A Guide to Data Protection Authorities
Data Protection Authorities, or DPAs, play a unique role in enforcing data protection laws across the European Union (EU). They have many duties, but one of their main roles is to ensure that businesses across Member States adhere to the obligations set out in the General Data Protection Regulation (GDPR).
The GDPR has the effect of harmonizing data protection laws across the EU. This means that data protection laws are the same in all Member States. Harmonizing data protection across Member States means that it's easier for businesses to comply with the rules, and EU citizens better understand how the law protects them.
Let's consider what a Data Protection Authority is and what role it plays.
- 1. What are Data Protection Authorities?
- 2. The Role and Function of Data Protection Authorities
- 2.1. Relationship with Data Controllers and Processors
- 2.2. The Consistency Mechanism
- 2.3. Cooperation
- 2.4. Enforcement and Penalties
- 2.5. Impartiality
- 2.6. Jurisdiction
- 2.7. The One-Stop Shop
- 2.8. How DPAs are Chosen
- 3. Data Protection Authorities by Member State
- 3.1. Austria
- 3.2. Belgium
- 3.3. Bulgaria
- 3.4. Croatia
- 3.5. Cyprus
- 3.6. Czech Republic
- 3.7. Denmark
- 3.8. Estonia
- 3.9. Finland
- 3.10. France
- 3.11. Germany
- 3.12. Greece
- 3.13. Hungary
- 3.14. Iceland (EEA)
- 3.15. Ireland
- 3.16. Italy
- 3.17. Latvia
- 3.18. Liechtenstein (EEA)
- 3.19. Lithuania
- 3.20. Luxembourg
- 3.21. Malta
- 3.22. Netherlands
- 3.23. Norway (EEA)
- 3.24. Poland
- 3.25. Portugal
- 3.26. Romania
- 3.27. Slovakia
- 3.28. Slovenia
- 3.29. Spain
- 3.30. Sweden
- 3.31. United Kingdom
- 4. Conclusion
What are Data Protection Authorities?
Data Protection Authorities are independent organizations that uphold data protection rights across their territory. Each Member State appoints its own Data Protection Authority, and some appoint multiple DPAs that each have jurisdiction over different areas of data protection law.
These Authorities, also known as Supervisory Authorities, are provided for by Article 51:
At the head of each Data Protection Authority is a commissioner or president. These individuals oversee the work of their DPA and promote transparency and consistency across the EU.
For example, the UK's Data Protection Authority is the ICO, or the Information Commissioner's Office:
You can find out more about the UK's Information Commissioner by scrolling down the page and clicking the profile in the sidebar:
It's important to remember that Data Protection Authorities and their commissioners are not the same as Data Protection Officers. Data Protection Officers may be appointed by companies who process large volumes of data, but this is a separate matter. All you need to know is that not all companies need to appoint Data Protection Officers, but every Member State has at least one Data Protection Authority.
The Role and Function of Data Protection Authorities
Without Data Protection Authorities, it would be extremely difficult to enforce data protection consistently across the EU, and businesses would struggle to even understand the GDPR and how it affects them. DPAs regularly do all of the following:
- Handle reports of data breaches and provide monitoring reports of their own activities
- Enforce data protection law at national level only
- Mediate
- Educate businesses on proper data protection protocols
- Interpret EU law
- Handle fines and other penalties
If you're a company, it's unlikely you'll interact directly with a Data Protection Authority unless you:
- Are subject to a complaint
- Must report a data breach
- Handle very high volumes of data
- Directly approach the DPA for advice
Think of them like a court - they have legal jurisdiction over you, but it's unlikely you'll deal with them directly.
Relationship with Data Controllers and Processors
DPAs differentiate between organizations that control or process personal data, meaning Data Processors and Data Controllers. In brief, here's what these organizations are:
- Data Controllers decide what data the organization collects, why the data is collected, and how it's handled. In other words, it's often the business that the customer interacts with.
- Data Processors process data on behalf of the Data Controller and according to instructions given by the controller.
Here's an example to make it clearer.
An IT company hires a payroll company to handle its wages. The IT company gives the payroll company data such as what to pay the employee, whether there's any sick pay or holiday pay, if there's a pay rise, and when to pay them. The payroll company stores this data to process it.
In this relationship, the Data Controller is the IT company. The Data Processor is the payroll company.
