GDPR Article 58 is the powers article: it lists the investigative, corrective and authorisation powers each supervisory authority must have, together with a small set of authority-side duties around complaint handling and burden of proof. It binds supervisory authorities (the national data protection authorities), not controllers or processors directly. The obligation rows do not record a deadline; Article 58 has applied since 25 May 2018.
What Article 58 requires
The article divides into two halves: duties on the authority itself (facilitate complaints, charge no fees, carry the burden where it claims a request is excessive) and powers the authority must possess (compel information, audit, review certifications, notify of infringement). The seven obligation rows here cover both halves.
Obligation breakdown
Facilitate complaints
"Each supervisory authority shall facilitate the submission of complaints by measures such as a complaint submission form which can also be completed electronically." The example — an electronic form — is illustrative; the duty is to make the route accessible, not to use any particular technology.
No charge to the data subject
"The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, for the data protection officer." A national authority cannot price-gate access to its own complaint and information functions.
Burden on the authority for "manifestly unfounded or excessive"
"Where requests are manifestly unfounded or excessive, the supervisory authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request." This is a procedural backstop: the authority cannot simply assert that a request is excessive — it has to show it.
Power to order information
"Each supervisory authority shall have the power to order the controller and the processor to provide any information it requires for the performance of its tasks." The verb is order, not request — the controller and processor are obliged to respond.
Power to audit
"Each supervisory authority shall have the power to carry out investigations in the form of data protection audits." The form named is the audit; investigation in other forms is not excluded by this row but is not its subject.
Power to review certifications
"Each supervisory authority shall have the power to carry out a review on certifications issued pursuant to Article 42(7)." This connects Article 58 to the GDPR certification regime — once issued, certifications are not insulated from later supervisory review.
Power to notify alleged infringement
"Each supervisory authority shall have the power to notify the controller or the processor of an alleged infringement of this Regulation." Notification is itself a power: it can precede formal corrective action, and it puts the controller on the record as having been informed.
Cross-references
Article 58 is one of the most-cited GDPR articles in cross-regulatory texts indexed in our corpus. References include "Article 58 GDPR", "Art. 58 GDPR", "Art. 58 (1) GDPR", "Article 58(1) GDPR", "Article 58(2) GDPR", "Article 58(2)(b) GDPR", "Article 58(2)(c) GDPR", "Article 58(2)(d) GDPR", "Article 58(2)(i) GDPR", and "Article 58(2)(j) GDPR". The Article 58(2) sub-references generally point to the corrective-power list, which downstream regulations rely on when they hand additional powers to data protection authorities.
What this means in practice
Controllers and processors that receive a notification of alleged infringement should treat it as the start of a formal record, not a courtesy heads-up: subsequent corrective measures under Article 58(2) build on that record. The "no charge" rule means data subjects can use the authority's complaint route without cost calculations; the "manifestly unfounded or excessive" burden means the authority pays for that openness when bad-faith filings arrive. Multinational groups that face parallel investigations across Member States should expect Article 58 powers to be exercised by each lead authority, with the cooperation procedure under Articles 60–63 layered on top.
Related Fontvera pages
- AI Act vs GDPR on automated decisions — Article 58 powers are the corrective tools data protection authorities will use when AI Act and GDPR overlap on automated decision-making.
- AI Act fines and penalties by country — the supervisory-authority structure GDPR Article 58 codifies anchors the AI Act enforcement model in many Member States.