Article 92: Exercise of the delegation
Article 92 is not an operational GDPR control for controllers or processors; it is a legislative “plumbing” provision that sets how the European Commission can adopt delegated acts under GDPR (Regulation (EU) 2016/679, Article 92). To operationalize it, you track delegated-act changes as regulatory change management, then assess impact on your GDPR controls, policies, and third-party contracts.
Key takeaways:
- Treat Article 92 as a governance trigger for monitoring EU delegated acts, not a standalone privacy control.
- Build a repeatable “delegated acts watch” into your regulatory change management workflow and control library.
- Keep an auditable packet: monitoring evidence, applicability decision, impact assessment, and change approvals.
Compliance teams get stuck on Article 92 because it sits inside GDPR but reads like it targets EU institutions, not organizations processing personal data. That’s correct: the article confers power on the European Commission to adopt delegated acts “subject to the conditions laid down in this Article” (Regulation (EU) 2016/679, Article 92). For a CCO or GRC lead, the practical obligation is indirect: you need a reliable way to detect when the Commission exercises that delegation and then translate any resulting change into updates to your GDPR program.
Operationally, this maps to regulatory change management, legal inventory maintenance, and control lifecycle management. If your team already runs a change process for new guidelines, regulator publications, or DPA decisions, add “delegated acts under GDPR” as a named source category with clear ownership and a defined evidence trail. The goal is defensibility: if a customer, auditor, or regulator asks how you stay current, you can show a consistent mechanism that converts EU-level legal changes into concrete changes in policies, procedures, contracts with third parties, and technical controls.
What the requirement is (plain-English interpretation)
The Article 92 ("Exercise of the delegation") requirement is a statement about EU rulemaking authority. It says the European Commission has the power to adopt delegated acts under GDPR, and that this power is constrained by the conditions described in Article 92 (Regulation (EU) 2016/679, Article 92).
For an organization, the compliance meaning is practical:
- Article 92 itself doesn’t tell you to do a specific privacy task (like run a DPIA or sign a DPA).
- It does create change risk: delegated acts can modify or add details that affect what “good” looks like under GDPR over time.
- Your actionable control is therefore: monitor, assess, implement, and evidence any changes that result from the Commission exercising delegated powers under GDPR (Regulation (EU) 2016/679, Article 92).
If you already operate a GDPR program, you’re not “implementing Article 92” the way you implement data subject request workflows. You’re implementing a change-detection and translation mechanism that ensures your GDPR program keeps pace with legally binding downstream acts.
Who it applies to (entity and operational context)
Directly: EU institutions (the European Commission) are the subject of the article’s delegation language (Regulation (EU) 2016/679, Article 92).
Practically (for your program): Any organization that must comply with GDPR as a controller or processor should treat Article 92 as a regulatory change management requirement because delegated acts can alter compliance expectations (Regulation (EU) 2016/679, Article 92).
Operational contexts where this matters most:
- Multi-country GDPR programs where policy standardization is critical and changes must be rolled out consistently.
- High-change environments (fast product releases, frequent onboarding of third parties, new data sources) where legal updates must be quickly mapped to engineering and procurement.
- External assurance programs (SOC 2, ISO 27001, customer due diligence) where “how you stay current” is a recurring question, even when the underlying legal text is institutional.
Regulatory text
Excerpt: “The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.” (Regulation (EU) 2016/679, Article 92)
Operator translation (what you must do):
- Identify Article 92 as a change trigger in your legal inventory: it signals that GDPR can be supplemented by delegated acts adopted by the Commission (Regulation (EU) 2016/679, Article 92).
- Monitor for delegated acts affecting GDPR, then assess applicability to your processing activities and third-party relationships.
- Implement updates (policies, procedures, contracts, training, technical controls) through your normal governance process, with documented approvals and effective dates.
What you actually need to do (step-by-step)
1) Define scope and ownership (one named owner, one backup)
- Assign an owner in Legal/Privacy for “EU delegated acts monitoring,” with a backup in GRC.
