All of the EU’s member states must provide one or more independent supervisory authorities, which must act independently of the government and must be provided with adequate resource-noindexs to undertake their duties.
Supervisory authorities’ tasks will include:
- Monitoring the application of GDPR
- Promoting public awareness
- Handling complaints raised
- Give advice on processing operations when consulted
- Review certifications and conduct accreditation of certification bodies
- Approve binding corporate rules
Each supervisory authorities’ powers will include:
- The power to investigate through data protection audits
- Corrective powers through:
- warnings,
- reprimands,
- limitations on processing
- Withdrawal of certifications
- Impose administration fines
- Suspend data flows to third countries
- Authorisation and advisory powers
Entities operating in more than one state can choose a lead supervisory authority for all their pan-EU activities in order that they need liaise with only one SA. These lead authorities will monitor compliance in respect of cross-border processing by an organisation whose main establishment is in that Member State.