In its ruling of 15 June 2021 in Case C-645/19, the CJEU (Grand Chamber) explained the conditions for the exercise of the powers of national supervisory authorities in cross-border processing of data. The judgment was based on the question of whether the Belgian data protection authority could take action against Facebook Belgium, although, since the entry into force of the GDPR, Facebook Ireland was the data processing entity and therefore only the Irish data protection commissioner would be authorised to bring injunctions under the control of the Irish courts. The CJEU held, that, under certain conditions, a national supervisory authority may exercise its power to bring alleged infringements of the GDPR before a court of that Member State (here: Belgium) even if it is not the lead authority in relation to that processing.

• Conditions for the exercise of powers by a national supervisory authority which does not have the status of lead supervisory authority in relation to an instance of cross-border processing: The GDPR must confer on that supervisory authority a competence to adopt a decision finding that the data processing in question infringes the GDPR and, in addition, this power must be exercised in compliance with the cooperation and consistency procedures provided for by the GDPR.
• The exercise of the power to bring an action does not require the data controller to have a main establishment or any other establishment in the territory of the Member State.
• The power of a national supervisory authority, other than the lead supervisory authority, to initiate legal proceedings may be exercised both in relation to the main establishment and in relation to another establishment.

Ultimately, the CJEU recognises that the national supervisory authority can directly rely on the GDPR in order to bring or continue a legal action against private parties, even though the underlying obligation in the GDPR to provide this power has not been specifically implemented in the legislation of the Member State concerned.