Overview
This article establishes that the supervisory authority of the controller’s or processor’s main establishment acts as the lead authority for cross-border processing, as defined in Article 60. Other supervisory authorities may handle local complaints or infringements, but must inform the lead authority within three weeks. The lead authority decides whether to handle the case or delegate it to the informing authority in accordance with Articles 61 and 62.
Key Principles
Lead Authority Role: Central authority for cross-border processing decisions.
Local Authorities: Handle local complaints or infringements but notify the lead authority.
Timely Communication: Inform the lead authority within three weeks of local issues.
Decision and Delegation: The lead authority determines case handling or delegates responsibility appropriately.
Coordination: Ensures consistent application of GDPR across Member States for cross-border activities.
Organizational Applicability
This article applies to:
Supervisory authorities involved in cross-border processing of personal data.
Controllers or processors with establishments in multiple EU Member States.
Teams responsible for coordinating compliance, enforcement, and regulatory communications.
Implementation Requirements
Identify the main establishment of the controller or processor for lead authority determination.
Establish procedures for informing and coordinating with the lead authority.
Respond to inquiries or requests from the lead authority within specified timelines.
Document decisions on delegation, handling, or cooperation with other authorities.
Implementation Guidance
Maintain a register of cross-border processing activities and lead authority assignments.
Train staff to understand roles, timelines, and coordination processes among authorities.
Implement communication channels to facilitate notifications within three weeks.
Review delegation and handling procedures periodically to ensure compliance with Articles 61 and 62.
Periodic Review
Frequency: Annually or when cross-border processing activities or authority assignments change.
Responsible Role: Data Protection Officer (DPO), Compliance Team, or Legal.
Outcome: Ensure lead authority coordination is effective, timely, and consistent with GDPR.
Non-Compliance Risks
Fines: Up to €20 million or 4% of global annual turnover for non-compliant controllers or processors.
Legal Exposure: Disputes over authority competence or delayed notifications.
Reputational Damage: Loss of trust due to mismanagement of cross-border compliance.
Operational Risk: Ineffective coordination may result in conflicting regulatory actions or enforcement challenges.