THE POWERS OF THE SUPERVISORY BODY IN THE GDPR AS A BASIS FOR SHAPING THE PRACTICES OF PERSONAL DATA PROCESSING

The purpose of this article is to analyse the competences of the supervisory authority provided for in the General Data Protection Regulation (GDPR) as a tool to shape the practice of personal data processing. This article verifies the thesis that the status of the supervisory authority formed in the GDPR, taking into account the authority’s independence, makes it possible to exercise the authority thoroughly, which is the basis for shaping personal data processing practice. Supervisory authorities have a wide range of powers to carry out the duties assigned to them. This is guaranteed by their independence. The exercise of powers resonates with all entities that fall under the jurisdiction of those authorities. The decisions of the authorities become the subject of interest of both the literature and personal data administrators. The powers connected with imposing administrative penalties might play a particular role. Their imposition means that entities in similar circumstances may expect to be subject to the same penalties. In order to avoid this situation, they tend to adapt their practices to the model adopted in the decision. Opinions and recommendations, as well as codes of conduct approved by the supervisory authorities for particular sectors, which are a benchmark for administrators in those sectors, play an important preventive role.


INTRODUCTION
Personal data is one of the basic elements of the functioning of a globalised world 1 . Technological developments entail the processing of an ever-increasing amount of information 2 . The effectiveness of a law depends on its ability to be enforced. The EU legislator has established independent supervisory authorities as guardians of GDPR enforcement. The aim of this article is to analyse the powers of the supervisory authority provided for in the GDPR as a tool to shape the practice of processing personal data. It is verified that the status of the supervisory authority as developed by the GDPR, taking into account its independence, allows for the reliable exercise of its powers, which forms the basis for the development of personal data processing practice.

THE SUPERVISORY AUTHORITY IN THE PERSONAL DATA PROTECTION SYSTEM IN THE EUROPEAN UNION
Article 51 of the GDPR introduces the institution of supervisory authorities. The EU legislator requires Member States to put in place a mechanism of such a form that one or more independent public authorities are responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons with regard to the processing and to facilitate the free flow of personal data within the Union. This solution is not new. A similar obligation is imposed on Member States by Article 28 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data 3 .
1 See: Zana Pedic, "Interconnectivity and differences of the (information) privacy right and personal data protection right in the European Union," Review of Comparative Law 30, no. 3 (2017): 125.
An attempt has been made in the literature to clarify the basic duty of supervisory authorities, namely, to monitor the application of GDPR. U. Góral indicates that monitoring is a concept that may indicate a passive or active attitude. In order to interpret this concept, reference should first be made to other language versions of the Regulation. In the French version of the Regulation, the word surveiller is used, which can mean both 'watchful' and 'inspects'. A similar understanding of duty can be found in other language versions: German (für die Überwachung der Anwendung), English (for monitoring the application) or Spanish (supervisar la aplicación) 4 . This justifies the assumption that it is the task of the supervisory authority to take active action in respect of the possibilities granted by the Regulation and national legislation.
Another issue under examination is the possibility for the national legislator to choose how to shape the supervisory authority. The doctrine indicates that this solution is an example of institutional autonomy for Member States, which have the freedom to shape their own administrative institutions. The supervisory authorities may be either collegiate or single-member. Their structure may be established in such a way that there is a single authority competent for the territory of the entire Member State, or in such a way that, in addition to such a central authority, there are a number of authorities which are competent for areas of the country which are separated at the level of administrative law, such as provinces or states. In Germany, for example, the supervisory authorities operate not only at federal level but also at the level of the individual Länder 5 .
At the same time, it should be noted that in the Regulation, in Article 51 (2)  the Union. It seems that the need to draw the attention of the EU legislator to the need for consistent application of the GDPR stems from the recognition of the risk of different application of the GDPR in the territory of individual Member States, which could ultimately lead to different interpretations of the same legal act at the level of individual Member States.
This article concerns solutions adopted at the level of EU legislation, in particular the GDPR. These solutions in the Polish legal order have been specified in detail by the Act of 10 May 2018 on the protection of personal data 6 , which has been subject to comprehensive analysis in the available literature 7 . The supervisory authority within the meaning of the Regulation is, pursuant to Article 34 paragraph 2 of the Data Protection Act, the President of the Personal Data Protection Office.
The Regulation allows the bodies supervising the processing of personal data in churches and religious associations to be shaped differently at the level of national legal systems. In view of Article 91(2) of the Regulation, churches and religious associations may in certain cases be subject to supervision by an independent supervisory authority, which may be separate from the state authority. However, where such a body is not established, the supervisory tasks will be carried out by a state authority 8 .
The autonomy of churches and religious associations is also implemented by the provision of Article 91(1) of the Regulation, according to which, if at the time of entry into force of the GDPR, churches and religious associations apply specific rules for the protection of personal data, such rules may continue to apply after adjustment to the requirements of the GDPR. In the absence of such prior regulations, the provisions of the Regulation are fully applicable.
A dispute has arisen in Polish literature as to whether the Catholic Church has such separate regulations in the Polish legal order. P. Fajgielski 9 is of the opinion that such regulations apply. The opposite view, according to which there are no such regulations in the internal law of the Catholic Church, was expressed in a monograph edited by D. Lubasz and E. Bielak-Jomaa 10 . The essence of the dispute in question comes down to whether the Catholic Church, in order to be covered by the exemption provided for in Article 91(1) of the GDPR, should have a normative system which would comprehensively regulate the processing of personal data. It seems that we should agree with the view expressed by Mr Fajgielski. In order to be covered by this exemption, it is necessary to apply specific rules for the protection of individuals with regard to the processing of their data. The Catholic Church has such rules in normative form 11 . The fact that such regulations may not be complete seems to be legally irrelevant in the light of the problem in question. It means, therefore, that the Catholic Church is subject to separate rules in Poland with regard to the processing of personal data to the extent that they were applied when the GDPR entered into force, provided that those rules were adapted to the provisions of the Regulation.

