Under the GDPR, SAs are endowed with a number of powers including to issue warnings of non-compliance, carry out audits, require specific remediation within a specified time frame, order erasure of data and suspend data transfers to a third country.

Supervisory Authority investigative powers include:

  • to order the controller and the processor (or applicable representative) to provide any information it requires for the performance of its tasks;
  • carry out data protection audits;
  • review certifications;
  • notify controller/processor of any alleged infringement of the GDPR;
  • obtain from controller/processor access to all personal data and all information necessary to perform its tasks; and
  • obtain access to any premises of controller and processor including data processing equipment.

Supervisory Authority corrective powers include:

  • issue warnings to controller or processor that intended processing is likely to result in infringement of the GDPR;
  • issue reprimands to a controller or processor where processing operations have infringed provisions of the GDPR;
  • order the controller or processor to bring processing operations into compliance with the GDPR (with specific direction and time period if appropriate);
  • order the controller to communicate a personal data breach to the data subject;
  • impose a temporary or definitive limitation including a ban on processing;
  • order the rectification, restriction or erasure of data or order a certification body not to issue a certificate;
  • impose administrative fines; and
  • order the suspension of data flows to a recipient in a third country or to an international organisation.

Penalties

Crucially, SAs are also empowered to issue substantial administrative fines which should be "effective, proportionate and dissuasive". Although dependent on the circumstances of each case, typically penalties will only be imposed in addition to or instead of the SAs' corrective powers.

When deciding whether or not to administer a fine, the following circumstances will be considered:

  • nature, gravity, and duration of the infringement (also with regard to the purpose of the processing and the number of data subjects affected and level of damage suffered by them);
  • intentional or negligent character of the infringement;
  • action taken by controller or processor to mitigate the damage suffered by data subjects;
  • degree of responsibility of controller or processor with regard to technical and organisational measures implemented by them;
  • any relevant previous infringements by the controller or processor;
  • degree of cooperation with the SA in order to remedy the infringement and mitigate any adverse effects;
  • categories of data affected by the infringement;
  • manner in which the infringement becomes known to the SA (in particular whether and to what extent a controller/processor notifies directly to relevant SA);
  • whether any corrective powers have previously been imposed on the controller or processor with regard to the same subject matter;
  • adherence to approved codes of conduct or approved certification mechanisms; and
  • any other aggravating or mitigating factor such as financial benefits gained, losses avoided, directly or indirectly from the infringement.

Requirements, the infringement of which can attract a fine of up to 2% of total global annual turnover or €10m (whichever is the higher), include:

  • parental consent verification in the case of processing personal data of a child (below applicable age as decided by each Member State which shall not be below 13 years);
  • informing a data subject that it is not in a position to identify such data subject if such processing does not identify data subjects;
  • implementing appropriate technical and organisational measures to ensure data protection is enshrined by design and default (i.e. implementing pseudonymisation and collecting data necessary for each specified purposes only);
  • where controllers jointly determine the purposes and means of the processing each must determine their respective responsibilities for compliance with their obligations under the GDPR;
  • where a controller or processor is not established in the EU but offers goods and services to data subjects in the EU or monitors behaviour of data subjects in the EU, the controller shall designate in writing a representative in the Union;
  • if a processor is engaged, the controller shall only use processors providing sufficient guarantees to implement appropriate technical and organisational measures. Such processor cannot enlist another processor without prior specific or general written consent;
  • processing must only occur under instructions of the data controller;
  • each controller or controller's representative shall maintain a record of processing activities under its responsibility;
  • controller, processor and each of their respective representatives if applicable shall cooperate on request with the SA in the performance of its tasks;
  • each controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk;
  • controller shall notify the personal data breach to the competent SA without undue delay and where feasible not later than 72 hours after having become aware of it;
  • where a data breach is likely to result in a high risk to the rights and freedoms of individuals the controller shall communicate the personal data breach to the data subject without undue delay;
  • carrying out data protection impact assessment prior to carrying out processing which is likely to result in high risk for the rights and freedoms of individuals;
  • controller shall consult the SA prior to processing of personal data where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller;
  • the controller and processor shall designate a data protection officer accordingly;
  • controller and processor shall ensure that the data protection officer is properly and without delay involved with all issues which relate to the protection of personal data;
  • ensure data protection officer complies with his or her tasks;
  • compliance with approved code of conduct of SA; and
  • compliance with certification requirements.

Requirements, the infringement of which can attract a fine of up to 4% of total global annual turnover or €20m (whichever is the higher), include:

  • personal data must be processed lawfully and fairly in a transparent manner; not considered incompatible with the initial purposes; accurate and kept in a form which permits identification of data subjects;
  • processing of personal data should be lawful;
  • controller shall be able to demonstrate that consent was given by the data subject to the processing of their personal data where it is used as the basis for processing;
  • processing of special categories of personal data is subject to a general rule of prohibition unless certain circumstances apply;
  • controller shall provide transparent information, communication and modalities for data subjects to exercise their rights;
  • controller to provide information to data subject at the time information is collected from the data subject and/or from any other source;
  • data subject shall have the right to obtain from the controller confirmation as to whether their personal data is being processed, where it is being processed and access to it;
  • data subject shall have the right to obtain from controller the rectification of personal data where it is inaccurate;
  • the data subject shall have rights of erasure of personal data (the so called 'right to be forgotten');
  • the data subject shall have the right to obtain from the controller the restriction of processing of personal data under certain circumstances;
  • controller shall communicate any rectification, erasure or restriction of processing to each recipient of such data;
  • data subject shall have the right to receive personal data concerning him or her which has been provided to a controller in a structured, commonly used and machine readable format (i.e. data portability);
  • right to object to processing based on certain provisions (i.e. processing carried out in the public interest, legitimate interests of the controller or third party (which are not overridden by rights of data subject), direct marketing);
  • data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which has legal effects or similar significant effects on the data subject;
  • legitimate transfers of personal data outside of the EU made pursuant to exemptions or derogations;
  • compliance with an order or a temporary or definite limitation on processing or the suspension by the SA pursuant to their investigatory or correcting powers (see abov