Overview

This article establishes that each supervisory authority is competent to perform GDPR-related tasks and exercise powers within its own Member State. Certain exceptions apply, including courts acting in a judicial capacity and specific processing activities carried out by public authorities or private bodies as defined under GDPR.


Key Principles

  • Territorial Competence: Supervisory authorities operate within the jurisdiction of their Member State.

  • Task Authority: Authorities have the power to monitor and enforce GDPR compliance locally.

  • Exceptions: Judicial bodies and certain public or private processing activities may fall outside the authority’s competence.

  • Accountability: Authorities must act within their legal and territorial scope while ensuring compliance.

Organizational Applicability

This article applies to:

  • Supervisory authorities established in each EU Member State.

  • Controllers and processors subject to the authority’s oversight within the Member State.

  • Teams managing compliance, enforcement, and local GDPR regulatory actions.

Implementation Requirements

  • Define the scope and limits of the supervisory authority’s powers.

  • Establish procedures for exercising authority over controllers and processors within the Member State.

  • Identify exceptions for courts and specific processing activities.

  • Maintain documentation of jurisdictional boundaries and responsibilities.

Implementation Guidance

  • Clearly communicate the authority’s competence and limits to organizations and stakeholders.

  • Coordinate with other Member State authorities where cross-border processing is involved.

  • Train staff on jurisdictional rules, exceptions, and enforcement powers.

  • Periodically review and update competence policies to reflect regulatory or organizational changes.

Periodic Review

  • Frequency: Annually or when changes in jurisdiction, law, or processing activities occur.

  • Responsible Role: Supervisory authority leadership, Compliance Team, or Legal.

  • Outcome: Ensure clarity of competence, proper enforcement within scope, and recognition of exceptions.

Non-Compliance Risks

  • Fines: Up to €20 million or 4% of global annual turnover for supervised entities.

  • Legal Exposure: Challenges to authority actions outside its competence.

  • Reputational Damage: Loss of trust due to overreach or misapplication of authority powers.

  • Operational Risk: Misunderstanding competence boundaries may affect enforcement and cross-border coordination.