5.3 Supervisory Authorities, EDPB & One-Stop-Shop
Key Takeaways
- Each Member State has one or more independent supervisory authorities (DPAs) with investigative, corrective, and authorisation/advisory powers under Articles 57-58
- Under the one-stop-shop, a controller with cross-border processing has a single lead supervisory authority determined by the location of its main establishment (Article 56), defined by where central-administration or decision-making on processing occurs (Article 4(16))
- The lead authority cooperates with concerned authorities through the Article 60 cooperation procedure and may rely on local authorities for matters affecting only their territory
- The consistency mechanism (Articles 63-67) ensures uniform application; the EDPB can issue binding decisions under the Article 65 dispute-resolution procedure
- The European Data Protection Board (EDPB) replaced the Article 29 Working Party and issues guidelines, opinions, and binding decisions to harmonise GDPR application across the EU
Supervisory Authorities and Their Powers
Each Member State establishes one or more independent supervisory authorities (DPAs) to monitor GDPR application (Article 51). The exam tests their three categories of powers, defined in Articles 57-58:
| Power type | Examples (Article 58) |
|---|---|
| Investigative | Order the controller/processor to provide information; carry out audits and on-site investigations; obtain access to data and to premises including equipment |
| Corrective | Issue warnings and reprimands; order compliance with data subject requests; impose a temporary or permanent ban on processing; order rectification, erasure, or suspension of data flows; impose administrative fines |
| Authorisation and advisory | Advise controllers; approve codes of conduct, certification, binding corporate rules (BCRs), and standard contractual clauses |
Article 57 lists DPA tasks, which differ from powers: handling and investigating complaints, promoting public and controller awareness, advising national parliaments and governments, and cooperating with other authorities. Independence (Article 52) is essential — DPAs act free from external instruction, with their own staff and budget. A DPA must handle a complaint and inform the complainant of progress within three months or the complainant may seek a judicial remedy under Article 78.
The One-Stop-Shop and the Lead Authority
For cross-border processing, the one-stop-shop (OSS) mechanism gives an organisation a single primary regulator — the lead supervisory authority — instead of facing up to 27 separate DPAs. Cross-border processing exists where the organisation is established in more than one Member State, or where processing in a single establishment substantially affects (or is likely to affect) data subjects in more than one Member State (Article 4(23)).
Under Article 56, the lead authority is the DPA of the controller's or processor's main establishment. Article 4(16) defines the main establishment as:
- For a controller: the place of its central administration in the EU, unless decisions on the purposes and means of processing are taken in another EU establishment that has the power to implement them — then that establishment is the main one.
- For a processor: the place of central administration in the EU, or, where there is none, the establishment where the main processing activities occur.
The key insight: the main establishment follows where decisions about processing are actually made and implemented, not necessarily the registered headquarters. An organisation with no EU establishment cannot use the OSS at all and may face every concerned DPA directly.
Cooperation and the Consistency Mechanism
Cooperation (Article 60): The lead authority cooperates with concerned supervisory authorities (CSAs) — those whose data subjects are substantially affected, whose territory hosts an establishment, or that received the complaint. The lead authority investigates and prepares a draft decision; CSAs may raise a relevant and reasoned objection (RRO) within four weeks. If the lead authority does not follow an RRO, or considers it not relevant or reasoned, the matter goes to dispute resolution under Article 65.
Consistency mechanism (Articles 63-67): designed to ensure GDPR is applied uniformly across the EU. Two procedures matter most:
- Article 64 — opinion: the EDPB issues an opinion on matters of general application, e.g., a DPA's draft list of DPIA-required operations, draft codes of conduct, certification criteria, or BCRs.
- Article 65 — binding decision (dispute resolution): where authorities disagree on an RRO, or on which authority is competent, the EDPB adopts a binding decision by a two-thirds majority within one month of referral (extendable by a further month; a simple-majority fallback applies if still deadlocked). This Article 65 route produced several headline cross-border enforcement outcomes against major platforms.
The European Data Protection Board (EDPB)
The European Data Protection Board (EDPB) is the EU body that ensures consistent application of the GDPR. It replaced the Article 29 Working Party (WP29) when the GDPR took effect on 25 May 2018, and it has legal personality, unlike the advisory WP29 it succeeded.
Membership: the head of one supervisory authority from each Member State plus the European Data Protection Supervisor (EDPS). The European Commission participates without voting rights.
EDPB functions (Article 70) include:
- Issuing guidelines, recommendations, and best practices (e.g., on consent, transparency, legitimate interests, and international transfers)
- Advising the European Commission on data-protection matters and on the level of protection in third countries
- Issuing opinions under the consistency mechanism (Article 64)
- Adopting binding decisions under Article 65
- Maintaining a public register of decisions taken by authorities and courts
Do not confuse the EDPB (the board harmonising all national DPAs) with the EDPS (the single supervisory authority that oversees the EU institutions and bodies themselves). The EDPB also does not act as a lead authority — it resolves disputes between DPAs but does not investigate organisations directly.
Urgency Procedure and Mutual Assistance
Two further mechanisms round out the cooperation framework and occasionally appear on the exam. Under the urgency procedure (Article 66), a concerned DPA may, in exceptional circumstances where it considers there is an urgent need to protect data subjects, immediately adopt provisional measures in its own territory with a specified validity of no more than three months, bypassing the normal consistency mechanism; it may then request an urgent EDPB opinion or binding decision.
Under mutual assistance (Article 61), DPAs must respond to another authority's request for information or supervisory measures without undue delay and no later than one month; silence can lead to provisional measures and EDPB involvement. Joint operations (Article 62) let authorities from several Member States run combined investigations and even second staff to each other's territory. These tools matter for scenario questions where a complaint touches multiple states but the lead authority is slow or absent — the GDPR is built so that data subjects are never left without an authority able to act.
A company is incorporated in Ireland, but all decisions about the purposes and means of its EU-wide data processing are taken at an office in Germany that has authority to implement them. Which DPA is the lead supervisory authority?