INDEPENDENCE OF THE AUTHORITIES
In accordance with Article 52(1) of the GDPR, each supervisory authority shall, in carrying out its tasks and exercising its powers under this Regulation, act with complete independence. This independence is not established in order to confer a privileged position on the authorities but as a guarantee of their ability to carry out the tasks assigned to them. It is reflected in existing CJEU case law on data protection authorities, which indicates that supervisory authorities should act objectively and impartially when carrying out their duties. To this end, they should be outside any external influence, including the direct or indirect influence of the State or Länder, and not only outside the influence of the controlled authorities 12 . These views, as developed in the case law, are reflected in the doctrine where, on the basis of considerations of the CJEU's jurisprudence, it is accepted that the independence of a State authority means that the State guarantees that the legal authority can carry out certain tasks without interference from other actors 13 . The question arises of how such independence can be achieved.
The EU legislator in Article 52 of the Regulation points to several aspects of independence. Firstly, Article 52(2) of the GDPR provides that the member of such a body must be free from outside influence when making decisions. It should be assumed that it would be contrary to EU law, for example, to subject a personal data protection authority directly to the supervision of one of the ministers responsible for the administrative department, which includes personal data protection. This view seems to be confirmed by the literature, which argues that, against a background of independence from the authorities of the Member States, probably the biggest practical implication of the ban on being bound by instructions will be that personal data protection authorities cannot be subordinated or even supervised by other state bodies. In other words, they cannot be linked to other management or supervisory ties 14 . The concept of 'external influence in decision-making' is vague. It seems that the basic tool for exerting influence is the possibility of issuing binding instructions. However, exerting influence also has other shades, because there are soft tools of exerting influence which a member of the body would have to take into account, such as influence on re-election, the possibility of appeal or influence on setting remuneration. It seems that it is not possible to exclude any external influence when taking specific actions. It should therefore be clarified which aspects of external influence are legally relevant in this respect. As a matter of principle, these issues are left to the national legislator with the reservation that the national legislator will be held accountable for the implementation of the directives of independence in accordance with procedures provided for by European Union law.
The EU legislator reserves the limits of this independence, indicating that the activities of supervisory authorities should be subject to substantive review by the courts and to organizational review by the relevant public administration bodies in the various national systems. According to recital 118 of the GDPR, the independence of supervisory authorities should not mean that they cannot be subject to mechanisms of control or monitoring in terms of expenditure or judicial review. This recital is reflected in Article 52(5) of the GDPR. This means that the systemic independence of the supervisory authorities does not lead to them being taken out of the hands of the national administration. On the contrary, these authorities are part of it. However, it seems that, in order to ensure the full independence of the authorities, it is necessary to use mechanisms which, in a given Member State, in a given normative arrangement, will guarantee that the decisions taken by these authorities will be independent of external influences. In this respect, the national legislator is obliged to balance two issues: the need for organizational control of the authority and the authority's systemic independence.

