IAPP Training · Module 11 - BoK IV.C / IV.D
Module 11 · Supervisory authorities & Article 58 powers
Supervisory authorities (a.k.a. data protection authorities) are the bodies the GDPR tasks with promoting, monitoring and enforcing the regulation. Their toolkit comes in three categories under Article 58: investigative powers, corrective powers and authorisation and advisory powers.
The GDPR gives each Member State one or more independent supervisory authorities (SAs), commonly called data protection authorities (DPAs). Their job is to promote, monitor and enforce the GDPR.
- Promote awareness and provide advice
- Conduct investigations
- Protect fundamental rights and handle complaints
- Publish annual reports
- Facilitate the free flow of personal data within the EU
| Category | What it lets the SA do | Examples |
|---|---|---|
| Investigative | Gather facts about compliance | Order information, carry out audits/data protection reviews, access premises and data |
| Corrective | Compel change and punish breaches | Warnings, reprimands, orders to comply, temporary or definitive processing bans, administrative fines |
| Authorisation & advisory | Approve and advise | Advise controllers, approve contractual clauses, accredit certification bodies, approve codes of conduct |
Exam anchor
If a question asks WHO promotes, monitors and enforces the GDPR, the answer is the supervisory authority - not the controller, processor or EDPS.
Key terms - quick answers
What is “Supervisory authority (SA)”?
An independent public body in each Member State that promotes, monitors and enforces the GDPR; also called a data protection authority (DPA).
What is “Investigative powers”?
Article 58(1) powers to obtain information, carry out audits and access premises and data to investigate compliance.
What is “Corrective powers”?
Article 58(2) powers including warnings, reprimands, orders, processing bans and administrative fines.
What is “Authorisation and advisory powers”?
Article 58(3) powers to advise, approve clauses, certifications and codes, and authorise certain processing.