What you always wanted to know about data protection regulators but never dared to ask

Source: Succo

In many companies, the “data protection supervisory authority” is a term that inspires something close to fear. There is also often confusion about who the “competent data protection authority” is and what exactly it does. We would like to change that with this blog post.

In the following, you can quickly and easily find out which data protection authority is competent for you and how you can reach it. You will also learn what the tasks of these authorities are, and how they can help you by providing information on the subject of data protection.

What does a data protection supervisory authority actually do?

Data protection supervisory authorities have many tasks. The relevant article of the GDPR lists 22 (a to v). For companies, the tasks from the areas of information and supervision are particularly important. Supervision is the area most present in many people’s minds, partly because data protection supervisory authorities can impose heavy fines for violations of the European General Data Protection Regulation (GDPR). Next to the often feared topic of supervision, it is easy to overlook the fact that data protection supervisory authorities also support companies in complying with the GDPR by providing comprehensive information. Among other things, they provide helpful brochures, flyers, short papers, guidance, application notes, etc. At Perseus, we recommend: Use this information from a trusted source to the best of your ability.

Which data protection supervisory authorities exist in Germany?

Each federal state has its own independent data protection supervisory authority. Among other things, it is responsible for the non-public companies that have their headquarters in this federal state. In most cases, therefore, these authorities are your points of contact.

In addition, there is a data protection supervisory authority at the federal level: the Federal Commissioner for Data Protection and Freedom of Information (BfDI). Among other things, he advises the Bundestag.
All these authorities – those of the individual federal states and those of the federal government – together form the Data Protection Conference.

Which data protection supervisory authority is responsible for your company?

In most cases, the following applies: The data protection supervisory authority of the federal state in which your company’s headquarters are located is responsible.



Example: If your company is headquartered in Hanover, your competent data protection supervisory authority is that of the state of Lower Saxony.

So that you don’t have to search for long, we have compiled the contact details of the data protection supervisory authorities of all federal states in a list at the end of this blog post.
Don’t be surprised: these authorities are often called the State Commissioner or the Commissioner for Data Protection. This sounds like an individual, but there is a full agency behind it.
However, for telecommunications or postal service providers, and for companies in cases falling under the Security Clearance Act, the data protection supervisory authority at the federal level is responsible: the Federal Commissioner for Data Protection and Freedom of Information (BfDI).

When should you contact your competent data protection supervisory authority?

Sometimes companies need to contact their competent data protection supervisory authority directly, for example:

  • to report a data breach (for more information on this, see our whitepaper “What to do in the event of a data breach?”)
  • in the event of a data protection impact assessment
  • to notify data protection officers
  • in the event of specific questions that cannot be clarified in any other way

On the last point: You can clarify many concerns without asking the responsible data protection supervisory authority. But in exceptional cases, it is a good idea to ask the authority for information in order to obtain conclusive clarity. An example from the recent past is the introduction of 2G and 3G regulations in the workplace.

Reduce your fear of data privacy with Perseus

Data protection is a company-wide issue. All employees should be familiar with its basic principles. Easy to say? With our online training, it’s also easy to do. In short, easy-to-understand videos, we provide your employees with knowledge on many important aspects of data protection in companies.

Try it out for yourself. We provide you with our online training and other services free of charge for 30 days. Good to know up front: The trial period ends automatically and without any further obligations for you. Have fun!