A CATALOGUE OF POWERS OF THE SUPERVISORY AUTHORITIES
The powers conferred on the supervisory authorities by the Regulation are intended to fulfil the tasks assigned to them. The catalogue of powers is set out in Article 58 of the GDPR. It is broad, and commentators have identified five categories 15 : (i) powers of investigation; (ii) powers of resolution; (iii) powers of authorization 16 ; (iv) advisory powers; (v) powers to report violations of the GDPR to the judiciary and the power of supervisory authorities to participate in legal proceedings 17 .
The Regulation describes in detail the powers of the supervisory authorities in Chapter VI Section 2 "Competence, tasks and powers". The detailed description of the powers of the authorities already at the level of European law is directly linked to the objective of the GDPR: consistent and effective implementation throughout the European Union. This would not be possible without equipping supervisory authorities with broad competences at the level of Union law. The aim of the solution adopted is to ensure that all supervisory authorities have the same tasks and competences in key areas.
The catalogue of rights is closed; this position is presented in the literature 18 . It seems necessary to use the directives indicated by the EU legislator in recital 129 of the Regulation to interpret the individual powers and to exercise those powers by the supervisory authorities. This recital identifies key issues related to the exercise of powers by data protection authorities. These authorities are obliged to act on the basis and within the limits of Union law and the law of the Member States. The activities of the supervisory authorities, in accordance with the directives set out in recital 129, should be carried out efficiently, objectively and fairly. the exercise of the powers of the authorities, subject to the provisions that proportionate action is also to ensure compliance with the Regulation. The GDPR also introduces the obligation to hear the person concerned before an individual measure is taken against him or her. These directives are of a general nature. The authorities should take action with these recommendations in mind.
The model of broad powers conferred on independent supervisory authorities gives them a strong mandate to shape how the rules on the processing of personal data will be interpreted in practice 19 . This mandate is implemented both through hard powers, in particular the possibility of imposing sanctions, and soft powers, such as the possibility of issuing recommendations. The activities undertaken and communicated by the supervisory authorities are monitored by data controllers and data protection officers. In order to comply with the requirements or practices of the supervisory authorities, the controllers adjust their data processing processes. A careful look at the individual groups of powers will allow conclusions to be drawn on how these processes may be adjusted as a result of the exercise of powers by the supervisory authority.

