Data Protection Authority

From Open Risk Manual


A Data Protection Authority (DPA) is an independent authority (body) in charge of overseeing compliance with privacy and data protection laws. More specifically, its tasks are:

  • monitoring the processing of Personal Data within its jurisdiction (country, region or international organization);
  • providing advice to the competent bodies with regard to legislative and administrative measures relating to the processing of personal data;
  • hearing complaints lodged by citizens with regard to their data protection rights.

According to Article 51 of the GDPR, each Member State shall establish in its territory at least one data protection authority, which shall be endowed with investigative powers (such as access to data, collection of information, etc.), corrective powers (power to order the erasure of data, to impose a fine or a ban on processing, etc.), and authorisation or advisory powers (issuance of opinions, power to accredit certification bodies, etc.).

The European Data Protection Supervisor (EDPS) is established as an independent data protection authority at EU level by Article 52 of Regulation (EU) 2018/1725.

National data protection authorities have been established in all European countries, as well as in many other countries worldwide.