- Define your “in scope” boundary: GDPR delegated acts adopted by the Commission under the authority referenced in Article 92 (Regulation (EU) 2016/679, Article 92).
- Decide what counts as “impact”: policy changes, control design changes, contract template changes, product/engineering changes, third-party risk controls.
Deliverable: A short operating procedure and RACI that explicitly references Article 92 as the trigger for this monitoring stream (Regulation (EU) 2016/679, Article 92).
2) Build a “delegated acts watch” into regulatory change management
Add a dedicated input into your change management intake. Minimum viable workflow:
- Source monitoring: EUR-Lex monitoring for GDPR updates and acts connected to GDPR (Regulation (EU) 2016/679).
- Triage: log the item, tag it “delegated act candidate,” and route to Privacy Counsel for legal characterization.
- Applicability decision: decide “impacts us / does not impact us / unclear” with a short rationale.
- Impact assessment: map impacted controls, products, processing activities, and third parties.
- Implementation plan: create tasks for policy updates, engineering changes, contract addenda, and training if needed.
- Closeout and evidence: record completion, effective date, and residual risk acceptance if applicable.
If you use a GRC tool, implement this as a workflow template. If you don’t, a spreadsheet plus a ticketing queue still works if it’s consistent.
3) Maintain a GDPR role-and-scope register tied to change intake
You need a reliable map of “what we do” so you can quickly answer: “Does this change affect us?” Maintain a register that covers:
- Controller vs. processor role per product/service line
- Data categories and special categories if applicable
- Systems and subprocessors involved
- Cross-border transfer touchpoints
- Key third parties that support processing (cloud, support tooling, analytics, payment providers)
This aligns with the recommended best-practice control: maintain a GDPR role-and-scope register (Regulation (EU) 2016/679, Article 92).
4) Translate change into control updates (control library discipline)
When a delegated act (or a candidate) appears:
- Identify the controls that would be affected (privacy governance, records of processing, third-party risk, security, retention, DSAR operations).
- Update the control statement and test steps.
- Update policy language and contract templates (DPAs, SCC appendices if your templates reference evolving legal sources).
- Push changes to operational owners with acceptance criteria.
Practical tip: treat this like a mini “policy-to-control-to-test” release. Compliance fails when the policy gets updated but the operational playbooks and evidence collection do not.
5) Evidence on a recurring cadence (defensibility)
Retain an “evidence packet” each time you evaluate a change event:
- Intake record (what was detected, date, source link)
- Legal characterization (delegated act vs. other instrument)
- Applicability memo (why it does or does not apply)
- Impact assessment (systems, data, third parties, controls impacted)
- Approvals (Privacy, Security, Product, Procurement as relevant)
- Implementation proof (updated policy version, training notice, config change ticket, contract template version)
- Exceptions and remediation plan if you can’t implement immediately
This matches the recommended approach: retain auditable evidence packets (Regulation (EU) 2016/679, Article 92).
Required evidence and artifacts to retain (audit-ready list)
Use this checklist as your minimum audit set:
- Regulatory change log with entries tagged to GDPR delegated acts monitoring (Regulation (EU) 2016/679, Article 92)
- Documented procedure for monitoring and triage (owner, frequency, escalation path)
- Role-and-scope register (controller/processor mapping, systems, third parties)
- Decision records for each item (applicable/not applicable + rationale)
- Impact assessment template with control mapping
- Change approvals and sign-off trail
- Revised controlled documents (policy/procedure versions, contract templates)
- Implementation tickets and validation evidence
- Residual risk acceptance where you defer or partially implement
Common exam/audit questions and hangups
What auditors and customers often ask (and what they mean):
- “How do you keep GDPR requirements up to date?” They want evidence of monitoring sources, triage, and implementation tracking tied to GDPR (Regulation (EU) 2016/679).
- “Show me an example of a regulatory change you processed.” Have a completed packet ready, even if it’s a “no impact” determination, as long as the rationale is clear.
- “Who signs off on applicability?” Name the role (Privacy Counsel/DPO) and show the workflow approvals.
- “How do third parties get updated when requirements change?” Point to procurement intake, contract template governance, and subprocessor management controls.
