The GDPR establishes a general framework for cooperation between supervisory authorities and provides more specific rules on the cooperation of supervisory authorities in cross-border activities of data processing.
Under the GDPR supervisory authorities shall provide mutual assistance and share relevant information to implement and apply the regulation in a consistent manner. This includes the requested supervisory authority carrying out consultations, inspections and investigations. Supervisory authorities can carry out joint operations, including joint investigations and joint enforcement measures whereby staff of all supervisory authorities are involved.
In the EU, controllers and processors increasingly operate at a transnational level. This requires close cooperation between the competent supervisory authorities in Member States to ensure that personal data processing complies with the requirements of the GDPR. Under the regulation’s ‘one-stop-shop’ mechanism, if a controller or processor has establishments in several Member States, or if it has a single establishment but the processing operations substantially affect data subjects in more than one Member State, the supervisory authority of the main (or single) establishment is the lead authority for the controller’s or processor’s cross-border activities. Lead authorities have the power to take enforcement action against the controller or processor. The one-stop-shop mechanism aims to improve harmonization and the uniform application of EU data protection law across different Member States. It is also beneficial for businesses, as they only need to deal with the lead authority rather than with several supervisory authorities. This enhances legal certainty for businesses and, in practice, should also mean that decisions are taken faster and that businesses are not faced with different supervisory authorities imposing conflicting requirements on them.
Identifying the lead authority entails determining the location of the main establishment of a business in the EU. The term ‘main establishment’ is defined in the GDPR. In addition, the Article 29 Working Party has issued guidelines for identifying a controller’s or processor’s lead supervisory authority, which include the criteria for identifying the main establishment.
To ensure a high level of data protection throughout the EU, the lead supervisory authority does not act alone. It must cooperate with the other supervisory authorities concerned to adopt decisions on personal data processing by controllers and processors, in an endeavour to reach consensus and ensure consistency. Cooperation among the relevant supervisory authorities includes exchanging information, assisting each other, conducting joint investigations and monitoring activities. When providing mutual assistance, supervisory authorities must properly deal with information requests made by other supervisory authorities and exercise supervisory measures, such as, for example, prior authorizations and consultations with the data controller on its processing activities, inspections or investigations. Mutual assistance to supervisory authorities in other Member States must be provided on request without undue delay and no later than one month after receiving the request.
Where the controller has establishments in multiple Member States, the supervisory authorities can conduct joint operations including investigations and enforcement measures in which staff members of the supervisory authorities of other Member States are involved.
Cooperation between different supervisory authorities is an important requirement under CoE law as well. Modernized Convention 108 provides that supervisory authorities must cooperate with one another to the extent necessary to perform their tasks. This should be done, for instance, by providing each other with any relevant and useful information and by coordinating investigations and conducting joint actions.