Article 55: Competence
Article 55 sets out the competence of EU supervisory authorities (SAs): which authority has territorial jurisdiction to perform GDPR tasks and exercise enforcement powers over processing activities. To operationalize it, you need a repeatable way to identify the competent SA for each part of your EU footprint, document the decision, and route regulatory communications, complaints, and incident interactions to the right authority. (Regulation (EU) 2016/679, Article 55)
Key takeaways:
- Build and maintain a “supervisory authority jurisdiction register” mapped to your establishments and processing locations.
- Define an intake-and-routing procedure for regulator contact, data subject complaints, and cross-border incidents.
- Retain a defensible evidence packet: decision rationale, approvals, and communication logs.
Compliance teams rarely fail GDPR because they cannot recite the law. They fail because they cannot route decisions and communications fast enough under pressure: a regulator inquiry arrives, a data subject complaint escalates, or an incident triggers multi-country notifications. Article 55 matters in those moments because it determines which supervisory authority is competent “on the territory of its own Member State.” (Regulation (EU) 2016/679, Article 55)
For a CCO, Compliance Officer, or GRC lead, the operational goal is simple: ensure your organization can quickly identify the right EU authority to engage, and prove you made a reasonable, documented determination based on where processing and establishments sit. This is not a “policy-only” requirement. You need an operating model that works across Legal, Privacy, Security, Customer Support, and any team that might receive an authority contact.
This page gives you requirement-level implementation guidance focused on execution: who owns it, what triggers it, what to document, and what auditors tend to challenge. It also covers the common trap: assuming Article 55 is “for regulators only.” Your organization still needs competence mapping to avoid missed deadlines, misrouted submissions, and inconsistent positions.
Regulatory text
GDPR Article 55(1) states: “Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.” (Regulation (EU) 2016/679, Article 55)
Article 55 has two further paragraphs that shape the mapping: paragraph 2 makes the SA of the Member State concerned competent where processing is carried out by public authorities or private bodies acting under Article 6(1)(c) or (e) (legal obligation or public task), and states that the Article 56 lead-authority mechanism does not apply in those cases; paragraph 3 excludes processing by courts acting in their judicial capacity from SA supervision. If any of your processing falls into those categories, record it in your register, because the territorial answer will not follow the default pattern. (Regulation (EU) 2016/679, Article 55(2) and (3))
What this means for operators
Article 55 allocates competence to supervisory authorities rather than imposing a direct duty on controllers or processors, but it creates a practical requirement for you: you must be able to determine which authority is competent for your processing footprint so you can engage correctly and consistently.
Operationally, treat Article 55 as a routing and governance control:
- If you have an establishment in one or more EU Member States, you must know which country’s SA is competent for activities in that territory.
- If processing occurs in multiple Member States, you must still be able to explain, based on where your establishments and operations sit, which authority you engaged first and how you coordinated your response across the implicated territories. (Regulation (EU) 2016/679, Article 55)
Plain-English interpretation (requirement-level)
You must maintain a documented, current understanding of which EU supervisory authority has territorial competence over your processing activities, and you must operationalize that understanding through intake, escalation, and communications procedures.
This becomes “real” in three workflows:
- Inbound regulator contact (letters, emails, phone calls, portals).
- Data subject complaints that mention regulators or indicate escalation risk.
- Security/privacy incidents where regulatory notifications or follow-up questions may occur.
Who it applies to (entity and operational context)
Entity scope
- Controllers and processors subject to GDPR that have any EU establishment, EU-based operations, or processing tied to EU territory will run into competence questions in practice. (Regulation (EU) 2016/679)
Operational scope (where you need this control)
You should operationalize Article 55 competence mapping anywhere your organization:
- Maintains offices, branches, or stable operations in EU Member States.
- Runs HR, payroll, or employee monitoring for EU staff.
- Provides products/services to EU customers with local teams, local marketing, or local fulfillment.
- Uses third parties that process personal data within EU Member States (because regulator outreach can still come to you, and you need a clear engagement model).
What you actually need to do (step-by-step)
Step 1: Assign an accountable owner and a backup
Pick a single function to own the competence determination and evidence packet, typically Privacy/DP Office under Legal or GRC, with a named backup. Then define a “consulted” list: Security (for incidents), Customer Support (for complaints), and Sales/Account teams (for authority correspondence tied to customers).
