A Guide to Data Protection Authorities

Data Protection Authorities, or DPAs, play a unique role in enforcing data protection laws across the European Union (EU). They have many duties, but one of their main roles is to ensure that businesses across Member States adhere to the obligations set out in the General Data Protection Regulation (GDPR).

The GDPR has the effect of harmonizing data protection laws across the EU. This means that data protection laws are the same in all Member States. Harmonizing data protection across Member States means that it's easier for businesses to comply with the rules, and EU citizens better understand how the law protects them.

Let's consider what a Data Protection Authority is and what role it plays.


What are Data Protection Authorities?

Data Protection Authorities are independent organizations that uphold data protection rights across their territory. Each Member State appoints its own Data Protection Authority, and some appoint multiple DPAs that each have jurisdiction over different areas of data protection law.

These Authorities, also known as Supervisory Authorities, are provided for by Article 51:

GDPR Info: Article 51 - Supervisory authority excerpt

At the head of each Data Protection Authority is a commissioner or president. These individuals oversee the work of their DPA and promote transparency and consistency across the EU.

For example, the UK's Data Protection Authority is the ICO, or the Information Commissioner's Office:

Screenshot of ICO website header and menu

You can find out more about the UK's Information Commissioner by scrolling down the page and clicking the profile in the sidebar:

ICO Take action menu with links

It's important to remember that Data Protection Authorities and their commissioners are not the same as Data Protection Officers. Data Protection Officers may be appointed by companies who process large volumes of data, but this is a separate matter. All you need to know is that not all companies need to appoint Data Protection Officers, but every Member State has at least one Data Protection Authority.

The Role and Function of Data Protection Authorities

Without Data Protection Authorities, it would be extremely difficult to enforce data protection consistently across the EU, and businesses would struggle to even understand the GDPR and how it affects them. DPAs regularly do all of the following:

  • Handle reports of data breaches and provide monitoring reports of their own activities
  • Enforce data protection law at national level only
  • Mediate
  • Educate businesses on proper data protection protocols
  • Interpret EU law
  • Handle fines and other penalties

If you're a company, it's unlikely you'll interact directly with a Data Protection Authority unless you:

  • Are subject to a complaint
  • Must report a data breach
  • Handle very high volumes of data
  • Directly approach the DPA for advice

Think of them like a court - they have legal jurisdiction over you, but it's unlikely you'll deal with them directly.

Relationship with Data Controllers and Processors

DPAs differentiate between organizations that control or process personal data, meaning Data Processors and Data Controllers. In brief, here's what these organizations are:

  • Data Controllers decide what data the organization collects, why the data is collected, and how it's handled. In other words, it's often the business that the customer interacts with.
  • Data Processors process data on behalf of the Data Controller and according to instructions given by the controller.

Here's an example to make it clearer.

An IT company hires a payroll company to handle its wages. The IT company gives the payroll company data such as what to pay the employee, whether there's any sick pay or holiday pay, if there's a pay rise, and when to pay them. The payroll company stores this data to process it.

In this relationship, the Data Controller is the IT company. The Data Processor is the payroll company.

According to Article 33, it's the Data Controller who is responsible for notifying a DPA if there's a data breach:

GDPR Info: Article 33 - Notification of a personal data breach to the supervisory authority excerpt

If the Data Processor is in a 'third country,' or outside the EU, they must still abide by the GDPR, as is made clear by Article 44:

GDPR Info: Article 44 - General principle for transfers

What this all means is that DPAs treat Controllers and Processors slightly differently. Controllers are ultimately responsible for what happens to personal data, because Processors only work for the Controller. It's on Controllers to ensure that:

  • Processors properly safeguard information
  • They only share the necessary amount of information with Processors
  • They immediately report and remedy any breaches found

Of course, this doesn't detract from the point that DPAs have jurisdiction over Processors operating in their jurisdiction. They simply differentiate between Controllers and Processors.

The Consistency Mechanism

Despite the attempts to harmonize laws across the EU, there's always a risk that decisions made by DPAs across Member States will be inconsistent. That's where the Consistency Mechanism applies.