Hangup to expect: Article 92 is institutional text. Your answer should explicitly say you operationalize it through change management because it governs how GDPR can be supplemented (Regulation (EU) 2016/679, Article 92).
Frequent implementation mistakes (and how to avoid them)
- Mistake: Treating Article 92 as a “do this privacy task” requirement. Fix: classify it as regulatory change governance in your control library, with clear inputs/outputs.
- Mistake: No role-and-scope mapping, so every change becomes a fire drill. Fix: maintain the controller/processor and system scope register so applicability decisions take hours, not weeks.
- Mistake: Policy updates without operational closure. Fix: require evidence of downstream tasks (tickets, config changes, contract template versions) before closing the change record.
- Mistake: No auditable rationale for “no impact.” Fix: record the rationale in a standard template. “Reviewed, no changes required” without analysis fails diligence.
Enforcement context and risk implications
No specific public enforcement cases are provided here, and Article 92 is not typically the article cited in fines because it governs Commission delegation mechanics rather than controller/processor behaviors (Regulation (EU) 2016/679, Article 92). Your risk is indirect but real:
- Regulatory drift risk: you can fall out of alignment if GDPR is supplemented and you miss the update.
- Assurance risk: customers and auditors may view weak regulatory monitoring as a governance deficiency, even without a specific enforcement action.
- Third-party risk: if changes affect contract terms or accountability expectations, you need a mechanism to push updates into third-party onboarding and renewals.
A practical 30/60/90-day execution plan
Speed and operationalization matter here; use phased implementation rather than calendar-day promises.
First 30 days (Immediate foundation)
- Assign owner and backup; publish a short SOP for “GDPR delegated acts monitoring” tied to Article 92 (Regulation (EU) 2016/679, Article 92).
- Stand up a regulatory change log (even a controlled spreadsheet).
- Build your role-and-scope register baseline: top products, key systems, key third parties.
By 60 days (Workflow + evidence)
- Implement intake-to-close workflow in your ticketing/GRC system.
- Create templates: applicability memo, impact assessment, evidence packet checklist.
- Run a tabletop: simulate a delegated-act change notice and walk it through triage, mapping, approvals, and closure.
By 90 days (Operationalize and integrate)
- Integrate the workflow with procurement and third-party management: renewal triggers, template governance, subprocessor review.
- Add periodic management reporting: open regulatory items, time-to-decision, overdue implementation tasks.
- If you use Daydream for third-party risk and GRC execution, connect your change log entries to impacted third parties and controls so the evidence packet is assembled consistently across Legal, Security, and Procurement.
Frequently Asked Questions
Does Article 92 create a direct obligation for my company?
Article 92 is directed at the European Commission’s power to adopt delegated acts, not day-to-day controller/processor operations (Regulation (EU) 2016/679, Article 92). Your practical obligation is to monitor for resulting legal changes and implement them through your change management process.
What should I show an auditor if they ask about Article 92?
Show your regulatory change management procedure and change log entries demonstrating you monitor GDPR updates and document applicability and impact decisions (Regulation (EU) 2016/679, Article 92). Include at least one completed evidence packet.
How do I connect Article 92 to third-party risk management?
Treat delegated acts as a trigger to review whether contract templates, DPAs, and subprocessor controls need updates. Your evidence should show that procurement and third-party owners received and implemented required changes.
We already monitor EDPB guidance and DPA decisions. Is that enough?
It covers a major part of GDPR change risk, but Article 92 points to delegated acts adopted by the Commission (Regulation (EU) 2016/679, Article 92). Add Commission/EUR-Lex monitoring as an explicit source stream so you can evidence coverage.
What’s the minimum viable artifact set if we’re small?
Maintain a change log, a short SOP with named owners, a role-and-scope register, and a standard “applicability + impact” template. Keep these in a controlled location with version history.
Who should approve “no impact” determinations?
Privacy Counsel or the DPO should approve the legal characterization and applicability rationale, with GRC maintaining the record. If the item could affect security controls or third parties, include Security and Procurement as reviewers.