Competent Authorities Designation and Powers under DSA
The content is titled 'Competences' from the DSA and discusses the allocation and scope of authority powers under the Digital Services Act. This requires a dedicated topic covering DSA-specific competent authority designation, powers, and responsibilities.
competent authorities authority designation DSA competences regulatory authority member state authority authority powers authority jurisdiction authority mandate
Overview
Legal Framework
The designation of competent authorities and their supervisory powers under the Digital Services Act (DSA) are governed by the DSA's institutional provisions, with Recital 109 providing the foundational principle. The law requires each Member State to designate at least one authority responsible for supervising and enforcing the DSA, which may be an existing national body. Member States have the flexibility to establish a single Digital Services Coordinator or to distribute specific supervisory and enforcement tasks among multiple competent authorities, in accordance with their national legal structures.
Practical Application
The designated authorities, particularly the Digital Services Coordinator of establishment for very large online platforms and search engines, are granted extensive investigative powers to ensure effective oversight. As emphasized in Recital 96, this includes the power to require access to specific data, including data related to algorithms, to assess systemic risks and compliance. This power is interpreted through the lens of necessity and proportionality, principles reinforced by case law such as Worten. The authorities' data access must be necessary for their monitoring mandate and should not exceed what is required to verify compliance with the DSA's obligations. The overarching goal is to enable authorities to understand and audit automated systems that can cause significant societal harm.
Key Considerations
- Scope of Data Requests: Organizations, especially VLOPs and VLOSEs, must be prepared to provide competent authorities with specific data, including algorithmic data, upon justified request. The legitimacy of such requests hinges on their necessity for assessing compliance with risk management and other DSA obligations.
- Proportionality Defense: While authorities have broad access powers, organizations can challenge requests that appear disproportionate or unnecessary for the stated supervisory purpose, aligning with the principles established in related CJEU jurisprudence on data access by public authorities.
- Multi-Authority Coordination: Entities operating in multiple Member States must map the national enforcement landscape, as tasks may be split between different competent authorities (e.g., a Digital Services Coordinator and a consumer protection body), requiring coordinated compliance responses.
Laws (45)
View all 45Case Law (2)
SCHWARZ V. BOCHUM, 17.10.2014 (âSCHWARZâ)
Schwarz
Necessity/proportionality: Secure storage of fingerprints reduces risk of passports falsification and to facilitates EU borders control and,thus, it is appropriate.(¶¶ 41-45).
WORTEN-EQUIPAMENTOS PARA O LAR SA V. ACT (AUTHORITY FOR WORKING CONDITIONS), 30.5.2013 (âWORTENâ)
Worten
Necessity/proportionality: Collection and processing of personal data contained in the record of working time to ensure compliance with national legislation relating to working conditions is lawful if it is necessary for compliance with a legal obligation to which the controller is subject. Access should be grated only to authorities having powers of monitoring compliance with legal requirements. An obligation to provide immediate access to the record could be necessary if it contributes to the
Guidance (16)
Richtsnoeren 07/2022 voor certificering als doorgifte-instrument
guidelines certificering
Op grond van artikel 46 van de algemene verordening gegevensbescherming (AVG) moeten gegevensexporteurs passende waarborgen bieden voor de doorgifte van persoonsgegevens aan derde landen of internationale organisaties. Daarom worden in de AVG de verschillende passende waarborgen aangegeven die gegevensexporteurs overeenkomstig artikel 46 kunnen gebruiken als kader voor de doorgifte aan derde landen, onder meer door certificering in te voeren als nieuw doorgiftemechanisme (artikel 42, lid 2, en a...
Richtsnoeren 2/2023 over het technische topassingsgebied van artikel 5, lid 3, van de eprivacyrichtlijn
guidelines technische toepassingsgebied van artikel 5(3) e-privacyrichtlijn
Version history
Guidelines on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies
Versiegeschiedenis
guidelines doorgifte van persoonsgegevens tussen overheidsinstanties en -organen binnen en buiten de EER
Richtsnoeren 05/2022 voor het gebruik van gezichtsherkenningstechnologie in het kader van rechtshandhaving
guidelines gebruik gezichtsherkenning bij rechtshandhaving
Steeds meer rechtshandhavingsinstanties passen gezichtsherkenningstechnologie toe of zijn voornemens deze toe te passen. De technologie kan worden gebruikt om een persoon te authenticeren of te identificeren en kan voor video's (bijv. CCTV) of foto's worden ingezet, maar ook voor andere doeleinden, waaronder het opzoeken van personen op signaleringslijsten van de politie of het volgen van de bewegingen van een persoon in de openbare ruimte. Gezichtsherkenningstechnologie is gebaseer...