Control intent: a regulator inquiry should never sit untriaged because “no one knows who owns it.”
Step 2: Build a Supervisory Authority Jurisdiction Register
Create a register that maps your footprint to likely competent authorities based on territory. Keep it simple and auditable.
Minimum fields to capture
- EU Member State
- Local legal entity / establishment (if any)
- Primary business functions performed in-country (sales office, support, R&D, HR)
- Where key processing systems are operated from (high level)
- Primary contacts: DPO/Privacy email, Legal, Security, local counsel (if used)
- Likely competent SA for that territory (name only; avoid over-asserting beyond what you can support)
- Decision notes and approval date (why this mapping makes sense)
This register is your stable “role-and-scope” artifact: it links your actual processing footprint (entities, functions, system locations) to the governance decisions you made about which authority is competent, so a reviewer can trace each routing decision back to a documented fact. (Regulation (EU) 2016/679, Article 55)
Step 3: Create a competence determination memo template (one page)
When you need to make a call under pressure, you should not start from scratch.
Your memo template should include:
- Trigger event (regulator outreach, complaint escalation, incident)
- Facts: where the relevant processing and people are located
- Which Member State territories are implicated
- Which SA(s) appear competent by territory
- Primary engagement decision (who to respond to first, who to copy, internal approvals)
- Open questions / next steps
- Approver names (Legal/Privacy) and timestamp
Keep the memo neutral and factual. Avoid legal conclusions you cannot defend.
Step 4: Implement an intake-and-routing SOP for regulator communications
Write a short operating procedure with named owners, triggers, and approvals. (Regulation (EU) 2016/679, Article 55)
Minimum SOP requirements
- Intake channels: define where regulator messages can arrive (privacy inbox, security inbox, support ticketing, physical mail).
- Triage SLA (internal): define how quickly the org must internally acknowledge and route. (Set your own internal target; do not promise regulator response times you cannot meet.)
- Routing logic: use the Jurisdiction Register to decide which country team or counsel engages.
- Single voice principle: designate who sends external communications to an SA (usually Legal/Privacy).
- Logging: every regulator communication gets a case ID and a log entry (date received, sender, topic, assigned owner, current status).
Step 5: Connect Article 55 to incident response and complaint handling
This is where most programs break: competence mapping sits in a privacy binder, while incidents and complaints run elsewhere.
Add two required checks:
- Incident response: when Security opens a privacy-impacting incident, Privacy must confirm the implicated territories and document the competent SA(s) in the incident record.
- Complaint handling: when Support receives a complaint that references a regulator or EU rights, escalate to Privacy to confirm territory and routing.
Step 6: Train “first receivers”
Train the teams most likely to receive the first signal:
- Customer Support managers
- Security incident commanders
- Executive assistants and mailroom (yes, physical letters still happen)
- Sales/CSMs for enterprise accounts (customers sometimes forward regulator questions)
Training should be short and scenario-based: “If you get X, forward to Y, do not respond directly, open case ID.”
Step 7: Evidence cadence and review
Set a recurring review of your Jurisdiction Register and SOP:
- Revalidate after organizational changes: new EU office, M&A, new processing center, major outsourcing shift, new product line.
- Document exceptions: if you deviated from the routing logic, capture why and who approved.
Required evidence and artifacts to retain
Keep an “Article 55 evidence packet” that you can export quickly for audits, regulator interactions, or customer diligence.
Core artifacts
- Supervisory Authority Jurisdiction Register (current + prior versions)
- Article 55 competence determination memos for key events
- Regulator communications log (case IDs, correspondence, internal approvals)
- Incident records showing territory assessment and routing
- Complaint records showing escalation and routing
- SOP document (versioned) and training records/attendance
- Exception log and remediation actions
The point is defensibility: a reviewer should be able to reconstruct what you knew, when you knew it, and how you acted.
Common exam/audit questions and hangups
Expect questions like:
- “Show how you determine which supervisory authority is competent for your EU operations.” (Regulation (EU) 2016/679, Article 55)
- “Who is authorized to communicate with an EU supervisory authority?”
- “How do you ensure regulator inquiries received by Support or Security are routed correctly?”
- “Provide examples of a recent complaint or incident and the competence determination.”
