Europe’s Data Protection Authorities

The General Data Protection Regulation, or GDPR, called for national or regional Supervisory Authorities to be erected since the European Commission cannot keep an eye on all member states at the same time. The processing of personal data does not always stay within country borders anymore, meaning that multiple Supervisory Authorities can be involved, which can make it confusing which supervisor an organization is accountable to. For the convenience of international organisations, we created the following overview of all authorities.

What is a Supervisory authority?

As you can read in our ten step guide to GDPR compliance, one of the steps for compliance is understanding which supervisory authority is used. You need to report data breaches to the right authorities, and if you have a data protection officer you need to register this officer at the right authority.

The Authorities

All 28 European Member States have a Data Protection Authority, which all have their own website. Below we have compiled a list of all the Member States, the name of their DPA, and a link to the respective websites.

The findings

The EC website
The European Commission’s website, the official source of the GDPR and data protection information, is not protected by https. We ran an SSL report using www.ssllabs.com which did show all six servers being graded a B for security. Even though a B is not bad at all, we think that the official GDPR website should have nothing less than full protection and an A+ on its report card.

The European supervisor
The European Union is not a country, but it does have several bodies and institutions. For this reason, a European Data Protection Authority has been established. They supervise the processing activities of, among others, the CJEU and ECB and solve disputes among other DPA’s

HTTPS
We (and other experts) recommend the use of https for all websites. Https was a problem for many Data Protection Authority websites as well. The Cypriotic, Estonian, Greek, Hungarian, Irish(new), Latvian, and Romanian DPA websites were not protected by https.

English version
Many authorities provide information in English to help international website visitors. The Cypriotic, Danish, German, Hungarian, and Spanish DPA’s have no English version of their website.

Regional supervisors
As stated in Article 51, the GDPR also allows for regional Supervisory Authorities to be established. Of all member states, Germany is the only one to have implemented it. They have done it as follows:

Article 51.3 states that when an EU Member State establishes multiple Supervisory Authorities, there should be one main authority that represents all other authorities in the Board and makes sure its subservients follow the collaboration rules set out in Section II of the GDPR. In the case of Germany, this authority is the BFDI, which also oversees all federal authorities and organizations, telecommunication, and postal services companies. Germany has 16 states, or Bundesländer, which all have their own Data Protection Authority.

Tracking
Of the 29 DPA’s, only 11 had no tracking cookies on their website at all. 11 websites contained 1 tracker, and 7 contained more than 1 tracker. The highest number of trackers we found were on the Latvian website, 8. Even though it did not have the most trackers, the French DPA website contained a Facebook tracker, and several other sites contained a Twitter tracker.

Other findings

• The Spanish website seems to have multiple language option, but they are not clickable. After some website digging it seems English and Basque are also options, but the links are not to English or Basque pages… We think these versions just do not exist (yet).
• The Croatian website tried to run unsafe scripts, and contains 7 possible trackers
• On the new Irish DPA website, the GDPR part is still under construction. The old website has marked all GDPR matters with NEW and is functional, but the new website (gdprandyou.ie) has no https and is still anticipating the GDPR on May 25th.

Which DPA to contact?

When your organization performs cross-border data procession, multiple DPA’s are concerned and it might get confusing which authority is your one-stop-shop address, also known as the Lead Supervisory Authority. This is how it works:

You are established in only one EU Member state
In Germany
Are you a federal organization or authority, telecommunications, or postal company? Then the national DPA DFDI is your DPA. Otherwise, to find your state’s DPA contact details, check
https://www.datenschutz-wiki.de/Aufsichtsbeh%C3%B6rden_und_Landesdatenschutzbeauftragte

In the rest of Europe
The DPA of this country is your Lead Supervisory Authority.

You are established in multiple Member States
The means and purposes for processing are determined in only one establishment
When the means and purposes for processing are determined in only one establishment, the GDPR treats this as your main establishment, making its DPA the Lead Supervisory Authority.

The means and purposes for processing are determined in more than one establishment
If the means and purposes for processing are determined in more than one establishment, multiple Lead Supervisory Authorities might arise. This is often the case with multinationals where choices about different processing activities are made in different countries. In this case, each country (or in Germany state) supervises the processing activities determined there.

You are established outside of the EU
Should your main establishment be outside of the EU but you are active in the EU, the situation becomes less simple. In this case, you must deal with the DPA of every member state you are active in, or empower a European establishment to become the main establishment.

Final thoughts

We were pleasantly surprised with the Finnish DPA website. It contained tons of information, and all of it in Finnish, English, and Swedish. We recommend anyone to check this website.

Image credit: @kingschurchinternational via Unsplash