Abstract
The General Data Protection Regulation (GDPR) establishes a clear enforcement structure across the European Union. Article 55 focuses on the competence of supervisory authorities. In simple terms, it defines which national data protection authority has the legal power to act within its territory. Every Member State must ensure that its supervisory authority is competent to carry out the tasks and exercise the powers assigned under the Regulation. This provision prevents confusion about jurisdiction and ensures that individuals and organizations know which authority oversees data protection matters in a particular country. It is a foundational rule that supports consistent enforcement while respecting national boundaries.

Explanation
Article 55 states that each supervisory authority is competent to perform the tasks and exercise the powers conferred on it within the territory of its own Member State. These tasks and powers are described throughout the GDPR, including monitoring compliance, handling complaints, conducting investigations, and imposing corrective measures or administrative fines.
The rule is territorial. A supervisory authority’s competence generally applies within its national borders. For example, a data protection authority in France oversees processing activities occurring within France.
However, Article 55 must be understood alongside other GDPR provisions, particularly the “one-stop-shop” mechanism under cross-border processing rules. While Article 55 establishes national competence, cross-border cases may require coordination with a lead supervisory authority under Articles 56 and 60.
Article 55 also clarifies that supervisory authorities are not competent to supervise processing operations of courts acting in their judicial capacity. This protects judicial independence while ensuring accountability through other mechanisms.
In practice, Article 55 ensures that:
- Each Member State has a functioning, empowered supervisory authority.
- There is clarity on which authority can act.
- Enforcement remains structured and legally predictable.
Key Points
- Each supervisory authority is competent within its own Member State.
- Competence covers all tasks and powers granted under the GDPR.
- Territorial scope is the general rule.
- Cross-border processing may shift competence to a lead supervisory authority.
- Courts acting in their judicial capacity are excluded from supervisory authority oversight.
- Article 55 supports legal certainty and structured enforcement.
General Activation Steps
If you are an organization assessing supervisory authority competence under Article 55, the process typically follows these steps:
- Identify the location of processing activities: Determine where personal data is processed and where your establishment operates.
- Determine your main establishment (if applicable): If operating in multiple EU Member States, identify your main establishment to understand potential lead authority involvement.
- Confirm the relevant supervisory authority: Identify the national data protection authority responsible for your Member State.
- Assess whether processing is cross-border: If data processing affects individuals in multiple Member States, cross-border rules may apply.
- Engage with the competent authority when required: In cases of data breaches, complaints, or investigations, communicate with the appropriate supervisory authority.
- Document jurisdictional decisions: Keep internal records explaining why a particular authority is competent in your case.
Use Cases
- Local Business Operating in One Member State: A company established and operating only in Spain processes customer data solely within Spain. Under Article 55, the Spanish supervisory authority is competent to monitor and enforce compliance. There is no cross-border complication.
- Data Breach Notification: If a German company experiences a data breach affecting German residents only, it must notify the German supervisory authority. Article 55 confirms that the German authority is competent to handle the case.
- Complaint Handling: An individual files a complaint about a company based in Italy. The Italian supervisory authority is competent to investigate and take corrective action.
- Cross-Border Processing Scenario: A multinational company headquartered in Ireland processes personal data of users across several EU countries. While Article 55 establishes territorial competence, Article 56 introduces the concept of a lead supervisory authority, likely the Irish authority in this example. Coordination mechanisms then apply.
- Judicial Processing: If a court processes personal data in the context of a legal proceeding, supervisory authorities are not competent to supervise that activity. Judicial independence is maintained through separate legal frameworks.
- Public Sector Oversight: A municipal authority in the Netherlands processes citizen records. The Dutch supervisory authority is competent to supervise compliance under Article 55.
Dependencies
Article 55 does not operate in isolation. Its application depends on several related GDPR provisions:
- Article 51 – Establishment of Supervisory Authorities: Each Member State must establish an independent supervisory authority. Without this foundation, competence under Article 55 cannot function.
- Article 56 – Competence of the Lead Supervisory Authority: In cross-border cases, competence may shift to a lead authority. Article 55 sets the baseline, while Article 56 refines it.
- Article 57 – Tasks of Supervisory Authorities: Defines what authorities must do, including monitoring, promoting awareness, and handling complaints.
- Article 58 – Powers of Supervisory Authorities: Grants investigative, corrective, and advisory powers. Article 55 confirms that authorities are competent to exercise these powers.
- Article 60 – Cooperation Mechanism: Cross-border cases require cooperation among supervisory authorities. Article 55’s territorial rule interacts with this cooperation framework.
- National Law Frameworks: Member States may adopt national provisions to structure procedural rules, as long as they align with GDPR requirements.
Tools and Technologies
Supervisory authorities rely on various tools and systems to exercise their competence effectively. These include:
- Case Management Systems: Digital platforms to register complaints, track investigations, and manage enforcement actions.
- Secure Communication Platforms: Used for cooperation between supervisory authorities across Member States, especially in cross-border cases.
- Data Breach Notification Portals: Online systems allowing organizations to notify supervisory authorities quickly and securely.
- Investigation Software: Forensic and auditing tools used to assess compliance with data protection principles.
- Risk Assessment Frameworks: Methodologies to evaluate the impact of processing activities and prioritize enforcement efforts.
- Reporting and Analytics Tools: Used to analyze complaint trends, sector risks, and recurring compliance issues.
- Public Awareness Platforms: Websites, guidance documents, and online training resources to help organizations understand their obligations.
Let’s Wrap
Article 55 of the GDPR provides clarity about which supervisory authority has the legal power to act. By establishing territorial competence, it creates a structured and predictable enforcement environment across the EU.
For organizations, understanding Article 55 means knowing which authority oversees your activities, where to submit breach notifications, and how complaints may be handled. For individuals, it ensures there is always a national authority responsible for protecting their data rights.
Although cross-border processing adds complexity through the lead supervisory authority mechanism, Article 55 remains the starting point. It anchors enforcement within national boundaries while fitting into the broader European cooperation framework.
In short, Article 55 ensures that supervisory authorities are not just established in theory but are clearly empowered and competent to perform their duties under the GDPR.
