Lesson 20 of 25
Supervision: DPAs, the EDPB, EDPS & the One-Stop-Shop
5 min read · CIPP/E
Map the enforcement structure—DPA powers under Article 58, the lead-authority one-stop-shop, the consistency mechanism, and the EDPB versus EDPS distinction the exam tests directly.
The regulators of the GDPR
- Each member state: an independent supervisory authority (DPA)
- EDPB coordinates the DPAs at EU level
- EDPS supervises the EU's own institutions
- Domain IV.C tests roles and powers
Rules need enforcers, and the GDPR has a layered set of them. At national level, Article 51 requires each member state to have one or more independent supervisory authorities, the Data Protection Authorities or DPAs, such as France's CNIL, Germany's state authorities, or Ireland's Data Protection Commission. At EU level, the European Data Protection Board, the EDPB, coordinates the national authorities to keep enforcement consistent.
And separately, the European Data Protection Supervisor, the EDPS, supervises how the EU's own institutions and bodies process data, under its own regulation. The exam tests who does what, so keep the DPAs, the EDPB, and the EDPS straight in your mind.
Supervisory authority powers (Article 58)
- Investigative powers — audits, access, information requests
- Corrective powers — warnings, bans, order compliance, fines
- Authorisation/advisory powers — approve BCRs, advise
- Must be independent (Article 52)
Article 58 gives supervisory authorities three families of powers, and the exam likes to test the categories. First, investigative powers (Article 58(1)): to order the controller or processor to provide information, carry out audits and investigations, and obtain access to personal data and premises. Second, corrective powers (Article 58(2)): to issue warnings and reprimands, order the controller or processor to comply with a data subject's request or to bring processing into line, order rectification or erasure, impose a temporary or definitive ban on processing, suspend data flows to a recipient in a third country, and impose administrative fines.
Third, authorisation and advisory powers (Article 58(3)): to advise controllers, approve binding corporate rules, and issue opinions. Article 52 guarantees the authorities' independence: they act free from external influence, whether direct or indirect. So a DPA can investigate and then correct, up to banning processing or fining, which makes it a genuinely powerful regulator.
The lead authority and one-stop-shop (Article 56)
- For cross-border processing, one lead DPA takes the lead
- Lead = DPA of the main establishment
- One-stop-shop: a single regulator interface
- Other 'concerned' authorities still participate
Cross-border processing could otherwise mean answering to twenty-seven regulators at once, so the GDPR created the one-stop-shop. Under Article 56, where a controller or processor carries out cross-border processing, the supervisory authority of its main establishment acts as the lead supervisory authority. That lead authority is the organisation's primary interface for the cross-border processing, and it coordinates the handling of cases. Note the precondition: the mechanism depends on having a main establishment in the EU, so a controller with no EU establishment gets no lead authority and deals with each competent DPA separately.
But the lead is not alone. The other concerned authorities (Article 4(22): those in whose territory the controller or processor is also established, whose residents are substantially affected, or with whom a complaint was lodged) participate in the process and can raise objections. The exam tests both the benefit, a single lead regulator, and the limit, that concerned authorities still have a voice. There is also a local exception under Article 56(2): a non-lead authority may handle a complaint itself where the matter concerns only an establishment in its member state or substantially affects data subjects only there. The main-establishment concept is what determines who leads, and under Article 4(16) it means the place of central administration in the EU, unless decisions about the purposes and means of processing are actually taken, and can be implemented, at another establishment, in which case that one is the main establishment.
So the exam may test you on locating the main establishment, not just naming the one-stop-shop.
Cooperation and the consistency mechanism
- Article 60 — lead and concerned authorities cooperate
- Aim: a single, agreed decision across the EU
- Consistency mechanism (Arts. 63-67) resolves disagreements
- EDPB can issue a binding decision in disputes
Behind the one-stop-shop sits the cooperation and consistency machinery. Under Article 60, the lead authority works with the concerned authorities to try to reach consensus, aiming for a single decision that applies across the EU. When authorities disagree, for instance if a concerned authority raises a relevant and reasoned objection the lead does not accept, the consistency mechanism in Articles 63 to 67 kicks in.
The dispute goes to the European Data Protection Board, which can adopt a binding decision under Article 65 to resolve it. This is how the EU prevents twenty-seven regulators from drifting into twenty-seven different interpretations. The exam may describe a cross-border dispute and ask who breaks the tie; the answer is the EDPB through the consistency mechanism.
EDPB versus EDPS
- EDPB — board of the national DPAs + the EDPS
- EDPB issues guidelines, opinions, binding dispute decisions
- EDPS — independent authority over EU institutions
- EDPS also advises EU lawmakers
Finally, keep these two bodies distinct, because the exam tests the difference directly. The European Data Protection Board is the EU-level body made up of the heads of the national supervisory authorities together with the EDPS. Its job is consistency: it issues guidelines and opinions interpreting the GDPR, those very EDPB guidelines the Body of Knowledge keeps referencing, and it adopts binding decisions to settle disputes between authorities.
The European Data Protection Supervisor is a different thing: an independent supervisory authority whose job is to monitor how the EU's own institutions, agencies, and bodies process personal data, and to advise the EU legislator on privacy. So the EDPB coordinates the member-state regulators, while the EDPS polices the EU institutions and advises lawmakers. Three letters apart, two distinct roles.
Recap
- DPAs: investigative, corrective, advisory powers (Art. 58)
- One-stop-shop: lead authority of the main establishment (Art. 56)
- Consistency mechanism + EDPB binding decisions settle disputes
- EDPB coordinates DPAs; EDPS supervises EU institutions
So the enforcement structure is layered. National DPAs hold investigative, corrective, and advisory powers under Article 58, and they are independent. For cross-border processing, the one-stop-shop under Article 56 gives a company a single lead authority, the one at its main establishment, while concerned authorities still participate.
Disputes are resolved through the cooperation and consistency mechanisms, with the EDPB able to issue binding decisions. And remember the pairing: the EDPB coordinates the national regulators and issues guidance, while the EDPS supervises the EU institutions. Next, we cover the teeth, the fines, liability, and compensation that follow a violation.
First, go test yourself on supervision.
Sources
- Regulation (EU) 2016/679 (GDPR), Article 51 (supervisory authorities), Article 56 (lead supervisory authority/one-stop-shop), Article 58 (powers), Article 60 (cooperation), Articles 63-67 (consistency mechanism), Articles 68-76 (EDPB)
- Regulation (EU) 2018/1725 (EDPS)
- EDPB guidelines on lead authority
Test your knowledge
A few CIPP/E practice questions.
Q1. A US company operates a website accessible from the EU but sells only to US customers. The site is in English and displays prices in USD. Is this company subject to the GDPR?
Q2. A US multinational has a sales office in Germany that promotes its products but processes all customer data on servers in the US. Is the GDPR triggered?
Q3. A Singapore-based company processes data of EU residents in connection with behavioural advertising. It has no EU establishment. What obligation does Article 27 impose?
Q4. A data subject withdraws their consent to receive a company's newsletter. What is the effect of withdrawal under Article 7(3)?