Article 55: Competence

GDPR Article 55 is about which supervisory authority (SA) has jurisdiction to supervise and enforce the GDPR for processing on its Member State’s territory. To operationalize it, you need a documented way to determine your “lead” and “concerned” SAs for each processing footprint, route regulatory communications correctly, and keep evidence of your jurisdiction decisions and escalation paths. (Regulation (EU) 2016/679, Article 55)

Key takeaways:

  • Article 55 is a jurisdiction and routing requirement: know which SA is competent for which processing, and act accordingly. (Regulation (EU) 2016/679, Article 55)
  • Your operational control is a repeatable “SA competence determination” tied to establishment locations, processing locations, and cross-border processing. (Regulation (EU) 2016/679, Article 55)
  • Keep an audit-ready packet: role-and-scope register, decision record, regulator contact log, and change triggers with owners. (Regulation (EU) 2016/679, Article 55)

Article 55 rarely shows up as a standalone policy gap; it shows up as an execution failure during an investigation, complaint, breach response, or regulator correspondence. The operator problem is simple: if you cannot quickly identify which supervisory authority is competent for the situation, your team can misroute notifications, answer the wrong authority, miss deadlines, or create inconsistent positions across jurisdictions.

Article 55’s text is short, but it connects to operational realities: multi-country establishments, remote workforces, distributed processing infrastructure, and third parties processing personal data across borders. Your goal is defensibility: a consistent method to determine (1) the competent supervisory authority for territory-bound issues and (2) how you handle cross-border matters so communications and actions stay coordinated.

This page translates Article 55 into a practical control you can run: maintain a role-and-scope register, define a requirement-specific procedure with named owners and trigger events, and retain evidence packets on a recurring cadence. (Regulation (EU) 2016/679, Article 55)

Regulatory text

Regulatory excerpt (verbatim): “Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.” (Regulation (EU) 2016/679, Article 55)

What the operator must do with this text

Article 55 tells you how GDPR supervision is territorially allocated: each supervisory authority is competent within its Member State. Operationally, this means you must be able to:

  • Determine which Member State(s) a processing situation relates to, based on establishment, location of affected individuals, and where processing occurs.
  • Route regulatory engagement to the correct authority, including complaints, investigations, requests for information, breach communications, and enforcement actions.
  • Avoid fragmented responses when multiple Member States are implicated by maintaining a single internal view of “who is the competent SA for this matter” and “who owns regulator communications.”

Article 55 is not asking you to “be competent.” It is defining supervisory authority competence. Your compliance obligation is to act in a way that respects that competence, by correctly identifying and engaging the right authority. (Regulation (EU) 2016/679, Article 55)

Plain-English interpretation (requirement-level)

Requirement: Maintain an operational method to identify the competent supervisory authority for GDPR matters affecting your processing footprint, and ensure regulatory communications and decisions follow that jurisdiction mapping. (Regulation (EU) 2016/679, Article 55)

What “good” looks like in practice

  • You can answer, quickly and consistently: “Which SA is competent for this processing activity or incident, and why?”
  • Your incident response, complaint handling, and regulator response procedures contain jurisdiction routing steps.
  • Your privacy, security, and legal teams share one source of truth for SA contacts, language needs, and escalation paths.

Who it applies to (entity and operational context)

While Article 55 is addressed to supervisory authorities, it affects controllers and processors because you interact with those authorities and must follow the correct jurisdictional pathway. This becomes operationally relevant when you have:

  • Establishments in more than one EU/EEA Member State
  • Cross-border processing (employees, customers, or users in multiple Member States)
  • Third parties processing personal data across EU locations (cloud hosting regions, support centers, analytics providers)
  • A central privacy function coordinating multi-country operations

If your organization operates only in one Member State, Article 55 is simpler: your primary interaction is typically with that Member State’s SA. If you operate across borders, you need a repeatable competence determination and routing process. (Regulation (EU) 2016/679, Article 55)

What you actually need to do (step-by-step)

Step 1: Build a “role-and-scope” register that supports jurisdiction decisions

Create a register (spreadsheet, GRC system, or Daydream workspace) that ties together:

  • Controller vs. processor role per processing activity
  • Establishment locations (legal entities, branches)
  • Processing locations (systems, data centers, support teams)
  • Data subject footprint (Member States impacted)
  • Key systems and third parties involved