(A) Powers in the conduct of proceedings
The powers in the scope of conducted proceedings, correlated with the task provided for in Article 57(1)(h) of the Regulation, are defined in Article 58(1) of the Regulation by indicating that the supervisory authority has the following powers: (i) to require the controller and the processor to provide all information necessary for the supervisory authority to carry out its tasks; (ii) to conduct investigations in the form of data protection audits; (iii) to review the certifications granted under the Regulation; (iv) to notify the controller or processor of a suspected breach of the Regulation; (v) to obtain from the controller and the processor access to all personal data and all information necessary for the supervisory authority to carry out its tasks; (vi) to obtain access to all premises of the controller and the processor, including the processing equipment and means, in accordance with the procedures laid down in Union or Member State law.
The powers indicated in Article 58(1) of the GDPR shall constitute a catalogue of powers of a control nature 20 . The doctrine indicates that these are activities which consist of examining whether the activities of a controlled entity correspond to the state of affairs required by law and of drawing conclusions if deviations from this state of affairs are found 21 . For the full implementation of control tasks, the power to order the provision of all necessary information is important. It is not possible to carry out effective control without such a power. It is important that the scope of the information requested in a particular case is decided by the supervisory authority, and the addressee of the request has no possibility to question the scope of the information requested 22 . This means that considerable discretion is left to the authority in this respect. The question of how this power is to be exercised is not specified in the text of the Regulation and is left to the legislators of the Member States to decide in accordance with the rules laid down in their national orders 23 .
The form in which the authorities will carry out proceedings is defined by the EU legislator as an 'audit'. It is indicated in the literature that the audit is a set of activities which aim to examine and confirm the correctness of the operations conducted on personal data and their compliance with the Regulation. A characteristic feature of the audit is that it is carried out by an entity external to the organisation which is the subject of the audit 24 . In recital 129 of the Regulation, it is indicated that the powers to conduct investigations in relation to access to premises should be exercised in accordance with the specific requirements of the Member State's rules on procedure, such as the requirement to obtain prior judicial authorisation. This means that investigations should be carried out by the supervisory authorities in accordance with the standards laid down in the legislation of each Member State.
This group of powers is important in the framework of control proceedings. However, the results of the exercise of these powers are not usually communicated to the public in the form of statements or communications from the supervisory authority. Only the results of the inspections carried out, e.g. in the form of decisions, may be subject to judicial consideration and thus contribute to the development of personal data processing practice. However, the stage described in this subchapter is an essential element of the procedure.