According to Article 33, it's the Data Controller who is responsible for notifying a DPA if there's a data breach:
If the Data Processor is in a 'third country,' or outside the EU, they must still abide by the GDPR, as is made clear by Article 44:
What this all means is that DPAs treat Controllers and Processors slightly differently. Controllers are ultimately responsible for what happens to personal data, because Processors only work for the Controller. It's on Controllers to ensure that:
- Processors properly safeguard information
- They only share the necessary amount of information with Processors
- They immediately report and remedy any breaches found
Of course, this doesn't detract from the point that DPAs have jurisdiction over Processors operating in their jurisdiction. They simply differentiate between Controllers and Processors.
The Consistency Mechanism
Despite the attempts to harmonize laws across the EU, there's always a risk that decisions made by DPAs across Member States will be inconsistent. That's where the Consistency Mechanism applies.
The Consistency Mechanism means that if an organization engages in data processing involving at least two Member States, and a DPA wants to take action on the data, the Authority must consult with other DPAs who are potentially involved to ensure they approve of the action. This keeps decisions consistent across the EU.
For example, if a German company engages in data processing affecting Spain, France, and Finland, and the French DPA wishes to action it, they must consult with Spain, Finland, and Germany first.
Article 63 provides for the Consistency Mechanism:
Cooperation
Alongside the Consistency Mechanism is the principle of cooperation. The GDPR obliges DPAs to work alongside each other to facilitate the proper enforcement of the law across the EU. This obligation is set out in Article 60:
Enforcement and Penalties
Data Protection Authorities can bring legal action against companies who break EU law. They can also investigate allegations of wrongdoing and impose penalties.
Article 83 sets out the conditions for imposing financial penalties on organizations. The fine must be proportionate, effective, and designed to discourage other companies from taking similar action.
Given the spirit of cooperation between Member States, DPAs can also look at fines imposed by other DPAs in similar circumstances to decide what's fair and reasonable.
Impartiality
Data Protection Authorities must be free from all external influences, including government influence. This is set out in Article 52:
Independence ensures that DPAs operate consistently across the EU and make fair decisions without chance of corruption.
Jurisdiction
As mentioned, a Data Protection Authority only has jurisdiction over its Member State. This means that it doesn't have jurisdiction over data processing outside its own territory. For example, if you're UK-based and you only market goods and services to UK customers, only the ICO has jurisdiction over you, not, for example, the neighboring Data Protection Commission in Ireland.
There is, however, an exception to this rule.
The One-Stop Shop
The One-Stop Shop principle applies when personal data travels across Member States, for example when a UK business receives personal data from Spanish citizens. In these circumstances, both the UK and Spain may have jurisdiction over the same data.
So, which DPA actually has authority? You can claim one DPA as your "lead" DPA based on:
- Your main place of business
- Where the Data Controller is based
Essentially, you choose the authority with jurisdiction over the data the same way you'd choose a court of law in a cross-border dispute. For example, if you're UK-based, you can argue that the ICO is responsible.
How DPAs are Chosen
According to Articles 53 and 54 of the GDPR, members of supervisory authorities must:
- Be chosen in a clear and transparent manner
- Have the qualifications and skills to perform the role
- Be subject to proper secrecy and confidentiality
These guidelines ensure that only properly qualified individuals are chosen as DPAs, and that the criteria are the same across the EU.
Data Protection Authorities by Member State
Here are the names of each Data Protection Authority and the Member State over which they have primary jurisdiction. We've also included a directory here for your convenience.
Austria
DPA: Österreichische Datenschutzbehörde
Member: Dr. Andrea Jelinek, Director
email: [email protected]
Belgium
DPA: Autorité de la protection des données - Gegevensbeschermingsautoriteit (APD-GBA)
Member: Mr. David Stevens, President
email: [email protected]
Bulgaria
DPA: Commission for Personal Data Protection
Member: Mr. Ventsislav Karadjov, Chairman of the Commission for Personal Data Protection
email: [email protected]
Croatia
DPA: Croatian Personal Data Protection Agency
Member: Mr. Anto Rajkovaca, Director
email: [email protected]
Cyprus
DPA: Commissioner for Personal Data Protection
Member: Ms. Irene Loizidou Nikolaidou, Commissioner for Personal Data Protection
email: [email protected]
Czech Republic
DPA: Office for Personal Data Protection
Member: Ms. Ivana Janu, President
email: [email protected]
Denmark
DPA: Datatilsynet
Member: Ms. Cristina Angela Gulisano, Director
email: [email protected]
Estonia
DPAs: European Data Protection Supervisor and the Estonian Data Protection Inspectorate
Member: Mr. Wojciech Wiewiorowski, European Data Protection Supervisor
email: [email protected]
Member: Ms. Pille Lehis, Director General (Estonian Data Protection Inspectorate)
email: [email protected]
Finland
DPA: Office of the Data Protection Ombudsman
Member: Mr. Reijo Aarnio, Ombudsman
email: [email protected]
France
DPA: Commission Nationale de l'Informatique et des Libertés (CNIL)
Member: Ms. Marie-Laure Denis, President of CNIL
Germany
DPA: Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Member and joint representative: Mr. Ulrich Kelber, Federal Commissioner for Data Protection and Freedom of Information
email: [email protected]
Note that there are multiple authorities across Germany with shared jurisdiction over data protection matters.
