The General Data Protection Regulation (GDPR) requires the Data Protection Authority (DPA) of the European Economic Area (EEA) to cooperate closely - under the umbrella of the European Data Protection Board (EDPB) - to ensure the consistent application of the GDPR and the protection of individuals’ data protection rights across the EEA. One of their tasks is to coordinate decision-making in cross-border data processing cases.
A processing is cross-border when:
- data processing takes place in more than one country;
- or it substantially affects or it is likely to substantially affect individuals in more than one country.
Under the so-called one-stop-shop mechanism Art. 60 GDPR, the Lead Supervisory Authority (LSA) acts as the main point of contact for the controller or processor for a given processing, while the Concerned Supervisory Authorities (CSAs) act as the main point of contact for individuals in the territory of their Member State. The LSA is the authority in charge of leading the cooperation process. It will share relevant information with the CSAs, carry out the investigations, prepare the draft decision relating to the case, and cooperate with the other CSAs in an endeavour to reach consensus on this draft decision.