‘Each Member State shall provide for one or more independent public authorities to be responsible for
monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms
of natural persons in relation to processing and to facilitate the free flow of personal data within the
Union (“supervisory authority”).’
17
In accordance with Article 55(1) of the GDPR, ‘each supervisory authority shall be competent for the
performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with
this Regulation on the territory of its own Member State’.
18
Article 57(1) of that regulation states as follows:
‘Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its
territory:
(a)
monitor and enforce the application of this Regulation;
…
(f)
handle complaints lodged by a data subject … and investigate, to the extent appropriate, the
subject matter of the complaint and inform the complainant of the progress and the outcome of
the investigation within a reasonable period, in particular if further investigation or coordination
with another supervisory authority is necessary;
…’
19
According to Article 58(2) and (4) of the GDPR:
‘2.
Each supervisory authority shall have all of the following corrective powers:
…
(f)
to impose a temporary or definitive limitation including a ban on processing;
…
(j)
to order the suspension of data flows to a recipient in a third country or to an international
organisation.
…
4. The exercise of the powers conferred on the supervisory authority pursuant to this Article shall be
subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union
and Member State law in accordance with the Charter.’
20
Article 64(2) of the GDPR states:
‘Any supervisory authority, the Chair of the [European Data Protection Board (EDPB)] or the
Commission may request that any matter of general application or producing effects in more than one
Member State be examined by the Board with a view to obtaining an opinion, in particular where a
competent supervisory authority does not comply with the obligations for mutual assistance in
accordance with Article 61 or for joint operations in accordance with Article 62.’
21
Under Article 65(1) of the GDPR:
‘In order to ensure the correct and consistent application of this Regulation in individual cases, the
Board shall adopt a binding decision in the following cases:
…