GDPR : Article 92 - Exercise of the Delegation

by Sneha Naskar

The General Data Protection Regulation (GDPR) is a landmark piece of legislation that has significantly impacted the way organizations handle personal data. Article 92 of the GDPR is a crucial provision that addresses the exercise of delegation within the framework of data protection. In this blog post, we will delve into the intricacies of Article 92 GDPR, exploring its importance, implications, and how it affects businesses and data protection authorities.

Impact on Businesses and Data Protection Authorities

Understanding Article 92 GDPR

Article 92 of the GDPR focuses on the exercise of delegation by the European Commission. Delegation, in this context, refers to the act of transferring certain tasks or responsibilities related to data protection to other entities, such as supervisory authorities or the European Data Protection Board (EDPB). This provision empowers the European Commission to adopt delegated acts concerning specific issues within the GDPR's scope.

The purpose of delegation, as outlined in Article 92, is to ensure the consistent and harmonized application of the GDPR across the European Union (EU). It aims to establish a structured and efficient mechanism for adapting and updating the GDPR as necessary, while maintaining a high level of data protection for individuals.

Key Aspects of Article 92 GDPR

  • Delegated Acts: Article 92 specifies that the Commission may adopt delegated acts concerning:
  • Supplementary rules regarding the principles and rights of data subjects.
  • Rules on the information to be provided to data subjects.
  • Rules on the safeguarding of personal data in specific situations, such as data processing for archiving purposes.

This grants the Commission the authority to refine and expand upon the GDPR's provisions in these areas, ensuring they remain effective and relevant in the ever-evolving digital landscape.

  • Consultation: The Commission must consult the EDPB before adopting any delegated acts. This consultation process involves seeking the expertise and input of the EDPB, which is composed of representatives from national data protection authorities. This ensures that decisions made through delegation are well-informed and reflective of the collective expertise of data protection authorities from different EU member states.
  • Transparency and Accountability: Article 92 of GDPR also emphasizes transparency and accountability in the delegation process. Any delegated acts adopted by the Commission must be published, and the Commission must inform the European Parliament and the Council of the EU regarding its intention to adopt such acts. This transparency ensures that stakeholders and the public are aware of any changes or additions to data protection rules.
  • Parliamentary Scrutiny: While the Commission has the authority to adopt delegated acts, Article 92 also stipulates that the European Parliament and the Council of the EU have the right to object to these acts within a specified timeframe. This parliamentary scrutiny serves as a check and balance mechanism, ensuring that delegated acts align with the broader interests and values of the EU.

Implications and Significance of Article 92 GDPR

  • Adaptability: One of the primary implications of Article 92 is its role in maintaining the adaptability of the GDPR. Technology and data practices are constantly evolving, and the GDPR needs to remain relevant and effective in addressing new challenges. Delegation allows for the timely incorporation of necessary changes and refinements to data protection rules.
  • Expertise and Collaboration: By requiring consultation with the EDPB, Article 92 promotes collaboration and the exchange of expertise among EU member states. This ensures that data protection decisions are made with a comprehensive understanding of the diverse perspectives and needs of different countries.
  • Accountability and Oversight: The provision for parliamentary scrutiny enhances the accountability of the Commission. It prevents any undue concentration of power and ensures that delegated acts align with the democratic values of the EU. This mechanism reinforces the EU's commitment to protecting the rights and interests of its citizens.
  • Legal Certainty: Article 92 of GDPR contributes to legal certainty by providing a structured framework for making adjustments to the GDPR. This is essential for organizations subject to the regulation, as they need clear and consistent rules to comply with when handling personal data.
GDPR Implementation Toolkit

Impact on Businesses and Data Protection Authorities

For businesses operating within the EU and data protection authorities, Article 92 GDPR has several noteworthy implications:

  • Compliance Requirements: Businesses must remain vigilant regarding changes and updates to the GDPR resulting from delegated acts. They must stay informed about new rules and obligations that may affect their data processing activities.
  • Consultation Involvement: Data protection authorities, as part of the EDPB, play a crucial role in the consultation process. They have the opportunity to contribute their expertise and insights, shaping the direction of delegated acts. This involvement ensures that the interests of both individuals and businesses are considered.
  • Accountability and Oversight: Data protection authorities have a responsibility to monitor the exercise of delegation closely. They can raise objections if they believe that delegated acts may not align with the GDPR's core principles or data protection rights.
  • Education and Awareness: Businesses should invest in ongoing education and awareness initiatives to ensure their teams are well-informed about changes in data protection regulations. This proactive approach can help prevent compliance issues and potential penalties.


Article 92 of the GDPR represents a critical mechanism for the ongoing adaptability, transparency, and accountability of data protection rules in the European Union. By allowing for the delegation of specific tasks and responsibilities, this provision ensures that the GDPR remains effective in addressing evolving data challenges. It underscores the collaborative efforts of data protection authorities and democratic oversight through parliamentary scrutiny, maintaining a balance between uniformity and flexibility. For businesses, staying informed and engaged in the delegation process is essential to navigate the dynamic landscape of data protection successfully. Article 92 stands as a testament to the EU's commitment to safeguarding individuals' privacy rights in an ever-changing digital world.

GDPR Implementation Toolkit