Supervisory authorities — the national data protection authorities (DPAs) of each EU/EEA member state — are the primary enforcement mechanism of GDPR. They investigate complaints, conduct audits, issue guidance, impose fines, and coordinate cross-border enforcement actions. Understanding how DPAs operate, what triggers an investigation, and how the one-stop-shop mechanism works for organisations with operations in multiple member states is essential for any organisation building a GDPR compliance programme.
DPAs vary significantly in their resources, priorities, and enforcement styles. The Irish DPC, as lead supervisory authority for most major US tech companies with EU headquarters in Dublin, has handled some of the largest enforcement actions in GDPR history. The German state-level DPAs have a strong track record of technical enforcement. The French CNIL has been active on cookie compliance and algorithmic transparency. Understanding which DPA leads for your organisation, and how it approaches enforcement, is part of operational compliance planning.
DPA Powers Under GDPR
Article 58 of GDPR grants supervisory authorities three categories of power: investigative powers, corrective powers, and advisory and authorisation powers. The investigative powers allow DPAs to compel the production of information, conduct audits, and access any personal data and information necessary for their inquiries. Corrective powers range from issuing warnings to imposing bans on processing and levying administrative fines.
DPA POWERS — CATEGORIES AND SCOPE
| Power Category | Specific Powers | Practical Implication |
|---|---|---|
| Investigative (Art. 58(1)) | Order controller/processor to provide information; conduct data protection audits; carry out reviews of certifications; obtain access to all personal data and information; access any premises including processing equipment | DPA can compel production of any compliance documentation; can inspect systems and premises; cannot be refused access without legal justification |
| Corrective (Art. 58(2)) | Issue warnings; issue reprimands; order compliance; order communication with data subjects; impose a temporary or permanent ban on processing; suspend data flows to third countries; impose administrative fines | Range from advisory to prohibitory; fines up to €20M or 4% global turnover; processing ban is most operationally severe |
| Advisory and authorisation (Art. 58(3)) | Issue opinions on draft legislation; issue certifications; adopt standard data protection clauses; approve BCRs; authorise contractual clauses; approve codes of conduct | DPA is not only an enforcement body; advisory and approval role critical for BCRs, codes of conduct, and cross-border transfers |
The One-Stop-Shop Mechanism
For organisations with establishments in more than one EU/EEA member state, GDPR’s one-stop-shop mechanism provides that the DPA in the country of the organisation’s main establishment acts as the lead supervisory authority for cross-border processing. The lead DPA is the primary point of contact and the lead authority for cross-border enforcement actions, subject to the cooperation and consistency mechanisms that involve concerned DPAs.
ONE-STOP-SHOP — KEY CONCEPTS
| Concept | Definition | How It Works in Practice |
|---|---|---|
| Main establishment | For a controller, the place of its central administration in the EU, or the EU establishment where substantive decisions about the purposes and means of processing are actually made; for a processor, the place of its central administration in the EU | Usually EU headquarters; not where the data is stored; assessment focuses on where management decisions about processing are made |
| Lead supervisory authority (LSA) | The DPA of the member state where the main establishment is located | The LSA handles cross-border complaints, coordinates investigations, and issues the binding enforcement decision |
| Concerned supervisory authority (CSA) | Any DPA of a member state where data subjects are affected or where there is an establishment involved in the processing | CSAs receive the LSA’s draft decision; can raise objections; must cooperate in the enforcement process |
| Cooperation procedure (Art. 60) | LSA shares draft decision with CSAs; CSAs have four weeks to raise objections; if objections raised, consistency mechanism (EDPB) may be triggered | Delays enforcement decisions in complex cross-border cases; CSA objections can result in materially different outcome than LSA’s original position |
| Urgency procedure (Art. 66) | Any DPA can adopt provisional measures effective for maximum three months where urgent action needed to protect data subjects’ rights | Used in exceptional cases where cross-border cooperation process would cause unacceptable delay; effective immediately but time-limited |

IMPORTANT: The one-stop-shop mechanism applies to cross-border processing — processing that takes place in several member states or substantially affects data subjects in several member states. It does not apply to purely local processing. Where an organisation has multiple EU establishments but processes data only in one country and affects data subjects only in that country, the local DPA handles the matter, not the DPA of the main establishment.
The European Data Protection Board
The European Data Protection Board is an independent EU body that ensures consistent application of GDPR across member states. It is composed of the heads of each national DPA and the European Data Protection Supervisor. The EDPB issues binding decisions in disputes between DPAs, publishes guidelines and recommendations, and adopts opinions on matters of consistency. For organisations, the EDPB’s guidelines are the most authoritative interpretation of GDPR obligations short of a CJEU ruling.