This register is your anchor artifact for competence analysis and avoids the common failure mode where jurisdiction is decided ad hoc in an incident. (Regulation (EU) 2016/679, Article 55)

Step 2: Define a requirement-specific operating procedure (“SA competence determination & routing”)

Write a short SOP that answers:

  • Owner: Who makes the competence call (usually Privacy/Legal with DPO input) and who executes communications (often Privacy Ops).
  • Trigger events: Complaint received, DSAR escalation, breach triage, regulator inquiry, audit request, new Member State launch, new processing location, major third-party onboarding.
  • Decision method: What inputs are required from Security, IT, HR, Product, and Procurement; what facts must be confirmed before selecting an SA.
  • Approval workflow: Who signs off on the jurisdiction decision before external communications.

Keep it operational: one page is better than ten if the one page gets used. (Regulation (EU) 2016/679, Article 55)

Step 3: Create a “competence decision record” template

For each material matter (investigation, complaint, significant incident, formal inquiry), generate a decision record that captures:

  • Issue summary and timeline
  • Processing activities and systems involved
  • Member States implicated and why
  • Determined competent SA (and rationale)
  • Communication plan (who contacts whom, by when, and in what language)
  • Internal owner and legal review notes

Treat this like an incident postmortem document: concise, factual, and timestamped. (Regulation (EU) 2016/679, Article 55)

Step 4: Operationalize routing in your workflows (don’t leave it in a policy binder)

Embed competence routing into:

  • Incident response runbooks: Add a checkpoint: “Confirm competent SA path before external notifications or regulator updates.”
  • Complaint intake: Add fields for complainant Member State and impacted processing region.
  • Third-party intake: Capture processing locations and subprocessor geographies so jurisdiction is not guessed later.

If you use Daydream, implement Article 55 as a mapped requirement with named control owners, trigger-based tasks (incident, complaint, onboarding), and an evidence packet checklist tied to each event. (Regulation (EU) 2016/679, Article 55)

Step 5: Maintain a regulator contact and communication log

Maintain a controlled list of:

  • Supervisory authority contact channels and escalation points (where known)
  • Internal authorized spokespersons
  • Templates and translation pathway (if you operate multi-language)
  • Communication log entries linked to the competence decision record

This avoids inconsistent messaging and supports continuity when staff change. (Regulation (EU) 2016/679, Article 55)

Step 6: Define change triggers and review cadence

Set explicit triggers that force a refresh of jurisdiction mapping, such as:

  • New EU establishment or closure
  • Moving processing to a different Member State
  • Adding a new high-impact third party with EU processing
  • Launching a product into additional Member States

Run periodic reviews so your register and SA contact list remain current. (Regulation (EU) 2016/679, Article 55)

Required evidence and artifacts to retain

Keep an “Article 55 evidence packet” that a regulator, auditor, or customer due diligence team can understand without oral explanation:

Artifact | What it proves | Owner
Role-and-scope register (controller/processor, systems, locations, third parties) | You can determine jurisdiction from facts | Privacy/GRC
SA competence SOP (routing procedure) | Repeatability and accountability | Privacy Ops / Legal
Competence decision records [1] | You made a reasoned determination | Legal / DPO
Regulator communication log | Consistent, auditable correspondence | Privacy Ops
Change trigger records (launches, infra moves, third-party onboarding) | You keep mapping current | Product/IT/Procurement

Retain these with version control and clear timestamps. (Regulation (EU) 2016/679, Article 55)

Common exam/audit questions and hangups

Expect questions like:

  • “Which supervisory authority is competent for your EU processing footprint, and how do you determine that?” (Regulation (EU) 2016/679, Article 55)
  • “Show the last time you assessed jurisdiction for a complaint or incident, and who approved it.” (Regulation (EU) 2016/679, Article 55)
  • “How do you ensure third parties’ processing locations don’t change your competence assumptions?” (Regulation (EU) 2016/679, Article 55)
  • “Where is this embedded in incident response, not just in privacy policy?” (Regulation (EU) 2016/679, Article 55)

Hangups you’ll see:

  • Teams confuse “where the company is headquartered” with “where processing is supervised.”
  • No single owner exists for regulator communications, so Security, Legal, and Support respond independently.