(B) Powers of a corrective character
In order to ensure effective enforcement of the Regulation by supervisory authorities, they have been equipped with a catalogue of remedial powers that can be exercised by those authorities on entities on which the GDPR imposes certain obligations. According to Article 58(2) of the GDPR, these powers are: (i) to issue warnings to the controller or processor regarding possible breaches of GDPR rules by planned processing operations; (ii) to issue reprimands to the controller or processor in case of a breach of GDPR rules by processing operations; (iii) to require the controller or processor to comply with the data subject's request under his rights under the GDPR; (iv) to require the controller or processor to adapt processing operations to the GDPR and, where appropriate, to indicate the manner and timing; (v) to order the controller to notify the data subject of the data breach; (vi) to impose a temporary or total restriction of processing, including a prohibition on processing; (vii) to order the rectification or erasure of personal data or the restriction of processing, and to order the notification of these actions to recipients to whom the personal data have been disclosed; (viii) to withdraw certification, or to require the certification body to withdraw certification, or to require the certification body not to certify if its requirements are not, or are no longer, fulfilled; (ix) to impose, in addition to or instead of other administrative measures, a financial penalty, depending on the circumstances of the specific case; (x) to order the suspension of data flows to a recipient in a third country or to an international organization.
It appears from the catalogue presented above that supervisory authorities have a number of measures of a sovereign nature through which they can enforce the Regulation 25 .
The first measure is a warning. The literature indicates that a warning may be addressed to an administrator or processor when there has not yet been a breach of the Regulation, but there is a risk that such a breach may occur. It seems that this measure will not be of a sovereign nature, but will provide a basis for determining whether the administrator or processor was aware of a specific risk of GDPR infringement 26 .
The second type of measure is a reprimand. A reprimand may be applied in case of a breach of GDPR. It is doubtful when the authority should apply a warning and when other, more severe types of measures should be applied to the administrator or processor in the event of a breach of the Regulation. In the doctrine, following recital 149 of the Regulation, it is argued that a reprimand may be applied if the infringement is minor or if the financial penalty would impose a disproportionate burden on an individual 27 . The possibility of applying a reprimand will therefore depend on the supervisory authority's assessment of the specific facts for each case.
A third type of corrective measure is the possibility of ordering the controller or processor to adapt the processing to the Regulation. The literature indicates that the supervisory authority may indicate in the content of the order how it should be enforced and when the order should be enforced. The use of this possibility is left to the discretion of the supervisory authority 28 . Other types of warrants provided for in Article 58(2) of the GDPR (e.g. an order to comply with the data subject's request under his rights under the GDPR; an order to notify the data subject of a data breach) are specific to this general power.
The key power conferred on the supervisory authorities is the possibility to impose administrative penalties as provided for in Article 83 of the Regulation. This power plays a key role in the application of the Regulation due to the possibility to impose penalties for non-compliance with the GDPR of up to EUR 20,000,000 or up to 4% of its total annual worldwide turnover in the previous financial year. These penalties shall be effective, proportionate and dissuasive in accordance with Article 83(1) of the GDPR 29 . This power may be exercised instead of or in addition to the measures provided for in Article 58 of the GDPR. The provision of Article 83 of the Regulation sets out in detail the rules for imposing and setting administrative penalties. In particular, administrative penalties should be effective, proportionate and dissuasive (Article 83(1) of the Regulation). The amount of the penalty depends on individual factors, including the degree of infringement, intentionality, nature, seriousness and duration of infringements (Article 83(2) of the GDPR). The imposition of administrative penalties is one of the most difficult tasks that data protection authorities face. Which of the data processing practices of the controllers will be sanctioned by the supervisory authorities influences what modifications other controllers will implement. Decisions in this regard should therefore be taken by the supervisory authorities with caution.
28 Paweł Litwiński, "Komentarz do artykułu 58," in EU Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of data. Commentary, ed. Paweł Litwiński (Warsaw: Legalis el., 2018).
An additional difficulty with this entitlement arises from the ambiguity of the criteria that are relevant for determining the amount of the administrative penalty. It is interesting that the EU legislator, in recital 129 of the regulation, has set out in quite a detailed manner the formal conditions which should be met by measures of a sovereign nature issued by supervisory authorities. Each legally binding measure of a supervisory authority should be in writing, have a clear and unambiguous character, indicate the supervisory authority which issued the measure and the date of issue, bear the signature of the head or member of the supervisory authority authorised by him, give reasons for the measure and inform about the right to an effective remedy. At the same time, the EU legislator shall not preclude the introduction of additional formal requirements provided for by national legislation. The transfer of the above considerations to the Polish legal system leads to the conclusion that the above-mentioned list of elements which should constitute the content of a binding measure of the supervisory authority corresponds in principle to the requirements of an administrative decision specified in Article 107(1) of the Act of 14 June 1960 Code of Administrative Procedure 30 . Binding measures of the supervisory authority may be subject to control by independent judicial authorities in the Member State of the supervisory authority which applied the measure. It is left to the national legislator to ensure effective implementation of this Directive.
It seems that this group of powers is crucial in shaping the practice of processing personal data. The decisions of the supervisory authorities are, as a rule, published on the websites of the supervisory authorities, which makes them the focus of doctrine. Courts are then involved in the shaping of these decisions, and they verify the exercise of individual powers by the supervisory authorities on the merits. Ultimately, however, the application of sanctioning measures in certain circumstances to a particular entity means that other entities in similar circumstances can expect the same sanctioning measures. In order to avoid this situation, they are willing to adapt their practices to the model adopted in the settlement.

(C) Authorisation powers
The supervisory authorities have been given authorisation powers in order to carry out the tasks assigned to them. The nature and scope of these powers are specifically provided for in the provisions of the Regulation, which do not concern the status of supervisory authorities but the duties of administrators and processors. Among these powers, it is worth mentioning the following authorisations: (i) authorisation of processing (Article 36(5) of the Regulation); (ii) issuing opinions and approving draft codes of conduct (Article 40(5) of the GDPR); (iii) accrediting certification bodies; (iv) granting certification; (v) authorising administrative arrangements (Article 46(3)(b) of the GDPR); (vi) approving corporate rules (Article 47 of the GDPR). These authorisations shall be granted in accordance with the procedures provided for by the legislation of the Member States and taking into account those provisions of the Regulation which may be directly applicable 31 . These authorisations play an important role in the practice of supervisory authorities and the processing of personal data. A particularly important issue is the possibility of approving codes of conduct for individual industries. As a rule, these codes of conduct are prepared by the representatives of a given sector (e.g. insurance, health, or banking). The data processing practices described there and technological solutions adapted to the specificity of a given sector make it possible to respond in a clear way to important practical problems, especially at the interface between the value of the right to privacy and the efficiency and profitability of a company. Once approved by the supervisory authorities, these codes play an important role within the various sectors, by mitigating the legal risks associated with the implementation of personal data processing solutions.