Greece
DPA: Hellenic Data Protection Authority
Member: Mr. Konstantinos Menoudakos, President of the Hellenic Data Protection Authority
email: [email protected]
Hungary
DPA: Hungarian National Authority for Data Protection and Freedom of Information
Member: Dr. Attila Peterfalvi, President of the National Authority for Data Protection and Freedom of Information
email: [email protected]
Iceland (EEA)
DPA: Persónuvernd
Member: Ms. Helga Porisdottir, Commissioner
email: [email protected]
Ireland
DPA: Data Protection Commission
Member: Ms. Helen Dixon, Data Protection Commissioner
email: [email protected]
Italy
DPA: Garante per la protezione dei dati personali
Member: Mr. Antonello Soro, President of Garante per la protezione dei dati personali
email: [email protected]
Latvia
DPA: Data State Inspectorate
Member: Ms. Daiga Avdejanova, Director of Data State Inspectorate
email: [email protected]
Liechtenstein (EEA)
DPA: Data Protection Office, Principality of Liechtenstein
Member: Dr. Marie-Louise Gachter, Commissioner
email: [email protected]
Lithuania
DPA: State Data Protection Inspectorate
Member: Mr. Raimondas Andrijauskas, Director of the State Data Protection Inspectorate
email: [email protected]
Luxembourg
DPA: Commission Nationale pour la Protection des Données
Member: Ms. Tine A. Larsen, President of the Commission Nationale pour la Protection des Données
email: [email protected]
Malta
DPA: Office of the Information and Data Protection Commissioner
Member: Mr. Saviour Cachia, Information and Data Protection Commissioner
email: [email protected]
Netherlands
DPA: Autoriteit Persoonsgegevens
Member: Mr. Aleid Wolfsen, Chairman of the Autoriteit Persoonsgegevens
Norway (EEA)
DPA: Datatilsynet
Member: Mr. Bjorn Erik Thon, Director
email: [email protected]
Poland
DPA: Urząd Ochrony Danych Osobowych (Personal Data Protection Office)
Member: Mr. Jan Nowak, President of the Personal Data Protection Office
email: [email protected]; [email protected]
Portugal
DPA: Comissão Nacional de Protecção de Dados (CNPD)
Member: Ms. Filipa Calvao, President, Comissão Nacional de Protecção de Dados
email: [email protected]
Romania
DPA: The National Supervisory Authority for Personal Data Processing
Member: Ms. Ancuta Gianina Opre, President of the National Supervisory Authority for Personal Data Processing
email: [email protected]
Slovakia
DPA: Office for Personal Data Protection of the Slovak Republic
Member: Ms. Sona Potheova, President of the Office for Personal Data Protection of the Slovak Republic
email: [email protected]
Slovenia
DPA: Information Commissioner of the Republic of Slovenia
Member: Ms. Mojca Prelesnik, Information Commissioner of the Republic of Slovenia
email: [email protected]
Spain
DPA: Agencia Española de Protección de Datos (AEPD)
Member: Ms. Maria del Mar Espana Marti, Director of the Spanish Data Protection Agency
email: [email protected]
Sweden
DPA: Datainspektionen
Member: Ms. Lena Lindgren Schelin, Director General of the Data Inspection Board
email: [email protected]
United Kingdom
DPA: The Information Commissioner's Office (ICO)
Member: Ms. Elizabeth Denham, Information Commissioner
email: [email protected]
Note that it's unclear what will happen to the relationship between this DPA and the EU following the UK's exit from the EU in 2020.
Conclusion
Data Protection Authorities are responsible for enforcing EU data protection law. Each Member State appoints its own DPA, which has jurisdiction over data controlled and processed in that Member State. DPAs supervise both Data Processors and Data Controllers, although Data Controllers are ultimately responsible for safeguarding data.
DPAs can enforce law at national level, and they cooperate with other DPAs to ensure that EU law is applied consistently across Member States. In the event of a dispute over which DPA has authority, you can choose your DPA based on where your business is based or where your Data Controller is.
DPAs are essential to upholding the GDPR, and you should understand how they operate in order to comply with the law.