OneTrust GDPR Deep Dive Series Chapter 6: Independent Supervisory Authorities

Chapter 6 outlines the Member States’ requirements in the creation, powers, and obligations of independent supervisory data protection authorities (DPA).

Member States must appoint one or more DPAs to implement the GDPR and protect the fundamental rights of individuals.

The data protection authorities must ensure uniform application of the Regulation across the European Union. In principle, this ensures that organisations operating across Member State jurisdictions would not face difficulties with differing interpretations of the law.

Finally, this chapter broadly outlines the duties of the DPA, which include, but not limited to: monitoring and enforcement, promoting public awareness, informing controllers and processors of obligations under the Regulation, approve binding corporate rules, and conducting investigations on behalf of data subjects.

Compared to the Data Protection Directive, the powers and responsibilities of the DPA remain relatively unchanged. The main difference is the development of a consistency mechanism allowing for uniformity across Member State jurisdictions.

Chapter 6 Sections, Articles & Descriptions

Section 1 –– Independent status

Article 51: Supervisory authority
Article 52: Independence
Article 53: General conditions for the members of the supervisory authority
Article 54: Rules on the establishment of the supervisory authority

Section 2 –– Competence, tasks and powers

Article 55: Competence
Article 56: Competence of the lead supervisory authority
Article 57: Tasks
Article 58: Powers
Article 59: Activity reports


GDPR will come into effect on May 25, 2018, and OneTrust believes that every global organization should start considering how to best implement efficient and effective data-handling practices that are replicable and consistent. The GDPR Deep Dive Series delves into each chapter of the GDPR to summarize key takeaways of the new governance in an easy-to-digest format. It is intended to help privacy executives with implementation and operationalization of GDPR regulations, and will be published bi-weekly on our blog.