CIPP/E Study Guide
Ch 13.4 - Administrative supervision

Independent national regulators and their tasks (Articles 51–57, 59)

Only the DPAs hold administrative supervisory and enforcement powers under the GDPR. They must be independent public authorities (Articles 51–52) with sufficient skills and resources. Their tasks live in Article 57 - monitoring and enforcing the GDPR, raising awareness, handling complaints, investigating, supporting consistency and the EDPB, approving codes/certifications and transfer mechanisms, and keeping records of infringements. They must serve individuals and DPOs free of charge, and publish annual activity reports (Article 59).

The DPAs are the only bodies equipped with administrative supervisory and enforcement powers under the GDPR. Member states must designate independent public authorities that act with complete independence. The importance of independence was tested in Commission v. Germany, where Germany was found to have improperly made its regional regulators 'subject to State scrutiny'.

  • Monitor and enforce the GDPR; advise national parliaments and governments (Article 36(4) embeds the DPA in lawmaking)
  • Promote awareness of risks, safeguards and rights (Art 57(1)(b),(d))
  • Handle complaints and carry out investigations (Art 57(1)(f),(h)), with standardised complaint forms (Art 57(2))
  • Support consistent application internationally - consistency mechanism, mutual assistance, support the EDPB (Art 57(1)(e)–(h))
  • Publish DPIA lists (Art 35(4)), approve codes/certifications and transfer mechanisms, keep records of infringements (Art 57(1)(u))

Charging rules

Article 57(3): DPAs cannot charge data subjects or DPOs for their services. But Article 57(4) lets them charge back administration costs for manifestly unfounded or excessive requests.

Key terms - quick answers

What is “Independence”?
Articles 51–52 - DPAs must act with complete independence, with sufficient skills and resources (Art 52(4)) and not be subject to State scrutiny.
What are “Article 57 tasks”?
The long list of DPA duties: monitor and enforce, raise awareness, handle complaints, investigate, advise parliaments, support consistency and the EDPB, approve codes/certifications/transfers, keep records.
What are “Activity reports”?
Article 59 - DPAs must publish regular (annual) public reports on their activities, promoting transparency in the regulatory system.
What is “Professional secrecy”?
Article 54(2) - DPAs and their staff are bound by professional secrecy regarding confidential information they access.