EDPB KEY FUNCTIONS AND OUTPUTS
| Function | What It Produces | Relevance to Controllers |
|---|---|---|
| Consistency mechanism (Art. 63-67) | Binding decisions resolving disagreements between DPAs on cross-border enforcement | Where LSA and CSA disagree, EDPB’s binding decision sets the outcome; creates binding precedent |
| Guidelines and recommendations | Non-binding but highly authoritative interpretations of GDPR obligations (e.g., on consent, cookies, data subject rights, transparency) | DPAs treat EDPB guidelines as minimum standards; non-compliance with guidelines creates enforcement risk |
| Opinions on adequacy | Opinions on adequacy decisions proposed by the European Commission for third countries | Informs the adequacy decision process; a critical EDPB opinion can delay or prevent adoption of an adequacy decision |
| Codes of conduct and certification | Approval of EU-level codes of conduct; approval of certification criteria | Sector-wide compliance frameworks; organisations adopting approved codes gain enforcement benefit |
| Annual report | Public report on GDPR enforcement across member states; aggregated fine and complaint statistics | Provides insight into DPA enforcement priorities and emerging compliance focus areas |
What Triggers a DPA Investigation
DPA investigations are triggered through several routes. The most common is a complaint from a data subject who has exercised their rights and received an unsatisfactory response, or who believes their data has been mishandled. Other triggers include notified data breaches, referrals from other DPAs, media reporting, proactive sector-wide audits, and the DPA’s own intelligence and monitoring activities. Understanding the trigger is important because it shapes the scope of the investigation.
INVESTIGATION TRIGGERS AND TYPICAL SCOPE
| Trigger | Typical Scope | Likely Evidence Requested |
|---|---|---|
| Data subject complaint (rights request) | Investigation of the specific processing complaint; may expand to systemic review of rights procedures | Rights request log; response sent to data subject; exemption decisions; procedure documentation |
| Data subject complaint (transparency) | Review of privacy notice content; assessment of whether processing was disclosed; review of consent where relied on | Privacy notice version in effect; consent records; notice change log |
| Notified data breach | Review of breach investigation and response; assessment of security measures; review of notification timeliness and content | Breach register entry; incident timeline; security measures documentation; notification sent |
| Proactive sector audit | Comprehensive review of a specific type of processing activity across multiple organisations (e.g. cookie compliance, HR data, children’s data) | Full RoPA; DPIAs; consent mechanisms; privacy notices; security documentation |
| Media reporting of data incident | Investigation of specific incident reported; may expand to broader processing review | Specific incident documentation; broader evidence portfolio if scope expands |
| Referral from another DPA | Subject to cooperation procedure; scope determined by lead DPA in consultation with referring DPA | Determined by lead DPA; full accountability evidence portfolio likely required |
Responding to a DPA Investigation
When a DPA opens an investigation, the organisation’s response — both the quality of its evidence and its manner of engagement — materially affects the outcome. DPAs are required by Article 83(2) to take into account cooperative behaviour with the supervisory authority when determining fines. Conversely, obstruction or non-responsive engagement is an aggravating factor.
DPA INVESTIGATION RESPONSE — BEST PRACTICES
| Stage | Best Practice | What to Avoid |
|---|---|---|
| Initial notification | Acknowledge receipt promptly; identify the lead internal contact (usually DPO); notify senior management; engage external legal counsel if scope is broad | Ignoring or delaying the initial response; assigning to junior staff without escalation |
| Evidence compilation | Pull all relevant documentation from compliance records; review the evidence before providing it; do not create documentation retrospectively | Creating or backdating records after investigation opens; providing incomplete information hoping gaps are not noticed |
| Legal privilege considerations | Identify communications with external legal counsel that may be privileged; flag before disclosure; do not withhold non-privileged documents on grounds of commercial sensitivity | Withholding non-privileged documents; over-claiming privilege on documents that do not qualify |
| DPA liaison | Engage cooperatively and transparently; respond to information requests within deadlines; proactively flag anything the DPA may need to know | Adversarial engagement; technical non-answers; missing DPA deadlines without explanation |
| Remediation during investigation | If gaps are identified during the investigation, remediate them; inform the DPA of remediation steps taken | Waiting for DPA to order remediation; failing to address identified gaps |
| Draft decision review | Review LSA’s draft decision carefully; exercise right to comment on factual inaccuracies; engage in cooperation procedure if CSAs are involved | Failing to engage in draft decision review; missing the opportunity to correct factual errors |

BITLION INSIGHT: The DPA investigation process in most member states is not adversarial by design. DPAs are not primarily trying to impose the maximum fine — they are trying to bring processing into compliance and deter future violations. Organisations that engage cooperatively, demonstrate that their compliance programme was genuine (even if it had gaps), and commit credibly to remediation consistently achieve better outcomes than those that approach investigations as litigation to be defended. The accountability principle is not just a compliance obligation — it is a template for how to survive the regulatory process when things go wrong.