GDPR : Article 60 - Cooperation Between the Lead Supervisory Authority and the Other Supervisory Authorities Concerned

by Nash V


In today's digital age, the protection of personal data has become a paramount concern. The General Data Protection Regulation (GDPR), introduced by the European Union (EU), has emerged as a comprehensive legal framework to safeguard individuals' personal data. Among the myriad provisions of this regulation, Article 60 GDPR holds a crucial place, delineating the mechanisms for cooperation between the lead supervisory authority and other supervisory authorities concerned.

Key Elements of Article 60 GDPR

Understanding Article 60 GDPR

Article 60 of the GDPR fundamentally addresses the imperative matter of cooperation among supervisory authorities within the EU. Its primary objective is to establish a framework for cohesive action when dealing with cases involving cross-border data processing activities.

These activities can encompass scenarios where data controllers or processors operate in multiple EU member states or situations where the rights of data subjects extend beyond geographical boundaries. In essence, Article 60 acts as a lighthouse guiding the way to harmonized, efficient data protection enforcement, ensuring that the rights of data subjects are upheld consistently, irrespective of geographic nuances.

Key Elements of Article 60 GDPR

To gain a holistic grasp of the GDPR's Article 60, it is imperative to dissect its core components:

  • Lead Supervisory Authority: Article 60 lays the foundation for the concept of a "lead supervisory authority" in cases involving cross-border data processing. This authority is designated based on the location of the data controller or processor's primary establishment within the EU. The lead supervisory authority assumes a pivotal role in orchestrating and overseeing the handling of such cases.
  • Cooperation with Other Supervisory Authorities: The crux of Article 60 revolves around the obligation of the lead supervisory authority to engage in cooperation and consultation with other supervisory authorities concerned in cases that impact data subjects across multiple member states. These concerned authorities are typically the supervisory bodies situated in the member states where the data processing activities exert influence.
  • Consistency Mechanism: Article 60 introduces an ingenious mechanism aimed at ensuring the uniform application of the GDPR across the EU. The lead supervisory authority is tasked with formulating an opinion, which is subsequently disseminated to other concerned authorities. If a consensus is not reached among these authorities, a well-structured consistency mechanism is triggered, intended to resolve disputes and foster consistent enforcement.
  • Binding Decisions: In instances where the lead supervisory authority identifies GDPR infringements, it possesses the authority to issue binding decisions that have applicability across the EU. These binding decisions are instrumental in maintaining a unified approach to data protection enforcement.

Implementation of Article 60 GDPR

The successful implementation of Article 60 GDPR hinges upon the seamless collaboration and communication among supervisory authorities scattered across the EU's tapestry. Here is an in-depth exploration of the key steps encompassed in the implementation process:

  • Identification of Lead Supervisory Authority: The commencement of the implementation process hinges on the identification of the lead supervisory authority. When a data processing activity bears cross-border implications, the data controller or processor is tasked with the responsibility of identifying its primary establishment within the EU. This establishment is the lodestar that determines the lead supervisory authority entrusted with overseeing the case.
  • Notification and Consultation: Promptly upon identification, the lead supervisory authority is obliged to notify other supervisory authorities concerned about the case at hand. This initiates a crucial phase of consultation, during which these authorities converge to deliberate and seek consensus on the most judicious course of action.
  • Consistency Mechanism: In situations where consensus remains elusive among the concerned authorities, the well-conceived consistency mechanism steps in. The European Data Protection Board (EDPB) assumes a pivotal role in facilitating this mechanism. The EDPB serves as the cornerstone of dispute resolution and the arbiter of consistent GDPR enforcement.
  • Binding Decisions: When the lead supervisory authority, after thorough investigation, concludes that GDPR violations have transpired, it wields the power to issue binding decisions. These decisions transcend national borders and have far-reaching implications, as they impose a uniform approach to enforcement across the entirety of the EU.
GDPR Implementation Toolkit

Impact of Article 60 GDPR on Data Privacy

Article 60 GDPR has wrought transformative changes upon the landscape of data privacy within the EU, imprinting its impact in various dimensions:

  • Consistency and Harmonization: At the heart of Article 60 lies its unwavering commitment to consistency and harmonization in the realm of data protection enforcement. By ensuring that the same set of rules and standards applies uniformly to data processing activities, regardless of their geographical origin within the EU, it fosters a sense of coherence and predictability in the data protection landscape.
  • Enhanced Data Subject Rights: The cooperation mechanism meticulously outlined in Article 60 serves as a robust guardian of data subject rights. This framework empowers data subjects, ensuring that their rights are not merely theoretical concepts but tangible guarantees, especially in cases involving mammoth multinational corporations that traverse multiple EU member states.
  • Efficient Enforcement: The operationalization of Article 60 streamlines the enforcement process significantly. By designating a lead supervisory authority, cases with cross-border implications can be managed with alacrity and precision, thereby diminishing delays and engendering timely responses to data breaches and other regulatory infringements.
  • Legal Certainty: One of the pivotal outcomes of Article 60 is the establishment of legal certainty. Organizations operating within the EU's ambit gain crystal-clear clarity regarding their obligations and the potential ramifications of non-compliance. This clarity, in turn, fortifies their commitment to data protection compliance.
  • Cross-Border Accountability: Article 60 is an embodiment of the EU's commitment to cross-border accountability. It resolutely holds data controllers and processors accountable for their actions, irrespective of the number of member states they operate in. This deters companies from exploiting jurisdictional variances to evade their responsibilities, reinforcing the EU's commitment to data protection.


In the multifaceted tapestry of the GDPR, Article 60 stands as a towering pillar, a testament to the EU's unwavering dedication to safeguarding the privacy and data protection rights of its citizens. Through the institution of lead supervisory authorities and the establishment of a robust cooperation framework, the GDPR has cast aside the shackles of national borders, forging a path towards a unified approach to enforcement that steadfastly upholds the rights of data subjects throughout the entirety of the EU. As we navigate the ever-evolving terrain of data privacy in an increasingly digitalized world, Article 60 remains a critical tool in the arsenal of EU data protection authorities, working tirelessly and concertedly to shield the personal data of millions of Europeans.


GDPR Implementation Toolkit