Skip to main content

Article 25 — Powers of the Supervisory Authority

  1. The supervisory authority shall have the following investigative powers:
    1. to order any controller or processor to provide any information the supervisory authority requires for the performance of its functions, within such time as the supervisory authority may specify;
    2. to carry out audits and inspections of the data processing operations of any controller or processor, including the review of records, systems, and documentation relating to the processing of personal data;
    3. to obtain access to all personal data and to all information necessary for the performance of its functions, including access to any premises, equipment, or means used for the processing of personal data, subject to applicable rules of host-jurisdiction law governing entry to premises;
    4. to notify a controller or processor of an alleged infringement of this Code and to require the controller or processor to provide a written response within a specified period;
    5. to require a controller or processor to carry out a data protection impact assessment in accordance with Chapter 2 of Title III of this Code where the supervisory authority considers that a type of processing is likely to result in a high risk to the rights and freedoms of data subjects.
  2. The supervisory authority shall have the following corrective powers:
    1. to issue a warning to a controller or processor that intended processing operations are likely to infringe this Code;
    2. to issue a reprimand to a controller or processor where processing operations have infringed this Code;
    3. to order a controller or processor to comply with a data subject's request to exercise rights under Title II of this Code;
    4. to order a controller or processor to bring processing operations into compliance with this Code, in a specified manner and within a specified period;
    5. to order a controller to communicate a personal data breach to the data subject in accordance with Chapter 2 of Title III of this Code;
    6. to order the rectification or erasure of personal data or the restriction of processing in accordance with Chapter 2 of Title II of this Code, and to order the notification of such actions to recipients to whom the personal data have been disclosed;
    7. to impose a temporary or definitive limitation on processing, including a ban on processing, where the supervisory authority determines that continued processing would cause serious harm to the rights and freedoms of data subjects or would constitute a grave or persistent infringement of this Code;
    8. to order the suspension of data transfers to a recipient in a foreign jurisdiction or to an international organisation where the supervisory authority determines that the transfer does not comply with Chapter 3 of Title III of this Code.
  3. The supervisory authority shall have the following advisory powers:
    1. to issue opinions, on its own initiative or upon request, on any matter relating to the protection of personal data, including on legislative and administrative proposals affecting the processing of personal data;
    2. to approve and publish standard data protection clauses for inclusion in contracts between controllers and processors, and between controllers or processors and recipients in foreign jurisdictions;
    3. to approve codes of conduct submitted by associations or bodies representing categories of controllers or processors, and to monitor compliance with approved codes of conduct;
    4. to authorise contractual clauses and provisions to be inserted in agreements relating to international transfers of personal data where those clauses provide appropriate safeguards within the meaning of this Code;
    5. to determine whether the data protection framework of a foreign jurisdiction or the data protection rules of an international organisation affords an adequate level of protection, and to publish a list of jurisdictions and organisations so recognised.
  4. The exercise of the powers conferred by this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, in accordance with the Fundamental Laws of the Principality. In particular, any order or decision issued under paragraph 1 or paragraph 2 shall state the reasons on which it is based and shall inform the addressee of the right to petition the Sovereign in accordance with the Fundamental Laws.
  5. The supervisory authority shall exercise the powers conferred by this Article in a manner that is proportionate to the nature, gravity, and consequences of the infringement or risk concerned, having regard to the circumstances of each case and the administrative capacity of the Principality.