How-to guide: How to deal with a supervisory authority dawn raid (EU)

Updated as of: 02 March 2025

Introduction

This guide will assist in-house counsel, private practice lawyers and risk and compliance teams with the steps their organisation should take when faced with a dawn raid by a European Union member state supervisory authority.

This guide covers the following:

  1. Overview – legal framework
  2. What is a dawn raid and what powers may a supervisory authority have?
  3. What process must a supervisory authority follow?
  4. What rights do organisations have?
  5. What should you do when faced with a dawn raid?
  6. What can happen following the raid?
  7. An example of a supervisory authority using its dawn raid power

Key definitions, such as ‘controller’, ‘processor’, ‘data subject’, ‘personal data’ and ‘processing’, are further explained in How-to guide: Understanding key data protection definitions.

This How-to guide can be used in conjunction with How-to guide: How to ensure compliance with the GDPR and Checklist: GDPR compliance self-assessment audit.

Section 1 – Overview – legal framework

This guide covers the requirements under:

  • Regulation 2016/679 – General Data Protection Regulation (EU GDPR) (in relation to certain aspects such as penalties in very general terms); and
  • the EU GDPR as it forms part of the domestic law in EU member states.

This guide is not intended to address UK-specific data protection law requirements. However, it should be noted that the UK retained the EU GDPR in domestic law after Brexit (commonly referred to as the ‘UK GDPR’), with the changes necessary to accommodate domestic areas of UK law. Therefore, where the UK’s supervisory authority (the Information Commissioner’s Office (ICO)) has published guidelines on the EU GDPR (prior to Brexit) or the UK GDPR (after Brexit), those guidelines can provide a helpful overview of the subject matter of this guide.

Some EU member states’ laws provide a legislative basis for their regulators and supervisory authorities to perform dawn raids, while others do not. The UK is recognised as a high-profile common law jurisdiction whose legal regime gives its supervisory authority the power to rely on dawn raids as an investigatory tool. France is an example of a civil law jurisdiction whose legal regime gives its supervisory authority similar investigatory powers.

Which investigatory steps to take depends on both the circumstances of the specific case and the requirements of national procedural law. Since the investigatory powers of supervisory authorities vary between EU member states, the relevant dawn raid requirements are difficult to standardise. As a result, analysis of any particular EU member state’s supervisory authority dawn raid powers does not form part of this guide.

Section 2 – What is a dawn raid and what powers may a supervisory authority have?

Dawn raids are unscheduled or surprise visits by supervisory authorities to an office, private residence or other location where it is believed that relevant evidence can be collected. Dawn raids are typically carried out where there is a risk that evidence will be destroyed or altered if advance warning of an inspection is given. Often other preliminary enforcement action, such as an information or assessment notice, has not been fully complied with by the organisation.

Article 57(1)(f), EU GDPR read in conjunction with articles 77 and 78, EU GDPR implies an individual right to have every complaint (if deemed admissible by the relevant supervisory authority) handled and investigated to the extent appropriate to reach an outcome appropriate to the nature and circumstances of that complaint. However, it falls within the discretion of each relevant supervisory authority to decide the extent to which a complaint should be investigated.

The term ‘to the extent appropriate’ referred to in article 57(1)(f), EU GDPR provides the relevant supervisory authority with a margin of discretion regarding the extent or depth of the investigation needed. Where investigatory steps are taken, these should be appropriate, necessary and proportionate, taking into account the circumstances of the case.

In an internal document that has been publicly released in the interests of transparency, the European Data Protection Board (EDPB) provides a more in-depth insight into supervisory authority duties in relation to alleged GDPR infringements.

A supervisory authority’s enforcement powers may (depending on the relevant EU member state) include the ability to carry out an inspection without notice (a dawn raid). Subject to the supervisory authority obtaining a warrant or similar legal or court permission, a supervisory authority may be permitted to (depending on the applicable EU member state law – common law and civil law procedures and requirements differ):

  • enter and search the premises of any controller or processor;
  • inspect and seize documents and order staff to make copies that can be taken away;
  • observe processing;
  • inspect, examine, operate and test any equipment found on the premises used or intended to be used for the processing of personal data; and
  • interview individuals, including requiring them to give explanations of information.

An information notice may be issued under relevant EU member state law requiring:

  • a controller or a processor to provide information that the relevant supervisory authority reasonably requires to carry out its functions under data protection laws; or
  • any person to provide information reasonably required for the purpose of investigating a range of offences and other compliance failures.

