An independent public authority established by a Member state under GDPR Article 51 (Article 4(21), GDPR). The authority is responsible for monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the EU.

The GDPR provides national supervisory authorities with significant powers to enforce its provisions, including:

Controllers must notify any personal data breach to their national supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach (Article 33(1), GDPR).

Data subjects have a right to be informed by the controller of their right to lodge a complaint with the supervisory authority (Articles 13(2)(d) and 14(2)(e), GDPR). Data subjects have a right to lodge a complaint with the supervisory authority (Article 77, GDPR). They also have a right to an effective judicial remedy against a supervisory authority and against infringing controllers and processors (Articles 78 and 79).

Supervisory authorities are required to co-operate with each other and with the European Data Protection Board (EDPB) to ensure the consistent enforcement of the GDPR (Articles 60 to 76, GDPR).

See Practice note, Overview of EU General Data Protection Regulation.