National supervisory authorities

National supervisory authorities play an important role in protecting data subjects’ rights with regard to the processing of their personal data.

To ensure the protection of data subject’s rights, national supervisory authorities are assigned specific tasks as well as a number of investigative, corrective and advisory powers. In addition, they facilitate the submission of complaints by data subjects making available an electronic complaint form and they have an obligation to inform the complainant about the progress and the outcome of the investigation. For the effective exercise of its powers the supervisory authority has the right to bring infringements to the attention of the judicial authorities by starting or being otherwise engaged in legal proceedings.

Each national supervisory authority is empowered to monitor any data processing activity that takes place within its territory (jurisdiction). It is also charged with the task to monitor any data processing activities that target data subjects residing in its territory, even in those situations where the activities are carried out by non-EU data controllers or processors. However, since in an online environment data does not always respect borders, the territorial jurisdiction of a national supervisory authority is not always clear cut. Just think of the following situations:

a) an entity processes the personal data of data subjects situated in more than one EU Member State or,

b) the data controller or processor has multiple establishments within various Member States of the EU.

The above situations are already indicative that the jurisdictional delineation can go beyond the EU borders and involve third countries, but it can also give rise to jurisdictional overlaps and competence disputes between national supervisory authorities in various Member States. For avoiding situations in which more than one national supervisory authority are competent, the GDPR has introduced the legal concept of the lead supervisory authority or LSA.

When national supervisory authorities realise that a case brought before them has a cross-border dimension, as in the previous examples, they refer the case to the LSA which decides if it will handle the case or not within three weeks. Article 56 GDPR provides that the lead supervisory authority for cross-border processing of data will be the authority that is competent to supervise the entity engaged in data processing of individuals in different countries or, the authority competent to supervise the main establishment of the data controller or processor in case this has different establishments in several Member States.

This regulation is not only administratively efficient in the sense that it avoids disputes over competences between national supervisory authorities and situations where these authorities shy away from assuming responsibility, but it also reduces the administrative burden of companies. Businesses will only have to deal with one supervisory authority: the one in the country in which their main establishment is based.