DPA stands for Data Protection Authority. DPAs are also known as national supervisory authorities. Generally, the GDPR (General Data Protection Regulation) uses this term. They play a vital role in enforcing data protection laws across the European Union. A DPA has various duties, but the main one is to ensure that all businesses across the MS (member states) strictly follow the rules and regulations set out in the GDPR.
This article covers what you need to know about data protection authorities: their duties, work, selection criteria, and much more.
So, without further ado, let us get started.
Let’s First Understand What Data Protection Authorities Are!
DPAs are independent public authorities that mainly protect data privacy by ensuring that all data protection laws are followed nationally. They have investigation and corrective powers. Using them, they monitor and administer the data protection law.
Besides, they have in-depth knowledge about data protection laws. Therefore, they offer advice when any data breach complaint is registered by DPA-compliant companies/businesses.
If a company fails to comply with data protection laws, DPAs can use their corrective power and issue fines to it.
What Are the Responsibilities of DPAs?
DPAs mainly work to enforce the data protection law. If non-compliance occurs, they offer guidance and handle the complaints properly. Here are a few responsibilities of DPAs, but they are not limited to these responsibilities only.
- Investigating the complaints registered by the organisation.
- Raising public awareness of data protection laws.
- Advising individuals, companies, and government on data protection laws.
- Keeping a list of illegal data processing activities.
- Administering the development of data protection law.
In short, the roles and responsibilities of DPAs are broad. Here, I have covered only a few of them.
How are DPAs Selected?
Generally, DPAs are selected at a national level. National legislation usually selects them within their MS (member states). The power of a DPA is limited to that specific jurisdiction only.
To be selected as a DPA, an individual must possess the experience, expertise, qualifications, and skills to work in the field of personal data protection.
Which Powers Do DPAs Hold?
DPAs hold the power to:
- Investigate
- Correct
- Advise
- Authorise
Let’s check these powers one by one in brief.
- Investigation Power
Whenever any individual complains about any kind of data breach or mishandling of their personal data, DPAs have the power to investigate.
If a DPA finds any non-compliance, it has the authority to investigate data controllers and processors. It can even order them to provide the information necessary to carry out the investigation.
- Corrective Power
A DPA can correct breaches using different methods based on the data breach’s severity. To apply corrective measures, a DPA can issue warnings or, whenever required, even ban data processing activities.
The most influential power that a DPA possesses is the power to issue fines. It can issue fines of up to 4% of the organisation’s yearly turnover.
- Power To Give Advice And Authorise
When governments, organisations, or individuals need advice, DPAs can guide them. Besides, they even have the authority to ban any high-risk activities that are not allowed by national law.
Difference Between Data Processor and Data Controller
A data controller is a person who can have complete control over an individual’s personal information. They can process data and make the decisions.
On the flip side, data processors do not have complete responsibility or control over data. They process data on behalf of the controller.
You must know who your DPA is if your company is a data controller or data processor.
Reasons Why Businesses Should Contact a DPA
Generally, businesses do not deal with a DPA directly; however, they need to contact a DPA in a few circumstances. These are as follows.
- A business/company needs guidance on processing personal information in line with the data protection law. This guidance helps companies/businesses comply with the law.
- Companies must report data breaches to the DPA within seventy-two hours of the breach’s occurrence.
- Sometimes, companies must contact a DPA to authorise data processing activity, which is highly risky and banned in the country where they operate.
- When a company requires help completing a DPIA, it can contact the DPA directly.
In a nutshell, the data processor and data controller must have an excellent relationship with DPAs.
Companies therefore need to ensure that their legal advisors are highly skilled and experienced in communicating with DPAs and have profound knowledge of the powers of DPAs.
One-Stop-Mechanism To Decide Which DPA to Contact
If your company operates only in Spain, it is obvious that you will process the data of Spanish citizens only. In such a case, you need to contact the DPA of Spain.
However, what happens when your consumers are in various member states? In this situation, how would you know which DPA to contact?
This is where the one-stop-mechanism comes into the picture.
Through this mechanism, businesses can find their LSA (Lead Supervisory Authority). It means the company is not required to deal with multiple DPAs; instead, it can contact one DPA operating in the company’s central administration location (state).
Concluding Remarks – Data Protection Authorities
In summary, data protection authorities play a significant role in ensuring that all registered companies/businesses comply with the data protection laws. They guide organisations, governments, and other members of the public regarding data protection law.
These DPAs possess four main authorities – investigation, correction, giving advice, and authorisation. If companies fail to obey data protection laws, they can fine them.
Simply put, being DPA compliant and knowing your DPA is beneficial. They can guide you well and provide valuable information regarding data protection law. In case any data breach occurs, you should contact them immediately.
Hopefully, this article has cleared all your queries and armed you with insightful information about DPA. Still, if you have any questions, please ask us in the comment section below.