The Consistency Mechanism means that if an organization engages in data processing involving at least two Member States, and a DPA wants to take action on the data, the Authority must consult with other DPAs who are potentially involved to ensure they approve of the action. This keeps decisions consistent across the EU.

For example, if a German company engages in data processing affecting Spain, France, and Finland, and the French DPA wishes to take action on it, it must consult with the Spanish, Finnish, and German DPAs first.

Article 63 provides for the Consistency Mechanism:

GDPR Info: Article 63 - Consistency mechanism

Cooperation

Alongside the Consistency Mechanism is the principle of cooperation. The GDPR obliges DPAs to work alongside each other to facilitate the proper enforcement of the law across the EU. This obligation is set out in Article 60:

GDPR Info: Article 60 - Cooperation between supervisory authorities excerpt

Enforcement and Penalties

Data Protection Authorities can bring legal action against companies who break EU law. They can also investigate allegations of wrongdoing and impose penalties.

Article 83 sets out the conditions for imposing financial penalties on organizations. The fine must be proportionate, effective, and designed to discourage other companies from taking similar action.

Given the spirit of cooperation between Member States, DPAs can also look at fines imposed by other DPAs in similar circumstances to decide what's fair and reasonable.

Impartiality

Data Protection Authorities must be free from all external influences, including government influence. This is set out in Article 52:

GDPR Info: Article 52 - Independence excerpt

Independence ensures that DPAs operate consistently across the EU and make fair decisions without chance of corruption.

Jurisdiction

As mentioned, a Data Protection Authority only has jurisdiction over its Member State. This means that it doesn't have jurisdiction over data processing outside its own territory. For example, if you're UK-based and you only market goods and services to UK customers, only the ICO has jurisdiction over you, not, for example, the neighboring Commission in Ireland.

There is, however, an exception to this rule.

The One-Stop Shop

The One-Stop Shop principle applies when personal data travels across Member States, for example, when a UK business receives personal data from Spanish citizens. In these circumstances, both the UK and Spain may have jurisdiction over the same data.

So, which DPA actually has authority? You can claim one DPA as your "lead" DPA based on:

  • Your main place of business
  • Where the Data Controller is based

Essentially, you choose the authority with jurisdiction over the data the same way you'd choose a court of law in a cross-border dispute. For example, if you're UK-based, you can argue that the ICO is responsible.

How DPAs are Chosen

According to Articles 53 and 54 of the GDPR, members of supervisory authorities must:

  • Be chosen in a clear and transparent manner
  • Have the qualifications and skills to perform the role
  • Be subject to proper secrecy and confidentiality

These guidelines ensure that only properly qualified individuals are chosen as DPAs, and that the criteria are the same across the EU.

Data Protection Authorities by Member State

Here are the names of each Data Protection Authority and the Member State over which they have primary jurisdiction. We've also included a directory here for your convenience.

Austria

DPA: Österreichische Datenschutzbehörde
Member: Dr. Andrea Jelinek, Director

Belgium

DPA: Autorité de la protection des données - Gegevensbeschermingsautoriteit (APD-GBA)
Member: Mr. David Stevens, President

Bulgaria

DPA: Commission for Personal Data Protection
Member: Mr. Ventsislav Karadjov, Chairman of the Commission for Personal Data Protection

Croatia

DPA: Croatian Personal Data Protection Agency
Member: Mr. Anto Rajkovaca, Director

Cyprus

DPA: Commissioner for Personal Data Protection
Member: Ms. Irene Loizidou Nikolaidou, Commissioner for Personal Data Protection

Czech Republic

DPA: Office for Personal Data Protection
Member: Ms. Ivana Janu, President

Denmark

DPA: Datatilsynet
Member: Ms. Cristina Angela Gulisano, Director

Estonia

DPAs: European Data Protection Supervisor and the Estonian Data Protection Inspectorate

Member: Mr. Wojciech Wiewiorowski, European Data Protection Supervisor

Member: Ms. Pille Lehis, Director General (Estonian Data Protection Inspectorate)

Finland

DPA: Office of the Data Protection Ombudsman
Member: Mr. Reijo Aarnio, Ombudsman

France

DPA: Commission Nationale de l'Informatique et des Libertés (CNIL)
Member: Ms. Marie-Laure Denis, President of CNIL

Germany

DPA: Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Member and joint representative: Mr. Ulrich Kelber, Federal Commissioner for Data Protection and Freedom of Information

Note that there are multiple authorities across Germany with shared jurisdiction over data protection matters.

