With the introduction of the GDPR, the concept of the one-stop shop was established as one of the main innovations. In cross-border processing cases, the supervisory authority in the Member State of the controller’s or processor’s main establishment is the authority leading the enforcement of the GDPR for the respective cross-border processing activities, in cooperation with all the authorities which may face the effects of the processing activities at stake: be it through the establishments of the controller or processor on their territory or through complaints from their residents against these processing activities. Indeed, data subjects should be able to easily pursue their data protection rights and should be able to complain to a supervisory authority at their place of habitual residence. This supervisory authority also remains the contact point for the complainant in the further course of the complaint-handling process. In order to meet all these requirements, Article 60 GDPR regulates the cooperation procedure between the lead supervisory authority and the other supervisory authorities concerned.
These guidelines handle the interactions of the supervisory authorities with each other, with the EDPB and with third parties under Article 60 GDPR. The aim is to analyse the cooperation procedure and to give guidance on the concrete application of the provisions.
A common understanding of the terms and basic concepts is a prerequisite for the cooperation procedure to run as smoothly as possible.
Firstly, the guidelines state that:
- the cooperation procedure applies in principle to all cross-border processing cases,
- the lead supervisory authority is primarily responsible for handling such cases, without being empowered to ultimately decide on its own, and that
- the cooperation procedure does not impact the independence of the supervisory authorities, which retain their own discretionary powers within the framework of cooperation.
It is recalled that the effects of national procedural regulations must not lead to limiting or hampering the cooperation under the GDPR.
Structure and Content of the guidelines
These guidelines are based on the requirements of Article 60 GDPR and clarify paragraph by paragraph the conditions arising from the regulation itself and its practical implementation.
In the context of Article 60(1) GDPR, it is established that the principles to be observed throughout the whole cooperation procedure are mutual obligations. It is stressed that while the achievement of consensus among the supervisory authorities (SAs) is not an obligation, the endeavour to reach an agreed consensual decision is an overarching objective to be achieved through a mutual and consistent exchange of all relevant information. This exchange of information is obligatory for all supervisory authorities concerned (CSAs), including the lead supervisory authority (LSA). The meaning of “relevant” in this context is further clarified through examples. In terms of timeliness, the paper recommends sharing the relevant information proactively and as quickly as possible. Lastly, the possibility to use informal means of communication to reach consensus is recalled.
The following section on Article 60(2) GDPR addresses the situation of the LSA requesting CSA(s) to provide mutual assistance pursuant to Article 61 GDPR and conducting joint operations pursuant to Article 62 GDPR and provides guidance on the specifications of these instruments in the context of an ongoing cooperation procedure.
The paper addresses the process of the submission of the draft decision under Article 60(3) GDPR. It highlights that the LSA has to act proactively and as quickly as possible and that the CSAs should be able to contribute to the overall procedure, also before the creation of the draft decision (e.g. exchange of information). In addition, the LSA is required to submit a draft decision to the CSAs in all cases of cross-border processing.
The sections on Article 60(4) GDPR, Article 60(5) GDPR and Article 60(6) GDPR outline the different scenarios that follow the submission of a draft decision by the lead supervisory authority and thus provide a consistent approach to the procedure between the submission of a (revised) draft decision and either the triggering of the binding effect in the absence of relevant and reasoned objections or the submission to the dispute resolution procedure. The guidelines also recognise the possibility for the LSA to adapt and resubmit the draft decision submitted under Article 60(4) GDPR prior to the expiry of the four-week period, provided that new factors or considerations justify such adaptation and that their importance is fairly balanced against the expediency of the cooperation procedure. In addition, it is specified that there may be multiple revised decisions, but only in cases where a consensus is likely to be reached due to substantive convergence between the LSA and other CSA(s).
This is followed by the analysis of the different scenarios after the (revised) draft decision has become binding on the lead supervisory authority and the supervisory authorities concerned. It is clarified which supervisory authority has to adopt the final national decision pursuant to Article 60(7) GDPR, Article 60(8) GDPR and Article 60(9) GDPR on the basis of the draft decision that has become binding and which supervisory authority has to notify the controller/processor or the complainant. In this context, the distinction between notifying and informing is also addressed.
Furthermore, the guidelines address the important distinction between situations that constitute a dismissal/rejection of a complaint, with the consequence that the complaint-receiving SA adopts the final decision, and situations in which the lead supervisory authority acts on the complaint in relation to the controller, with the consequence that the lead supervisory authority adopts the final decision. In this context, it is highlighted that terms of EU law not making express reference to Member State law must normally be given an autonomous and uniform interpretation.
The following section outlines the duties of the controller or processor to ensure that processing activities in all its establishments are in compliance with the final decision (Article 60(10) GDPR).
A quick reference guide annexed to the guidelines is intended to give practitioners in the supervisory authorities a quick overview of the procedure and to illustrate the complex procedure.