Under Article 58 of GDPR, supervisory authorities have investigative and corrective powers, including
the ability to access premises and equipment used for personal data processing.
Option B is correct because supervisory authorities can investigate controllers and processors,
including accessing IT systems.
Option A is incorrect because supervisory authorities do not appoint DPOs; controllers and
processors must do this themselves.
Option C is incorrect because supervisory authorities do not manage controllers’ or processors’ tasks.
Option D is incorrect because supervisory authorities do not pre-approve privacy policies.
Reference:
GDPR Article 58(1)(f) (Supervisory authorities can access premises and data)
Recital 129 (Authorities must have investigation powers)
