image

EU GDPR – Article 60 (Cooperation Between Supervisory Authorities)

Posted on February 27, 2026 by Sarah Aamir
Share
RSS
Follow by Email
Facebook
X (Twitter)
Pinterest
LinkedIn
WhatsApp
Abstract

General Data Protection Regulation (GDPR) Article 60 defines how supervisory authorities across EU Member States work together when handling cross-border data protection matters. When an organization operates in more than one Member State, one authority acts as the lead supervisory authority (LSA). Article 60 requires this authority to cooperate closely with other concerned supervisory authorities to ensure consistent decision-making, proper information exchange, and coordinated enforcement.

The purpose of this cooperation is to avoid conflicting outcomes, protect individuals’ rights across borders, and maintain uniform application of GDPR rules. Article 60 forms a core part of the GDPR’s “one-stop-shop” mechanism, helping organizations deal with a single primary authority while still ensuring that other affected authorities are actively involved.

Explanation

Article 60 applies mainly to cross-border processing activities. Cross-border processing occurs when a company operates in multiple EU Member States or when processing significantly affects individuals in more than one country.

In such cases, the supervisory authority of the company’s main establishment becomes the lead supervisory authority. However, this does not mean other authorities are excluded. Instead, Article 60 establishes a structured cooperation system between the lead authority and all other concerned supervisory authorities.

The lead supervisory authority must:

  1. Share relevant information without delay.
  2. Seek mutual assistance where required.
  3. Draft decisions and submit them to other concerned authorities for review.
  4. Consider objections raised by other authorities.

Other supervisory authorities can review the draft decision and raise “relevant and reasoned objections.” If no objections are raised within the defined period, the decision becomes binding. If objections arise and cannot be resolved, the matter may be escalated to the European Data Protection Board under Article 65 for dispute resolution.

This framework ensures transparency, fairness, and consistent enforcement across the EU. It prevents companies from facing different decisions in different countries for the same issue, while also guaranteeing that the interests of affected Member States are properly represented.

Key Points
  1. Article 60 governs cooperation in cross-border data protection cases.
  2. A lead supervisory authority (LSA) is identified based on the main establishment of the controller or processor.
  3. Other supervisory authorities are considered “concerned supervisory authorities.”
  4. The LSA must share information and draft decisions with concerned authorities.
  5. Concerned authorities can raise relevant and reasoned objections.
  6. If consensus is reached, the LSA adopts the final decision.
  7. If disagreement persists, the case may be referred to the European Data Protection Board.
  8. The goal is consistency and coordinated enforcement across the EU.
General Activation Steps
  1. Identify Cross-Border Processing: Determine whether the processing activity affects individuals in more than one EU Member State.
  2. Identify the Lead Supervisory Authority: Establish the organization’s main establishment within the EU. The supervisory authority in that country becomes the LSA.
  3. Notify Concerned Supervisory Authorities: The LSA informs other relevant authorities and begins cooperation.
  4. Conduct Investigation: The LSA may request information, carry out inspections, or seek mutual assistance from other authorities.
  5. Draft Decision: The LSA prepares a draft decision and submits it to the concerned authorities.
  6. Review and Objections – Concerned authorities review the draft and may raise objections within the legal timeframe.
  7. Final Decision or Escalation: If no objections arise, the LSA adopts the final decision. If objections cannot be resolved, the matter is referred to the European Data Protection Board for binding resolution.

Use Cases

  1. Cross-Border Tech Company Investigation: A multinational technology company processes user data across several EU countries. A complaint is filed in one Member State. The supervisory authority of the company’s main EU headquarters acts as the LSA. Other Member States where users are affected become concerned authorities. Through Article 60, they coordinate investigation steps and agree on a unified enforcement outcome.
  2. Data Breach Affecting Multiple Countries: An e-commerce platform suffers a data breach impacting customers in Germany, France, and Spain. Instead of three separate enforcement decisions, Article 60 ensures one coordinated decision through the LSA, reducing duplication and ensuring consistent penalties.
  3. Employee Data Processing in Multi-State Operations: A corporation with offices in five EU countries introduces a centralized HR monitoring system. Employees in several countries raise complaints. Article 60 ensures that all relevant supervisory authorities participate in the review process while one authority leads coordination.
  4. Large-Scale Marketing Practices: A digital marketing firm conducts behavioral profiling affecting individuals in multiple Member States. A supervisory authority launches an investigation. Cooperation under Article 60 ensures that advertising and profiling standards are applied uniformly across borders.
Dependencies

Article 60 does not operate in isolation. It depends on several related GDPR provisions:

  1. Article 56 (Competence of the Lead Supervisory Authority): Defines when an authority qualifies as the LSA.
  2. Article 4(23) (Definition of Concerned Supervisory Authority): Clarifies which authorities are involved in cooperation.
  3. Article 61 (Mutual Assistance): Supports information exchange between authorities.
  4. Article 62 (Joint Operations): Allows authorities to conduct joint investigations where needed.
  5. Article 65 (Dispute Resolution by the European Data Protection Board): Provides a mechanism for resolving disagreements between authorities.

Together, these provisions create a structured cooperation system that ensures both efficiency and accountability in cross-border enforcement.

Tools and Technologies
  1. Internal Case Management Systems: Supervisory authorities use secure case management platforms to document investigations, share draft decisions, and manage communication timelines.
  2. Secure Communication Channels: Encrypted systems allow authorities to exchange sensitive documents and investigation materials safely.
  3. IMI System (Internal Market Information System): The EU uses digital platforms to facilitate cooperation and structured communication between Member States’ authorities.
  4. Data Mapping and Compliance Tools: Organizations subject to investigation often rely on compliance management software to document processing activities and respond quickly to information requests.
  5. Incident Response Platforms: In breach scenarios, automated reporting and monitoring tools help companies gather required details for supervisory authorities in multiple jurisdictions.
  6. Legal and Documentation Management Software: Structured documentation systems help organizations provide consistent responses across Member States when authorities request information.

These technological systems support faster coordination and reduce administrative friction between supervisory authorities.

Let’s Wrap

Article 60 of the GDPR plays a central role in managing cross-border data protection enforcement. It ensures that when organizations operate across multiple EU Member States, supervisory authorities cooperate rather than act independently.

Through structured information sharing, draft decision reviews, and objection mechanisms, Article 60 promotes consistent regulatory outcomes. It balances efficiency for businesses with strong protection for individuals’ rights.

The lead supervisory authority coordinates the process, but concerned authorities remain fully engaged. When disagreements arise, escalation to the European Data Protection Board ensures a final, binding resolution.

In practice, Article 60 strengthens trust in the GDPR system. It prevents fragmented enforcement, supports harmonized decisions, and reinforces the principle that data protection rights apply equally across the European Union.

For further reading:

Leave a Reply

Your email address will not be published. Required fields are marked *

seventeen + 6 =

Recent Posts

Archives

Categories