Overview

This article requires supervisory authorities to create and submit annual activity reports detailing GDPR infringements and measures taken under Article 58(2). Reports must be submitted to the national parliament, government, and designated authorities, made publicly available, and shared with the European Commission and the European Data Protection Board (EDPB).


Key Principles

  • Transparency: Provide detailed information on supervisory activities and enforcement measures.

  • Accountability: Document infringements and corrective actions taken by the authority.

  • Public Disclosure: Reports must be publicly accessible to promote transparency.

  • Coordination: Share reports with the Commission and the Board to ensure cross-border consistency.

Organizational Applicability

This article applies to:

  • Supervisory authorities established in each EU Member State.

  • Teams responsible for preparing, reviewing, and submitting activity reports.

  • Public and private sector entities interacting with authorities and subject to oversight.

Implementation Requirements

  • Compile annual reports summarizing infringements, investigations, and corrective measures under Article 58(2).

  • Submit reports to the national parliament, government, and designated authorities.

  • Ensure reports are publicly available and shared with the European Commission and EDPB.

  • Maintain records supporting the information included in the reports.

Implementation Guidance

  • Establish a reporting template to standardize reporting of infringements and measures.

  • Train staff on data collection, documentation, and reporting procedures.

  • Coordinate with other supervisory authorities and internal teams to ensure accurate reporting.

  • Periodically review reporting processes to enhance clarity, completeness, and compliance.

Periodic Review

  • Frequency: Annually, aligned with reporting obligations.

  • Responsible Role: Supervisory authority leadership, Compliance Team, or Legal.

  • Outcome: Ensure accurate, timely, and transparent reporting of supervisory activities.

Non-Compliance Risks

  • Fines: Up to €20 million or 4% of global annual turnover for supervised entities failing to comply with GDPR.

  • Legal Exposure: Enforcement or scrutiny for incomplete or inaccurate reporting.

  • Reputational Damage: Loss of public trust and credibility of the supervisory authority.

  • Operational Risk: Ineffective reporting may impair transparency and coordination with the Commission and EDPB.