Article 58 GDPR (Supervisory Authority Powers)

Article 58 of GDPR: Supervisory Authority Powers

Article 58 of GDPR lays out the supervisory authority’s powers to investigate data protection matters.

Supervisory authority investigation powers (Article 58(1) GDPR)

Each supervisory authority will have the following investigative powers:

  1. Order data controllers and data processors to provide any required information (Article 58(1)(a) GDPR)
  2. Perform data protection audits (Article 58(1)(b) GDPR)
  3. Review GDPR certifications (Article 58(1)(c) GDPR)
  4. Notify organizations infringing GDPR (Article 58(1)(d) GDPR)
  5. Order data controllers and data processors to provide it access to all their personal data (Article 58(1)(e) GDPR)
  6. Get access to any premises where data processing equipment may be held (Article 58(1)(f) GDPR)

Supervisory authority corrective powers (Article 58(2) GDPR)

In addition to its investigative powers, GDPR grants supervisory authorities the following corrective powers:

  1. Issue warnings relating to possible infringement of GDPR (Article 58(2)(a) GDPR)
  2. Issue reprimands for GDPR infringement (Article 58(2)(b) GDPR)
  3. Order companies to comply with an individual’s exercise of his or her rights (Article 58(2)(c) GDPR)
  4. Order data processing operations be rendered compliant with GDPR within a defined timeline (Article 58(2)(d) GDPR)
  5. Demand the communication of personal data breach incidents (Article 58(2)(e) GDPR)
  6. Impose temporary or permanent restrictions on data processing (Article 58(2)(f) GDPR)
  7. Order the rectification or erasure of personal data (Article 58(2)(g) GDPR)
  8. Withdraw an organization’s certification (Article 58(2)(h) GDPR)
  9. Issue administrative fines (Article 58(2)(i) GDPR)
  10. Suspend data flow to recipients in third countries (Article 58(2)(j) GDPR)

Supervisory authority advisory powers (Article 58(3) GDPR)

The supervisory authority is also granted advisory powers under GDPR.

Such advisory power consists of:

  1. Advise organizations seeking a prior consultation (Article 58(3)(a) GDPR)
  2. Render an opinion to the parliament or EU member states related to data protection (Article 58(3)(b) GDPR)
  3. Authorize data processing if required under the law of its member state (Article 58(3)(c) GDPR)
  4. Provide its opinion and approve draft codes of conduct (Article 58(3)(d) GDPR)
  5. Perform the accreditation of certification bodies (Article 58(3)(e) GDPR)
  6. Issue certifications and approve certification criteria (Article 58(3)(f) GDPR)
  7. Adopt standard data protection clauses (Article 58(3)(g) GDPR)
  8. Authorize contractual clauses (Article 58(3)(h) GDPR)
  9. Authorize administrative arrangements (Article 58(3)(i) GDPR)
  10. Approve binding corporate rules (Article 58(3)(j) GDPR)

Effective judicial power under member state law (Article 58(4) GDPR)

For the supervisory authority to adequately exercise its powers, GDPR requires that each EU member state ensure that its supervisory authority is able to get effective judicial remedy and due process.

Power to initiate legal proceedings (Article 58(5) GDPR)

GDPR requires that each EU member state provide the legal power to the supervisory authority for the following:

  1. Bring infringement cases to the attention of the judicial authorities
  2. Engage in legal proceedings to enforce GDPR

Additional powers granted by member states (Article 58(6) GDPR)

Each member state can provide, by law, for additional powers to the supervisory authority so long as these powers do not affect the authority's cooperation obligation or the consistency mechanism provided under GDPR.

Recitals applicable to Article 58 of GDPR

Relevant Recitals: 122, 129, 131

GDPR Text: Article 58 of GDPR and Relevant Recitals

GDPR Text Source: EUR-Lex

Official GDPR Text: General Data Protection Regulation 

Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679)