The role of supervisory authorities involved

Organisations that carry out cross-border processing operations have to deal with one data protection supervisory authority. This is the lead supervisory authority. On this page you can read what the rules are for who the lead supervisory authority is, and how you can determine yourself who the lead supervisory authority is for your organisation.

Who are the supervisory authorities involved?

Supervisory authorities involved are:

  • the supervisory authorities of the EU Member States in which the controller or processor has an establishment;
  • the supervisory authorities of the EU Member States where data subjects are (probably) substantially affected by the cross-border processing;
  • the supervisory authorities of EU Member States where a complaint has been lodged.

Cooperation

The lead supervisory authority coordinates the work, involves the other supervisory authorities in the case, and submits draft decisions to the supervisory authorities involved. Supervisory authorities can also conduct a joint investigation on site at establishments in one or more EU Member States.

Difference of opinion 

The lead supervisory authority and the supervisory authorities involved share all relevant information with each other and aim to reach one decision. Do the supervisory authorities differ in opinion? Then the European Data Protection Board (EDPB) may take a binding decision. The lead supervisory authority has to abide by this decision.

Independently handling a case

By way of exception, the lead supervisory authority may decide that a cross-border case in fact only has consequences in one Member State. In that case, the lead supervisory authority may give the supervisory authority involved in that Member State permission to address the case independently, outside the one-stop shop mechanism.