Greece

DPA: Hellenic Data Protection Authority
Member: Mr. Konstantinos Menoudakos, President of the Hellenic Data Protection Authority

Hungary

DPA: Hungarian National Authority for Data Protection and Freedom of Information
Member: Dr. Attila Peterfalvi, President of the National Authority for Data Protection and Freedom of Information

Iceland (EEA)

DPA: Persónuvernd
Member: Ms. Helga Porisdottir, Commissioner

Ireland

DPA: Data Protection Commission
Member: Ms. Helen Dixon, Data Protection Commissioner

Italy

DPA: Garante per la protezione dei dati personali
Member: Mr. Antonello Soro, President of Garante per la protezione dei dati personali

Latvia

DPA: Data State Inspectorate
Member: Ms. Daiga Avdejanova, Director of Data State Inspectorate

Liechtenstein (EEA)

DPA: Data Protection Office, Principality of Liechtenstein
Member: Dr. Marie-Louise Gachter, Commissioner

Lithuania

DPA: State Data Protection Inspectorate
Member: Mr. Raimondas Andrijauskas, Director of the State Data Protection Inspectorate

Luxembourg

DPA: Commission Nationale pour la Protection des Données
Member: Ms. Tine A. Larsen, President of the Commission Nationale pour la Protection des Données

Malta

DPA: Office of the Information and Data Protection Commissioner
Member: Mr. Saviour Cachia, Information and Data Protection Commissioner

Netherlands

DPA: Autoriteit Persoonsgegevens
Member: Mr. Aleid Wolfsen, Chairman of the Autoriteit Persoonsgegevens

Norway (EEA)

DPA: Datatilsynet
Member: Mr. Bjorn Erik Thon, Director

Poland

DPA: Urząd Ochrony Danych Osobowych (Personal Data Protection Office)
Member: Mr. Jan Nowak, President of the Personal Data Protection Office

Portugal

DPA: Comissão Nacional de Protecção de Dados (CNPD)
Member: Ms. Filipa Calvao, President, Comissão Nacional de Protecção de Dados

Romania

DPA: The National Supervisory Authority for Personal Data Processing
Member: Ms. Ancuta Gianina Opre, President of the National Supervisory Authority for Personal Data Processing

Slovakia

DPA: Office for Personal Data Protection of the Slovak Republic
Member: Ms. Sona Potheova, President of the Office for Personal Data Protection of the Slovak Republic

Slovenia

DPA: Information Commissioner of the Republic of Slovenia
Member: Ms. Mojca Prelesnik, Information Commissioner of the Republic of Slovenia

Spain

DPA: Agencia Española de Protección de Datos (AEPD)
Member: Ms. Maria del Mar Espana Marti, Director of the Spanish Data Protection Agency

Sweden

DPA: Datainspektionen
Member: Ms. Lena Lindgren Schelin, Director General of the Data Inspection Board

United Kingdom

DPA: The Information Commissioner's Office (ICO)
Member: Ms. Elizabeth Denham, Information Commissioner

Note that it's unclear what will happen to the relationship between this DPA and the EU following the UK's exit from the EU in 2020.

Conclusion

Data Protection Authorities are responsible for enforcing EU data protection law. Each Member State appoints its own DPA, which has jurisdiction over data controlled and processed in that Member State. DPAs supervise both Data Processors and Data Controllers, although Data Controllers are ultimately responsible for safeguarding data.

DPAs can enforce law at national level, and they cooperate with other DPAs to ensure that EU law is applied consistently across Member States. In the event of a dispute over which DPA has authority, you can choose your DPA based on where your business is based or where your Data Controller is.

DPAs are essential to upholding the GDPR, and you should understand how they operate in order to comply with the law.