(D) Advisory powers
The advisory power is directly related to the advisory tasks foreseen for supervisory authorities. These tasks will, in principle, be carried out in the manner and on the basis of measures envisaged by the Member States. It is the responsibility of national legislators to allocate such powers and resources to the supervisory authorities that they can carry out their advisory and educational tasks as far as possible.
As regards advisory powers, the EU legislator draws attention to two of them: (i) to advise the controller in accordance with the prior consultation procedure (Article 36 of the GDPR); (ii) to issue opinions intended for the national parliament, the government of a Member State or other institutions and bodies and the public at large on any matter relating to personal data protection.
The first of these powers is detailed and relates to the procedure connected with an assessment of the data protection implications of processing operations (Article 35 GDPR). The second power is of a more general nature and gives the supervisory authorities broad powers of opinion on all matters relating to the protection of personal data. This right is evidence of a paradigm shift in thinking about the protection of personal data in such a way that this issue is becoming one of the key issues in the public debate in the information society, and the supervisory authorities should have the means to speak out in such a debate.
From the point of view of the effective functioning of the Regulation, it is desirable for these powers to play an important role in shaping the processing of personal data on the part of controllers and processors 32 . It is advisable that as wide an area as possible be covered by the recommendations of the supervisory authorities in such a way as to mitigate the legal and technological risks associated with these processes on the part of the controllers and data processing entities. It is up to the supervisory authorities to select the subjects and means of issuing opinions in a way that will guide the data processing processes in a safe and rational manner. In this regard, it should be borne in mind that there are situations in which the right to privacy may give way to other values, such as the need to obtain information quickly about the health of the person closest to them, or the need to combat money laundering and terrorist financing.

(E) The power to report GDPR infringements to the judiciary and the power of supervisory authorities to participate in court proceedings
Article 58(5) of the GDPR confers on the supervisory authority the power to bring an infringement of this Regulation before a judicial authority and, where appropriate, to initiate or otherwise participate in legal proceedings in order to enforce the application of this Regulation. The national legislator shall be required to guarantee this possibility. The legal bases establishing the modalities and conditions under which contacts between those entities take place should therefore be introduced at the level of national legislation. The power provided for in Article 58(5) of the GDPR is linked to Article 84 of the Regulation, which provides for the possibility for the national legislator to introduce sanctions other than those provided for in the GDPR for infringements of the Regulation. The national legislator has the right to introduce provisions governing criminal liability for the breach of the Regulation. However, as a rule, the procedure related to the possible commission of a crime is not carried out by personal data protection authorities. Such a procedure will be carried out by the authorities specified in national legislation as part of criminal procedures. The provision discussed in this point gives supervisory authorities the power to inform such authorities about the possible commission of an offence. It seems that this group of powers should, in the light of the issue under consideration, be identified as a power which is subsidiary to a group of powers of a sanctioning nature.

CONCLUSIONS
The supervisory authorities are equipped with a wide range of powers to carry out the tasks entrusted to them. The independence of these authorities is a guarantee of their sound implementation. The exercise of these powers resonates with all those who fall within the competence of these authorities. The decisions of the authorities become a matter of interest for the doctrine and the controllers of personal data. Powers related to the imposition of administrative penalties may be of particular importance. Their application means that entities which find themselves in circumstances similar to those of the sanctioned entity can expect the same sanctions to be applied to them. In order to avoid this situation, they are willing to adapt their practices to the model adopted in the decision of the authority. Opinions and recommendations, as well as codes of conduct approved by the supervisory authorities for individual industries, which are a reference point for administrators operating in these industries, play an important preventive role.