Chapter 3 of 13

EU Institutions, Regulators and the Data Protection Landscape

Step into the institutional machinery behind EU privacy law and see how the Parliament, Council, Commission, EDPB and national authorities shape, interpret and enforce GDPR across Europe.

15 min read

Step 1 – Mapping the EU Privacy Powerhouse

The GDPR Ecosystem

GDPR is the central EU data protection law, in force since May 2018. Around it is an ecosystem of institutions that create, interpret and enforce the rules across all EU Member States.

Who Does What?

  • Parliament + Council (with Commission proposals) create and update EU data protection laws.
  • The Commission also monitors application and can bring infringement actions against Member States.

Enforcers and Coordinators

  • National supervisory authorities (SAs) enforce GDPR in each country.
  • The EDPB coordinates SAs and issues guidance.
  • The EDPS supervises EU institutions and sits on the EDPB.

Exam Mindset

Keep asking: Who does what in this ecosystem? And in any scenario, which body would a controller, processor or data subject actually deal with?

Step 2 – How EU Institutions Make Data Protection Law

Ordinary Legislative Procedure

Most EU data protection laws use the ordinary legislative procedure. The Commission proposes, then Parliament and Council act as equal co‑legislators to adopt the final text.

Commission’s Role

The Commission drafts the initial proposal (for GDPR this was in 2012), usually led by DG JUST. It consults stakeholders and performs impact assessments before sending the draft to Parliament and Council.

Parliament’s Role

Parliament, through a lead committee (LIBE for GDPR), debates and amends the proposal, then adopts a position in plenary. It represents EU citizens in the law‑making process.

Council’s Role

The Council represents Member State governments. It works in working parties and at ministerial level, adopts its own position, and negotiates with Parliament on a compromise text.

Trilogues and Adoption

Parliament, Council and Commission negotiate in trilogues. Once they agree, Parliament and Council formally adopt the Regulation. GDPR was adopted in 2016 and has applied since 2018.

Step 3 – Example: From Idea to GDPR Article

The Problem

Real‑world security incidents showed companies were hiding data breaches. Individuals suffered harm without ever being informed. Stakeholders called for mandatory breach notification.

Commission Proposes

The Commission consulted, assessed impacts and proposed GDPR rules obliging controllers to notify supervisory authorities and, in serious cases, affected data subjects.

Parliament and Council Negotiate

Parliament pushed for strict deadlines and strong rights; the Council wanted realism and flexibility. In trilogues they reached a compromise that balanced both concerns.

Result: Articles 33–34 GDPR

The final text requires notification "without undue delay" and, where feasible, within 72 hours. This shows how a concrete policy concern becomes a specific GDPR obligation.

Step 4 – National Supervisory Authorities: Front‑Line Enforcers

Supervisory Authorities

Each EU Member State must have at least one independent supervisory authority (SA) responsible for monitoring and enforcing GDPR. Examples include CNIL in France and the Irish DPC in Ireland.

Legal Basis and Mandate

Articles 51–59 GDPR require SAs to be independent and well‑resourced. They monitor GDPR application, promote awareness, advise governments, and handle complaints from data subjects.

Investigative and Corrective Powers

SAs can demand information, conduct audits and access premises. They can issue warnings, order compliance or erasure, ban processing and impose administrative fines under Article 83.

Advisory Role and Independence

SAs approve tools like BCRs, advise on draft laws, and often issue national guidance. They must be free from external influence and are typically accountable through published reports and court review.

Step 5 – Match the Scenario to the Supervisory Authority Power

For each scenario, decide which type of SA power is mainly being used: investigative, corrective, or advisory.

  1. A controller refuses to provide detailed records of processing activities, and the SA orders it to hand them over within 10 days.
  2. After an investigation, the SA orders a company to stop using a certain tracking technology and imposes a fine.
  3. The national parliament asks the SA for input on a draft law about police use of facial recognition.

Your task:

  • Write down (or say out loud) which category fits each scenario.
  • Then check yourself against the solution below.

Solution (self‑check):

  1. Ordering records of processing activities → Investigative power.
  2. Ordering a ban + fine → Corrective power (plus the linked power to impose administrative fines).
  3. Giving input on a draft law → Advisory power.

If you mis‑matched any, revisit Articles 57–58 GDPR and try to phrase each power in your own words.

Step 6 – The European Data Protection Board (EDPB)

What is the EDPB?

The EDPB, created by Articles 68–76 GDPR, replaced the old Article 29 Working Party. It ensures consistent application of GDPR across the EU and acts independently.

Who Sits on the EDPB?

The EDPB is made up of the heads of national supervisory authorities plus the EDPS. The European Commission participates but has no voting rights.

Guidance and Consistency

Under Article 70, the EDPB issues guidelines and recommendations on GDPR and runs the consistency mechanism to avoid conflicting national interpretations.

Opinions and Binding Decisions

The EDPB gives opinions on draft SA decisions and approves EU‑wide codes and certifications. In disputes, it can adopt binding decisions under Article 65 that SAs must follow.

Step 7 – The European Data Protection Supervisor (EDPS)

Who is the EDPS?

The EDPS is the independent data protection authority for EU institutions, bodies, offices and agencies, governed mainly by Regulation (EU) 2018/1725.

What Does the EDPS Supervise?

It oversees data processing by the Commission, Parliament, Council and EU agencies such as Europol and Frontex, not by private companies in Member States.

Functions of the EDPS

The EDPS monitors compliance, investigates, and can take corrective action. It also advises EU institutions on new laws and policies affecting privacy.

