Overview
This article ensures cooperation between the lead supervisory authority and other concerned supervisory authorities to achieve consensus on decisions regarding cross-border processing. Cooperation involves the exchange of relevant information, joint investigations, and addressing objections to draft decisions. The lead authority communicates final decisions to the controller, processor, and other authorities involved.
Key Principles
Collaboration: Facilitate consensus among supervisory authorities on cross-border processing matters.
Information Exchange: Share relevant information, investigation results, and draft decisions.
Joint Operations: Conduct coordinated investigations and enforcement actions when necessary.
Transparency and Communication: The lead authority communicates decisions to all stakeholders, including controllers, processors, and other authorities.
Dispute Resolution: Address objections to draft decisions to reach a coordinated outcome.
Organizational Applicability
This article applies to:
Lead supervisory authorities overseeing cross-border processing of personal data.
Other supervisory authorities concerned with the processing within their Member State.
Controllers and processors subject to cross-border GDPR oversight.
Teams managing compliance, investigations, and international authority coordination.
Implementation Requirements
Establish procedures for cooperation, information sharing, and consensus-building between authorities.
Coordinate joint investigations and enforcement activities.
Review and address objections to draft decisions collaboratively.
Ensure timely communication of final decisions to controllers, processors, and authorities involved.
Implementation Guidance
Develop a standard operating procedure for cross-border authority cooperation.
Maintain secure channels for exchanging sensitive information.
Train staff on handling objections, joint investigations, and communication protocols.
Periodically review cooperation practices to ensure effective cross-border decision-making.
Periodic Review
Frequency: Annually or when new cross-border processing cases arise.
Responsible Role: Lead Supervisory Authority, Compliance Teams, or Legal.
Outcome: Ensure effective cooperation, timely decision-making, and coordinated enforcement across Member States.
Non-Compliance Risks
Fines: Up to €20 million or 4% of global annual turnover for supervised entities.
Legal Exposure: Disputes or conflicting decisions due to poor coordination.
Reputational Damage: Loss of trust in supervisory authority efficiency and GDPR enforcement.