The Federal Commissioner for Data Protection and Freedom of Information

Navigation and service

Procedures for the cooperation of supervisory authorities in Germany and Europe according to the GDPR

For controllers with an European establishment, the lead supervisory authority in the Member State of the main establishment is the sole contact point for cross-border data processing (one-stop shop principle). The European supervisory authorities concerned cooperate with each other to ensure uniform application of the law (cooperation procedures) and only the lead supervisory authority plays an active role towards the controller.

Shake hands and in the foreground are digital floating locks
Adobe Stock Source: ©VideoFlow - stock.adobe.com

Data protection authorities in whose area of competence further establishments of the controller are located are referred to as "supervisory authorities concerned". In addition, this designation applies to supervisory authorities with whom data subjects have lodged complaints or to authorities whose local competence covers an area where data subjects are residing who are likely to be substantially affected by the processing. At the beginning of each cooperation procedure, the supervisory authorities clarify among themselves who is the lead supervisory authority and who are the supervisory authorities concerned.

In Germany, the Independent German Federal and State Data Protection Supervisory Authorities take part in the cooperation procedure. If necessary, they will be assisted by the single contact point (ZASt), for example in determining the competent German supervisory authority/authorities or in clarifying national competence.

This is followed by the actual substantive case processing, for which the lead and supervisory authorities concerned exchange information on an ongoing basis. Subsequently the lead supervisory authority shall submit a draft decision on how it intends to close the procedure towards the controller (by discontinuing proceedings or issuing corrective measures according to Art. 58(2) GDPR).

If no consensus on the question which data protection supervisory authority is the lead supervisory authority or on the draft decision is reached at European level in the cooperation procedure, the consistency mechanism (Art. 63 et seq. GDPR) and in particular, the dispute resolution procedure (Art. 65 GDPR) must be carried out. In practice, this procedure is most commonly initiated if a supervisory authority concerned objects to the draft decision of the lead supervisory authority and the latter does not agree with the objection. In this case, the European Data Protection Board (EDPB), in which the European supervisory authorities have one vote per Member State, and the European Data Protection Supervisor is entitled to vote, will decide.

In the EDPB, Germany is represented by the joint representative or his deputy. If a common position on a voting item is drawn up by the Federal and the state supervisory authorities according to Section 18 BDSG, this must be the basis for the negotiations in the EDPB.

In order to determine the common position, the federal and state supervisory authorities cooperate with each other with the aim of reaching a consensual positioning. If this fails, a graduated decision-making procedure (Section 18 BDSG) takes place. The German position is ultimately determined by a majority decision. This process of national decision-making is coordinated by the single contact point (ZASt)

After the vote, the EDPB adopts a binding decision. If the objections are successful, the lead supervisory authority is instructed to adjust the draft decision accordingly.

The procedure ends with the lead supervisory authority issuing its own decision, adapted if necessary, to the controller. If the procedure was based on a complaint and the complaint was unsuccessful in whole or in part, the supervisory authority with whom the complaint was lodged shall issue the decision to the complainant. This will enable the latter to have the decision reviewed in the courts of the Member State where the complaint was lodged.

In addition to clarifying individual issues in the dispute resolution procedure, the EDPB also ensures the consistent application of the GDPR in other cases relating to the consistency mechanism. This is achieved by issuing opinions, for example in matters producing effects in more than one Member State (Art. 64 GDPR) or following temporary provisional measures adopted by supervisory authorities (Art. 66 GDPR).

Additional Information