EDPS and EDPB

The EDPS is a full member of the EDPB and hosts its secretariat, helping to shape EU‑wide guidance and dispute resolution on GDPR.

Step 8 – One‑Stop‑Shop and the Lead Supervisory Authority

What is One‑Stop‑Shop?

For cross‑border processing, GDPR usually lets a controller or processor deal with just one main authority: the lead supervisory authority (LSA), under Articles 56 and 60–67.

Finding the Lead SA

The lead SA is normally the authority where the controller’s or processor’s main establishment in the EU is located, i.e. where key decisions about processing are made.

Lead and Concerned SAs

The LSA leads investigations and decisions. Other authorities whose residents are affected are concerned SAs. They cooperate with the LSA by sharing information and views.

Scope and Limits

One‑stop‑shop only applies to cross‑border processing. Local‑only processing stays with the local SA. Law‑enforcement and some special sectors follow separate regimes.

Step 9 – Example: One‑Stop‑Shop in Action

EuroSocial’s Main Establishment

EuroSocial, a social media platform, has its EU headquarters and decision‑making centre in Ireland, with large user bases in Germany, France and Spain.

Lead and Concerned SAs

Ireland’s DPC is the lead SA for EuroSocial. The German, French and Spanish authorities are concerned SAs because many of their residents use the service.

Complaint Handling

A German user complains to the German SA, which forwards the case to the Irish DPC. The DPC leads the investigation but cooperates with the concerned authorities.

Escalation to the EDPB

If SAs disagree on the draft decision, the case can go to the EDPB, which may adopt a binding decision under Article 65 to resolve the dispute.

Step 10 – Quick Check: Who Does What?

Test your understanding of the main institutions and mechanisms.

A company with its main EU establishment in Spain runs the same online service in all Member States. A French user complains about unlawful profiling. Which authority is normally responsible for leading the investigation under GDPR?

  A. The European Data Protection Supervisor (EDPS)
  B. The Spanish supervisory authority as lead SA
  C. The French supervisory authority as local SA only
  D. The European Data Protection Board (EDPB)

Answer: B) The Spanish supervisory authority as lead SA

Because the processing is cross‑border and the company’s main establishment is in Spain, the Spanish supervisory authority is the lead supervisory authority (Article 56). The French SA is a concerned SA. The EDPS supervises EU institutions, and the EDPB steps in mainly for guidance and dispute resolution, not as the first‑line investigator.

Step 11 – Flashcard Review

Use these flashcards to reinforce key terms from this module.

Ordinary Legislative Procedure (OLP)
The main EU law‑making process where the European Parliament and the Council act as co‑legislators on the basis of a proposal from the European Commission.
Supervisory Authority (SA)
An independent public authority in each Member State responsible for monitoring and enforcing GDPR, handling complaints and advising on data protection matters.
Investigative Powers (of SAs)
Powers that allow SAs to gather information and evidence, such as requesting records, conducting audits and accessing premises and equipment.
Corrective Powers (of SAs)
Powers that allow SAs to change or stop unlawful processing, including warnings, reprimands, orders to comply, processing bans and administrative fines.
European Data Protection Board (EDPB)
The EU‑level body composed of national SAs and the EDPS that issues GDPR guidance, runs the consistency mechanism and adopts binding decisions in certain disputes.
European Data Protection Supervisor (EDPS)
The independent authority that supervises data protection compliance within EU institutions, bodies, offices and agencies and participates in the EDPB.
Lead Supervisory Authority (LSA)
The SA that acts as the main point of contact for a controller or processor engaged in cross‑border processing, usually where the main establishment is located.
One‑Stop‑Shop Mechanism
GDPR system allowing controllers and processors engaged in cross‑border processing to deal primarily with a single lead supervisory authority instead of many national SAs.
Consistency Mechanism
Procedures under GDPR (Articles 63–67) to ensure consistent application of the Regulation, including EDPB opinions and binding decisions in cross‑border cases.

Key Terms

Corrective Powers
Supervisory authority powers used to correct or sanction infringements, including warnings, orders, bans on processing and administrative fines.
One‑Stop‑Shop
A GDPR mechanism that allows organisations engaged in cross‑border processing to interact mainly with a single lead supervisory authority rather than multiple SAs.
Main Establishment
Under GDPR, the place in the EU where a controller or processor has its central administration or where key decisions about the purposes and means of processing are taken.
Investigative Powers
Supervisory authority powers used to obtain information and evidence, such as requests for information, audits and on‑site inspections.
Consistency Mechanism
GDPR procedures designed to ensure consistent interpretation and application across the EU, including EDPB opinions and binding decisions in cross‑border cases.
Supervisory Authority (SA)
An independent public authority in an EU Member State tasked with monitoring and enforcing GDPR, promoting awareness, handling complaints and advising on data protection.
Lead Supervisory Authority (LSA)
The supervisory authority that leads supervision of a controller or processor engaged in cross‑border processing, usually where the organisation has its main EU establishment.
Ordinary Legislative Procedure (OLP)
The standard EU law‑making process where the European Parliament and the Council jointly adopt legislation on the basis of a proposal from the European Commission.
European Data Protection Board (EDPB)
The EU‑level body composed of the heads of national SAs and the EDPS that issues guidance, coordinates enforcement and ensures consistent application of GDPR.
European Data Protection Supervisor (EDPS)
The independent authority responsible for supervising data protection within EU institutions, bodies, offices and agencies under Regulation (EU) 2018/1725.