- “How do you keep this mapping current after organizational changes?”
Hangup: auditors may see Article 55 as “not applicable” because it addresses authorities. Your response should be practical: you operationalize it as a governance control that prevents misrouting and inconsistent regulator engagement.
Frequent implementation mistakes and how to avoid them
- Mistake: Treating Article 55 as a legal footnote. Fix: implement the intake/routing SOP and require evidence in incident and complaint workflows.
- Mistake: No single source of truth for EU footprint. Fix: tie the Jurisdiction Register to authoritative sources (HR location data, legal entity list, system hosting locations) and record where each fact came from.
- Mistake: Over-confident assertions about the “right” authority without documenting facts. Fix: write competence memos with factual inputs and approvals. Keep conclusions narrow.
- Mistake: Third parties change processing locations, and you never update your mapping. Fix: add a procurement/TPRM trigger: when a third party changes processing locations in the EU, Privacy reviews the Jurisdiction Register entry and updates routing notes.
Enforcement context and risk implications
This page does not list enforcement case summaries for this requirement; Article 55 defines competence rather than a substantive obligation that is fined on its own.
From a risk perspective, Article 55 failures usually show up as process failures:
- missed or delayed responses because a regulator contact was routed incorrectly;
- inconsistent statements across countries because different teams answered without coordination;
- weak incident governance where territory impact is unclear.
Treat competence mapping as part of your “regulatory interaction readiness” capability, not a one-off legal interpretation. (Regulation (EU) 2016/679, Article 55)
Practical 30/60/90-day execution plan
First 30 days (Immediate stabilization)
- Name the accountable owner and backups for regulator contact routing.
- Stand up a regulator communications log and case ID method (even a controlled spreadsheet works).
- Draft the competence determination memo template.
- Create a first version of the Supervisory Authority Jurisdiction Register for all Member States where you have staff, offices, or active operations.
By 60 days (Operational integration)
- Publish the intake-and-routing SOP and socialize it with Legal, Security, Support, and IT.
- Add routing checks into incident response and complaint workflows (ticket fields, required approval step, or checklist item).
- Run a tabletop exercise: simulate an SA inquiry to a generic inbox and test whether it reaches the right owner with a completed memo.
By 90 days (Audit-ready evidence)
- Complete training for “first receivers” and store attendance records.
- Perform one formal review of the register and SOP; log changes and approvals.
- Build an exportable evidence packet (folder structure + naming standard) so you can respond to audits and customer diligence quickly.
Where Daydream fits (practical, not theoretical)
If you manage many systems and third parties, the work is less about writing the SOP and more about keeping the register current and producing evidence on demand. Daydream can act as the system of record for requirement-to-control mapping, help you track trigger events (new EU presence, third party processing location changes), and generate consistent evidence packets tied to Article 55.
Frequently Asked Questions
Does Article 55 apply to my company, or only to regulators?
The legal text assigns competence to supervisory authorities, but you still need an operational method to identify the competent authority for your territory so you can route inquiries and respond consistently. Treat it as a governance and readiness requirement. (Regulation (EU) 2016/679, Article 55)
We are a US company with EU customers but no EU office. Do we need this?
You should still define how you will identify and handle competent supervisory authority contacts tied to EU territory, especially for complaints and incidents. Your mapping may be simpler, but the routing procedure and evidence log still matter. (Regulation (EU) 2016/679)
What is the minimum documentation an auditor will accept?
Maintain a jurisdiction register, a routing SOP, and a communications log with at least one completed competence memo from a real or test event. Evidence needs to show ownership, routing, and approval, not just policy text.
How do we keep this current when third parties change processing locations?
Add a TPRM trigger: any material change in a third party’s processing geography requires Privacy review and an update to your jurisdiction register entry and routing notes. Store the change notice and the updated approval record.
Who should be allowed to reply to a supervisory authority?
Restrict external responses to a small authorized group (Privacy/Legal, with Security input for incidents). Everyone else should forward inbound messages to the intake channel and avoid direct engagement.
What should Customer Support do if a user says they already contacted a regulator?
Open an internal case, escalate to Privacy, and record the user’s claimed Member State and any reference details. Privacy should complete a competence memo and decide whether and how to engage based on the territory and facts. (Regulation (EU) 2016/679, Article 55)