Procedures for the cooperation of supervisory authorities in Germany and Europe according to the GDPR
For controllers with a European establishment, the lead supervisory authority in the Member State of the main establishment is the sole contact point for cross-border data processing (one-stop shop principle). The European supervisory authorities concerned cooperate with each other to ensure uniform application of the law (cooperation procedures) and only the lead supervisory authority plays an active role towards the controller.
Data protection authorities in whose area of competence further establishments of the controller are located are referred to as "supervisory authorities concerned". In addition, this designation applies to supervisory authorities with whom data subjects have lodged complaints or to authorities whose local competence covers an area where data subjects are residing who are likely to be substantially affected by the processing.
In Germany, the supervisory authorities of the federal and state governments take part in the cooperation procedure. If necessary, they will be assisted by the single contact point (ZASt), for example in determining the competent German supervisory authority/authorities or in clarifying national competence.
If no consensus is reached at European level in the cooperation procedure, the consistency mechanism (Art. 63 et seq. GDPR) and in particular, the dispute resolution procedure (Art. 65 GDPR) ) must be carried out. This procedure is initiated if a supervisory authority concerned objects to the draft decision of the lead supervisory authority and the latter does not agree with the objection. In this case, the European Data Protection Board (EDPB), in which the European supervisory authorities have one vote per Member State, and the European Data Protection Supervisor is entitled to vote, will decide.
In the EDPB, Germany is represented by the joint representative or his deputy, who, are bound by a common position drawn up by the Federal and the state supervisory authorities, when casting their vote.
In order to determine the common position, the federal and state supervisory authorities cooperate with each other with the aim of reaching a consensual positioning. If this fails, a graduated decision-making procedure (Section 18 BDSG) takes place. The German position is ultimately determined by a majority decision. This process of national decision-making is coordinated by the single contact point (ZASt).
After the vote, the EDPB adopts a binding decision. If the objections are successful, the lead supervisory authority is instructed to adjust the draft decision accordingly. In implementing the EDPB decision, the lead supervisory authority shall issue its own decision, adapted if necessary, to the controller. If the procedure was based on a complaint and the complaint was unsuccessful in whole or in part, the supervisory authority with whom the complaint was lodged shall issue the decision to the complainant. This will enable the latter to have the decision reviewed in the courts of the Member State where the complaint was lodged.
In addition to clarifying individual issues in the dispute resolution procedure, the EDPB also ensures the consistent application of the GDPR in other cases relating to the consistency mechanism. This is achieved by issuing opinions, for example in matters producing effects in more than one Member State (Art. 64 GDPR) or following temporary provisional measures adopted by supervisory authorities (Art. 66 GDPR).