Frequent implementation mistakes and how to avoid them

  1. Mistake: Treating Article 55 as non-applicable because it’s written about supervisory authorities.
    Fix: Treat it as a routing control. Your obligation is correct engagement and defensible jurisdiction determinations. (Regulation (EU) 2016/679, Article 55)

  2. Mistake: No documented rationale for “competent SA” decisions.
    Fix: Require a decision record for material events. If it’s not written down, it won’t survive scrutiny. (Regulation (EU) 2016/679, Article 55)

  3. Mistake: Mapping jurisdiction once, then never updating after business changes.
    Fix: Add change triggers to procurement, infrastructure change management, and market launch checklists. (Regulation (EU) 2016/679, Article 55)

  4. Mistake: Ignoring third-party processing geography.
    Fix: Contractually require location transparency and keep subprocessor and hosting locations linked to processing activities. (Regulation (EU) 2016/679, Article 55)

Enforcement context and risk implications

No public enforcement cases are provided in the source catalog for this page, so this section focuses on defensible risk outcomes rather than specific case citations. (Regulation (EU) 2016/679, Article 55)

Risk implications if you cannot operationalize Article 55

  • Regulatory friction: inquiries bounce between authorities or you provide inconsistent responses across Member States.
  • Timeline risk: delays while teams debate jurisdiction can disrupt incident handling and complaint response.
  • Governance risk: fragmented communications create contradictions between Security, Legal, and Privacy, which can escalate supervisory attention.

Article 55 is a governance control that reduces confusion under pressure. (Regulation (EU) 2016/679, Article 55)

Practical 30/60/90-day execution plan

First 30 days (foundation)

  • Name an executive owner for regulator engagement (often CCO/GC) and an operational owner (Privacy Ops).
  • Build the first version of the role-and-scope register for EU processing and third parties.
  • Draft the SA competence SOP and socialize it with Security IR, Legal, and Support. (Regulation (EU) 2016/679, Article 55)

Next 60 days (embed and test)

  • Add competence routing fields to incident tickets and complaint intake forms.
  • Create the decision record template and run a tabletop exercise: simulate a complaint or incident spanning multiple Member States.
  • Stand up the regulator contact list and communication log with access controls. (Regulation (EU) 2016/679, Article 55)

Next 90 days (operational maturity)

  • Integrate change triggers into procurement onboarding and IT change management.
  • Run an internal audit on one closed matter (complaint, incident, inquiry): verify the evidence packet is complete end-to-end.
  • If you manage requirements in Daydream, map Article 55 to tasks, owners, and recurring evidence collection so audits pull from one place. (Regulation (EU) 2016/679, Article 55)

Frequently Asked Questions

Does Article 55 apply to my company, or only to supervisory authorities?

The text defines supervisory authority competence, but you still need an operational way to identify and engage the correct authority for your processing footprint. This becomes critical during complaints, investigations, and incident handling. (Regulation (EU) 2016/679, Article 55)

What’s the minimum evidence I should keep for Article 55?

Keep a role-and-scope register, an SA competence/routing SOP, and decision records for any material matter where jurisdiction could be questioned. Add a regulator communication log for defensibility. (Regulation (EU) 2016/679, Article 55)

We operate in multiple EU countries. How do we prevent inconsistent regulator communications?

Assign a single operational owner for regulator communications and require a competence decision record before any substantive response. Route all inbound regulator contact through a controlled intake channel. (Regulation (EU) 2016/679, Article 55)

How should third-party processing be reflected in our competence analysis?

Track third-party processing locations and subprocessors in your register and tie them to the impacted processing activities. Add a trigger to reassess competence assumptions when a third party changes hosting region or support location. (Regulation (EU) 2016/679, Article 55)

What should we do if teams disagree internally on which supervisory authority is competent?

Use a documented decision workflow with Legal/DPO sign-off and record the rationale in the decision record. Treat the disagreement as a governance risk and close it with a timestamped determination. (Regulation (EU) 2016/679, Article 55)

How does Daydream help operationalize Article 55 without creating busywork?

Daydream works well when you map Article 55 to trigger-based tasks (incident, complaint, onboarding) and require an evidence packet per event. That setup reduces ad hoc routing and makes audit requests a document pull instead of a scramble. (Regulation (EU) 2016/679, Article 55)

Footnotes

  1. Regulation (EU) 2016/679, Article 55
