Supervisory Authority

Definition

An independent public authority, established by an EU member state, that is responsible for monitoring the application of the GDPR, as defined in Article 51. Each member state must establish at least one supervisory authority (commonly called Data Protection Authorities or DPAs), though some have multiple authorities with sector or regional jurisdictions. Supervisory authorities have extensive powers, including investigating violations, conducting audits, issuing warnings and reprimands, ordering processing corrections or restrictions, imposing administrative fines up to €20 million or 4% of global annual turnover, approving Binding Corporate Rules, and authorizing Standard Contractual Clauses. The GDPR's one-stop-shop mechanism designates lead supervisory authorities for cross-border processing, with the lead authority coordinating with concerned authorities. Supervisory authorities cooperate through the European Data Protection Board, which ensures consistent application across the EU. Organizations should identify their relevant supervisory authorities, monitor published guidance and decisions, consult supervisory authorities when required or advisable, and cooperate with investigations while asserting appropriate legal rights.

Applicable Laws & Regulations

  1. GDPR Articles 51-59
  2. GDPR Article 83
