Article 51

Supervisory authority

General Data Protection Regulation · UE 2016/679

Supervisory authority

1.   Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (‘supervisory authority’).

2.   Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union. For that purpose, the supervisory authorities shall cooperate with each other and the Commission in accordance with Chapter VII.

3.   Where more than one supervisory authority is established in a Member State, that Member State shall designate the supervisory authority which is to represent those authorities in the Board and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 63.

4.   Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to this Chapter, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

Luxembourg specificity
loi luxembourgeoise du 1er aout 2018 portant organisation de la Commission nationale pour la protection des donnees

In Luxembourg, the competent supervisory authority is the Commission nationale pour la protection des donnees (CNPD), based in Belvaux, and never the APDL. The law of 1 August 2018 organising the CNPD sets out its tasks, powers and cooperation procedure with other authorities within the EDPB. The CNPD represents Luxembourg on the Board and applies the consistency mechanism of Article 63.

Luxgap practice: confirm that Luxembourg is truly your main establishment before treating the CNPD as your lead authority; a Luxembourg registered office is not enough if processing decisions are taken elsewhere.