For such notices to have sufficient legal standing, extensive powers will need to exist in the jurisdiction of the relevant supervisory authority, such as the power to require a controller or processor to allow the supervisory authority onto its premises; to be shown documents, information and equipment; to inspect them and be given copies and explanations; and to interview staff and observe processing operations. Prescribed procedural requirements will likely have to be followed in relation to notices, together with stated restrictions on their effect (such as where legal professional privilege applies).

Section 3 – What process must the supervisory authority follow?

Typically, a supervisory authority would need to apply to a judge of an appropriate court for a warrant to enter and inspect the controller’s or processor’s premises without notice. For this to be granted, the relevant supervisory authority would be required to show (as a minimum) that:

  • there are reasonable grounds for suspecting that the controller or processor has failed to comply with certain provisions of the EU GDPR (ie, data processing principles, data subject rights, controller and processor obligations, personal data breach notifications, and international data transfers); or an offence under domestic data protection laws is being committed; and
  • evidence of such an infringement or offence will be found on the premises or on equipment at the premises; or alternatively
  • the controller or processor has failed to comply with a notice previously served on it (ie, for an inspection with notice).

The judge must be satisfied that the supervisory authority is justified in requiring urgent access to the premises and that giving the controller or processor advance notice would defeat the object of the inspection.

Section 4 – What rights do organisations have?

A supervisory authority’s powers to request information can be broad, but an organisation may claim exemption for the following:

  • parliamentary privilege – the powers of inspection and seizure conferred by a relevant warrant are not exercisable where this would involve an infringement of the privileges of a member state’s parliament; or
  • privileged communications – there is no general exemption for legally privileged or confidential material, but there are restrictions relating to information in respect of communications:
    • between a professional legal adviser and their client in connection with legal advice about obligations, liabilities and rights under data protection legislation (attorney–client privilege); or
    • in connection with or in contemplation of proceedings under or arising out of the data protection legislation, and for the purposes of such proceedings.

However, the privileged communications exemption does not typically apply to:

  • anything in the possession of a person other than the professional legal adviser or their client; or
  • anything held with the intention of furthering a criminal purpose.

Section 5 – What should you do when faced with a dawn raid?

When faced with a dawn raid, you should:

  • be prepared – have a plan or policy for dealing with dawn raids;
  • seek legal counsel immediately;
  • check the scope of the warrant and ensure the inspection is limited to that;
  • ensure that any information exempt from disclosure is excluded from the inspection (see section 4 above); and
  • ensure staff are properly briefed on how to respond to questions from the supervisory authority’s investigators and that any interviews are conducted with legal counsel present – be aware that not answering the supervisory authority’s questions or giving false answers may be recognised as an offence under relevant member state data protection law (see section 6 below).

Section 6 – What can happen following the raid?

While the investigation is ongoing, the supervisory authority can request further information to clarify matters or explain documents seized during the raid – this may be done by issuing further information notices.

Once the investigation has been concluded, if the controller or processor is found to have infringed data protection laws, the supervisory authority can use its other enforcement powers to impose a penalty notice for an administrative fine – there are two tiers of fines, depending on the nature of the infringement:

  • the higher of €10 million, or 2% of global annual turnover in the preceding financial year (article 83(5), EU GDPR); and
  • the higher of €20 million, or 4% of worldwide annual turnover in the preceding financial year (article 83(5) and (6), EU GDPR).

In addition, or as an alternative, the supervisory authority may issue an enforcement notice requiring the controller or processor to suspend or cease a particular processing operation, or to take or refrain from taking certain other actions.

The member state law of the relevant supervisory authority may provide for a variety of offences related to not cooperating with the supervisory authority, such as:

  • making false statements in response to information notices; and
  • destroying or falsifying information and documents in response to a notice.

Depending on the laws in effect in the relevant member state, these offences could attract criminal liability and can apply to the corporate body and to individual directors.

Section 7 – An example of a supervisory authority using its dawn raid power

These powers are not used frequently, but a well-known example occurred prior to the UK’s departure from the EU, when the UK’s supervisory authority, the ICO, obtained a warrant to search the Cambridge Analytica offices in May 2018 for infringements related to targeted political advertising. Following a lengthy investigation, the ICO was unable to take enforcement action against the company because it had ceased trading. However, the regulator said that it would have done so if Cambridge Analytica were still operating, and it has taken action against other parties involved in its broader investigations into the use of personal data in political campaigning.
