Regulators' powers under Article 58: investigatory, corrective, authorisation/advisory
Article 58 grants the DPAs three types of power: investigatory (Art 58(1)), corrective (Art 58(2)), and authorisation and advisory (Art 58(3)). Investigatory powers give comprehensive access to evidence, documents and premises - including audits and inspections - leaving controllers 'nowhere to hide'. Corrective powers run from warnings to ordering processing to stop. DPAs can also litigate (Art 58(5)), subject to safeguards (Art 58(4)).
| Category | Article | What it covers | Examples |
|---|---|---|---|
| Investigatory | 58(1) | Access to evidence, documents and processing, plus a mechanism to start investigations | Order the provision of information; obtain accountability documents (Arts 24, 25, 28, 30, 33, 35); carry out audits and inspect premises and equipment; notify alleged infringements |
| Corrective | 58(2) | The full spectrum from warning to halting processing | Warnings, reprimands, orders to comply with data subject requests, ban or order processing to stop, order erasure, impose administrative fines |
| Authorisation & advisory | 58(3) | Maps to codes, certification, marks/seals and international transfers | Approve criteria/codes/certification bodies; authorise contractual clauses; approve BCRs; advise parliaments and controllers |
Many see fines as the biggest risk, but being ordered to stop data processing (a corrective power) can be a far more dramatic outcome for a data-centric business. Privileged documents (legal professional privilege; privilege against self-incrimination) are the main limit on investigatory disclosure.
The DPAs have two lines of attack: the written data protection system (policies, records, risk assessments) and the live business operations (via audits and inspections). Article 58(5) gives DPAs power to litigate; Article 58(4) is a safeguards provision protecting those affected by regulatory action.