1. Each supervisory authority shall have all of the following investigative powers:
(a) 命令控管者、處理者，以及若有控管者或處理者之代表時，該等 代表提供任何其執行任務所需之資訊；
(a) to order the controller and the processor, and, where applicable, the controller’s or the processor’s representative to provide any information it requires for the performance of its tasks;
(c) 進行依第 42 條第 7 項核發之認證的審查；
(c) to carry out a review on certifications issued pursuant to Article 42(7);
(d) to notify the controller or the processor of an alleged infringement of this Regulation;
(e) 自控管者或處理者獲得接近使用個人資料以及執行其任務所需之 所有資訊；
(e) to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;
(f) 依歐盟或會員國程序法，得進入控管者或處理者之任何辦公處所， 包括接近使用任何資料處理設備及方式。
(f) to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.
2. Each supervisory authority shall have all of the following corrective powers:
(a) 當欲進行之資料處理可能會違反本規則之規定時，向控管者或處 理者發布警告；
(a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;
(b) 當資料處理已違反本規則之規定時，對控管者或處理者發布告 誡；
(b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;
(c) 命令控管者或處理者遵循資料主體行使其依本規則之權利的要 求；
(c) to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this Regulation;
(d) 命令控管者或處理者以適當之特定方法及於特定期間內使資料 處理符合本規則之規定；
(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
(e) to order the controller to communicate a personal data breach to the data subject;
(f) to impose a temporary or definitive limitation including a ban on processing;
(g) 命令依第 16 條、第 17 條及第 18 條對個人資料之更正或刪除， 或對資料處理之限制，以及對個人資料依照第 17 條第 2 項及第 19 條 被揭露之接收者就該等行動之通知；
(g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;
(h) 撤銷或命令認證機構撤銷依第 42 條及第 43 條所為之認證，或若 認證之要件不具備或不再具備時，命令認證機構不得核發認證；
(h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;
(i) 依個案情形，額外或不以本項所提及之其他方式而依第 83 條處以 行政罰鍰；
(i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;
(j) to order the suspension of data flows to a recipient in a third country or to an international organisation.
3. Each supervisory authority shall have all of the following authorisation and advisory powers:
(a) 依第 36 條之事前諮詢程序建議控管者；
(a) to advise the controller in accordance with the prior consultation procedure referred to in Article 36;
(b) 對國會、會員國政府、依會員國法對其他公共團體、機構及大眾 主動或依請求發布針對任何與個人資料保護相關之議題的意見；
(b) to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;
(c) 若會員國法要求事前授權時，授權第 36 條第 5 項所述之資料處 理；
(c) to authorise processing referred to in Article 36(5), if the law of the Member State requires such prior authorisation;
(d) 發布意見並核准第 40 條第 5 項所述之行為守則草案；
(d) to issue an opinion and approve draft codes of conduct pursuant to Article 40(5);
(f) 依第 42 條第 5 項發布認證並核准認證之標準；
(f) to issue certifications and approve criteria of certification in accordance with Article 42(5);
(g) 採用第 28 條第 8 項及第 46 條第 2 項第 d 點所述之標準資料保護 條款；
(g) to adopt standard data protection clauses referred to in Article 28(8) and in point (d) of Article 46(2);
(h) 授權第 46 條第 3 項第 a 點所述之契約條款；
(h) to authorise contractual clauses referred to in point (a) of Article 46(3);
(i) 授權第 46 條第 3 項第 b 點所述之行政安排；
(i) to authorise administrative arrangements referred to in point (b) of Article 46(3);
4. 監管機關行使本條賦予之權力應有適當保護措施，包括歐盟法及 會員國法依憲章所規定之有效之司法救濟及正當程序。
4. The exercise of the powers conferred on the supervisory authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the Charter.
5. 各會員國應有法律規定監管機關應有權力將本規則之違反檢送司 法機關，並於適當時開啟或參與司法程序，以執行本規則之規定。
5. Each Member State shall provide by law that its supervisory authority shall have the power to bring infringements of this Regulation to the attention of the judicial authorities and where appropriate, to commence or engage otherwise in legal proceedings, in order to enforce the provisions of this Regulation.
The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.
(129) 為確保本規則於歐盟境內一致之監督及執行，監管機關於各會 員國境內應有相同之任務及有效之權力，尤其在當事人之申訴案件中，應有包括調查之權力、矯正及制裁之權力，以及批准及建議之權力， 且對於檢察機關在會員國法所擁有之權力不生影響，而應將本規則之 違反檢送至司法機關並參與法律程序。該等權力亦應包括對資料處理 課予一暫時或終局之限制，包括禁令。會員國得具體化其他依照本規 則所定與個人資料保護有關之任務。監管機關之權力行使應依歐盟法 及會員國法所定適當之程序性保護措施於合理期限內公平、公正為之。 尤其，每個措施應具備適當性、必要性及比例性，以確保本規則之遵 循、考量個別案件之情況，並尊重任何人在對其有不利影響之任何個 別措施被實施前有請求聽審之權利，且避免對該人造成無謂之花費及 過度之不便。進入處所之調查權應依照會員國程序法之特別規定為之， 例如事先取得司法授權之要求。監管機關所為具法律拘束力之各措施 皆應以書面為之，且應明確清楚，並指出做成該措施之監管機關名稱、 日期、首長或其授權之監管機關成員之署名以及為該措施之理由，並 敘明有尋求有效救濟之權利。此不應排除依據會員國程序法所規定之 額外要求。通過一個具法律拘束力之裁決意味著其可能引起作成該裁 決之監管機關所在會員國的司法審查。
(129) In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have in each Member State the same tasks and effective powers, including powers of investigation, corrective powers and sanctions, and authorisation and advisory powers, in particular in cases of complaints from natural persons, and without prejudice to the powers of prosecutorial authorities under Member State law, to bring infringements of this Regulation to the attention of the judicial authorities and engage in legal proceedings. Such powers should also include the power to impose a temporary or definitive limitation, including a ban, on processing. Member States may specify other tasks related to the protection of personal data under this Regulation. The powers of supervisory authorities should be exercised in accordance with appropriate procedural safeguards set out in Union and Member State law, impartially, fairly and within a reasonable time. In particular each measure should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respect the right of every person to be heard before any individual measure which would affect him or her adversely is taken and avoid superfluous costs and excessive inconveniences for the persons concerned. Investigatory powers as regards access to premises should be exercised in accordance with specific requirements in Member State procedural law, such as the requirement to obtain a prior judicial authorisation. Each legally binding measure of the supervisory authority should be in writing, be clear and unambiguous, indicate the supervisory authority which has issued the measure, the date of issue of the measure, bear the signature of the head, or a member of the supervisory authority authorised by him or her, give the reasons for the measure, and refer to the right of an effective remedy. This should not preclude additional requirements pursuant to Member State procedural law. The adoption of a legally binding decision implies that it may give rise to judicial review in the Member State of the supervisory authority that adopted the decision.
CJEU, Data Protection Commissioner/Facebook Ireland Ltd and Schrems, C-311/18 (2020).