Richtsnoeren 3/2019 inzake de verwerking van persoonsgegevens door middel van videoapparatuur
guidelines cameratoezicht
Richtsnoeren 07/2022 voor certificering als doorgifte-instrument
Op grond van artikel 46 van de algemene verordening gegevensbescherming (AVG) moeten gegevensexporteurs passende waarborgen bieden voor de doorgifte van persoonsgegevens aan derde landen of internationale organisaties. Daarom worden in de AVG de verschillende passende waarborgen aangegeven die gegevensexporteurs overeenkomstig artikel 46 kunnen gebruiken als kader voor de doorgifte aan derde landen, onder meer door certificering in te voeren als nieuw doorgiftemechanisme (artikel 42, lid 2, en a...
Guidelines 10/2020 on restrictions under Article 23 GDPR
Guidelines on restrictions under Article 23 GDPR
Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive
Guidelines on technical scope of art. 5(3) of ePrivacy Directive
Guidelines 04/2022 on the calculation of administrative fines under the GDPR
Guidelines on the calculation of administrative fines under the GDPR
The European Data Protection Board (EDPB) has adopted these guidelines to harmonise the methodology supervisory authorities use when calculating of the amount of the fine. These Guidelines complement the previously adopted Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679 (WP253), which focus on the circumstances in which to impose a fine. The calculation of the amount of the fine is at the discretion of the supervisory authority, ...
GROEP GEGEVENSBESCHERMING ARTIKEL 29
guidelines transparantie
Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement
Guidelines on the use of facial recognition technology in the area of law enforcement
More and more law enforcement authorities (LEAs) apply or intend to apply facial recognition technology (FRT). It may be used to authenticate or to identify a person and can be applied on videos (e.g. CCTV) or photographs. It may be used for various purposes, including to search for persons in police watch lists or to monitor a person's movements in the public space. FRT is built on the processing of biometric data , therefore, it encompasses the processing of special categories ...
ARTICLE 29 DATA PROTECTION WORKING PARTY
Guidelines on transparency
Richtsnoeren 10/2020 met betrekking tot de beperkingen krachtens artikel 23 AVG
guidelines beperkingen rechten van betrokkenen
Guidelines 9/2022 on personal data breach notification under GDPR
Guidelines on personal data breach notification under GDPR
Versiegeschiedenis
guidelines meldplicht datalekken
News (3)
Draft UK adequacy decisions: EDPB adopts opinions
Brussels, 20 October - During its latest plenary, the EDPB adopted two opinions on the European Commissionâs draft decisions on the extension of the validity of the UK adequacy decisions under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED) until December 2031.* The EDPB opinions, requested by the Commission as per Art. 70(1) (s) GDPR and Art. 51(1) (g) LED, address the proposed six-year extension of the two UK adequacy decisions which are set to expire in D
EDPB adopts statement on European Police Cooperation Code & picks topic for next coordinated action
The EDPB adopted a statement on the European Commissionâs proposal for an EU Police Cooperation Code. This proposal aims to enhance law enforcement cooperation across Member States, in particular the information exchange between the competent authorities. The code is comprised of three main measures: proposal for a PrĂŒm II Regulation, proposal for a Police Information Exchange Directive and the proposal for a Council Recommendation on operational police cooperation.
EU-Hof: een belastingautoriteit die bij een marktaanbieder van internetdiensten gegevens opvraagt moet de AVG in acht nemen
The collection by the tax authority of a Member State of personal data concerning the advertisements for the sale of vehicles placed on the website of an economic operator falls within the material scope of the General Data Protection Regulation (AVG). Thus, that authority will also have to comply with the principles on the processing of personal data laid down in the AVG. However, a tax authority can derogate from the AVG in certain cases, even if the right to derogate is not granted by nationa