The role of concerned supervisory authorities
The lead supervisory authority handling a cross-border case does not work alone. The lead supervisory authority cooperates with the data protection supervisory authorities of the other EU countries where the data processing has impact. These other supervisory authorities are called the concerned supervisory authorities.
On this page
Who are the concerned supervisory authorities?
Supervisory authorities concerned are:
- the supervisory authorities of the EU Member States in which the controller or processor has an establishment;
- the supervisory authorities of the EU Member States where data subjects are (probably) substantially affected by the cross-border processing;
- the supervisory authorities of EU Member States where a complaint has been lodged.
Cooperation
The lead supervisory authority coordinates the work, involves the other supervisory authorities in the case, and submits draft decisions to the concerned supervisory authorities. Supervisory authorities can also conduct a joint investigation on site at establishments in one or more EU Member States.
Difference of opinion
The lead supervisory authority and the concerned supervisory authorities share all relevant information with each other and aim to reach one decision. Do the supervisory authorities differ in opinion? Then the European Data Protection Board (EDPB) may take a binding decision. The lead supervisory authority has to abide by this decision.
Independently handling a case
By way of exception, the lead supervisory authority may decide that a cross-border case in fact only has consequences in one Member State. In that case, the lead supervisory authority may give the concerned supervisory authority of this Member State permission to address the case independently outside the one-stop shop mechanism.