Article 60
Cooperation between the lead supervisory authority and the other supervisory authorities concerned

Official
Texts
Guidelines
& Caselaw
Review of
EU Regulation
Review of
Nat. Regulation
Show the recitals of the Regulation related to article 60 keyboard_arrow_down Hide the recitals of the Regulation related to article 60 keyboard_arrow_up

(133) The supervisory authorities should assist each other in performing their tasks and provide mutual assistance, so as to ensure the consistent application and enforcement of this Regulation in the internal market. A supervisory authority requesting mutual assistance may adopt a provisional measure if it receives no response to a request for mutual assistance within one month of the receipt of that request by the other supervisory authority..

(134) Each supervisory authority should, where appropriate, participate in joint operations with other supervisory authorities. The requested supervisory authority should be obliged to respond to the request within a specified time period.

There is no recital in the Directive related to article 60.

The GDPR

The Regulation seeks to provide solutions to the lack of coordination between the various national authorities potentially competent under the Directive via single window mechanism established by Article 56. The “lead” supervisory authority is the only authority competent to monitor the activities of the controller or the processor carried out throughout the Union and to take the relevant decisions. The competence of the “lead” supervisory authority is specified in Article 56 of the Regulation that we refer to.

Article 60 of the Regulation impose on the ‘lead’ supervisory authority the obligation to cooperate with the other supervisory authorities with a view to reach a consensus in cases of potential debate on the designation of the competent supervisory authorities, in particular, to exchange all useful information (paragraph 1). Such exchange of information must be carried out by electronic means, by using a standard form (paragraph 10).

The lead supervisory authority may request at any time from the other “supervisory authorities concerned” the provision of mutual assistance in application of Article 61. According to article 4 (22) of the Regulation, the supervisory authority may be concerned by the processing in three cases:

“a) the controller or processor is established on the territory of the Member State of that supervisory authority;

b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing;

or c) a complaint has been lodged with that supervisory authority.”

In addition, the lead authority may conduct joint operations pursuant to Article 62, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State (Article 60, paragraph 2).

Let’s recall, in the comments to Article 56, we have seen that when one national authority other than the leading supervisory authority is, however, competent by application of the second paragraph of Article 56 to handle a claim lodged with it, it should inform the lead supervisory authority. Within a period of three weeks after being informed the lead supervisory authority shall decide whether or not it will handle the case or the authority should handle it at local level.

In the case where the lead supervisory authority decides to handle the case, paragraph 3 of Article 60 shall apply. This provision requires the lead supervisory authority to communicate “without delay” the useful information on the matter to the other supervisory authorities concerned. The supervisory authority shall also submit without delay a draft for a decision to the other supervisory authorities concerned in order to obtain their opinion and take due account of their views.

The other supervisory authorities have the ability to raise objections to the draft decision within a period of four weeks (paragraph 4). In the absence of response within the time limits set by the provision, the other supervisory authorities shall be deemed to have approved the draft for a decision and shall be bound by it (paragraph 6).

The lead supervisory authority shall, if it does not follow the “relevant and reasoned” objection provided by any other supervisory authority, submit the matter to the consistency mechanism referred to in Article 63 (4). The relevant and reasoned objection is defined in Article 4 (24) of the Regulation as “an objection as to whether there is an infringement of this Regulation, or, as the case may be, whether envisaged action in relation to the controller or processor complies with this Regulation. The objection shall clearly demonstrate the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union.

In this case, the European Data Protection Board must make a binding decision on all aspects of the said objection and must in particular consider whether there is a violation of the Regulation (see Article 65 (1) (a)).

Where the lead supervisory authority intends to follow the relevant and reasoned objection made, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion. They will have a period of two weeks to provide their opinion. In this case, the procedure provided for in paragraph 3 shall apply (Art. 60, (5)).

At the end of this procedure, the lead supervisory authority shall adopt the decision and communicate it to the main establishment of the controller or the processor and shall inform the other supervisory authorities concerned, as well as the European Data Protection Board, making sure to include a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant of the decision (paragraph 7).

Where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof (paragraph 8).

In the case of a mixed decision, i.e., where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. In this case, the allocation of competences shall be as follows:

- the lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, shall notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, and

- the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint, and shall notify it to that complainant and shall inform the controller or processor thereof (paragraph 9).

The controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union (paragraph 10).  The controller or processor shall notify the lead supervisory authority of the measures taken for complying with the decision,  thenshall also inform the other supervisory authorities concerned.

Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply (Article 60 (11)). This provision authorises the relevant supervisory authority to adopt without delay temporary measures with a limited legal scope within the territory of its Member State.

The Directive

The Directive only provides that the supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information. However, no provision of the Directive regulates the modes of cooperation between the national supervisory authorities.

The absence of obligation for coordination to the national supervisory authorities in the Directive has led to many problems for companies that operate on a transnational level facing the application of different national legislations.

Potential issues

The implemented procedure seems highly complex and will lead to considerable work for the authorities concerned, who may often have to deal with the same case. Concomitant action by two separate authorities according to the nature of the decision (rejection or admission) is more likely to cause confusion for the complainant and concerned controllers/subcontractors who may no longer know who their interlocutor is.

Group 29

Guidelines for identifying a controller or processor’s lead supervisory authority

(Approved by EDPB)

Link

European data protection board (EDPB)

Guidelines 09/2020 on relevant and reasoned objection under Regulation 2016/679 (9 March 2021)

Within the cooperation mechanism set out by the GDPR, the supervisory authorities (“SAs”) have a duty to “exchange all relevant information with each other” and cooperate “in an endeavour to reach consensus”.2 This duty of cooperation applies to every stage of the procedure, starting with the inception of the case and extending to the whole decision-making process. The achievement of an agreement on the outcome of the case is therefore the ultimate goal of the whole procedure established by Article 60 GDPR. In the situations in which no consensus is reached among the SAs, Article 65 GDPR entrusts the EDPB with the power to adopt binding decisions. However, the exchange of information and the consultation among the Lead Supervisory Authority (“LSA”) and the Concerned Supervisory Authorities (“CSAs”) often enables an agreement to be reached at the early stages of the case.

According to Article 60(3) and (4) GDPR, the LSA is required to submit a draft decision to the CSAs, which then may raise a relevant and reasoned objection within a specific timeframe (four weeks).3 Upon receipt of a relevant and reasoned objection, the LSA has two options open to it. If it does not follow the relevant and reasoned objection or is of the opinion that the objection is not reasoned or relevant, it shall submit the matter to the Board within the consistency mechanism. If the LSA, on the contrary, follows the objection and issues the revised draft decision, the CSAs may express a relevant and reasoned objection on the revised draft decision within a period of two weeks.

When the LSA does not follow an objection or rejects it as not relevant or reasoned and therefore submits the matter to the Board according to Article 65(1)(a) GDPR, it then becomes incumbent upon the Board to adopt a binding decision on whether the objection is “relevant and reasoned” and if so, on all the matters which are the subject of the objection.

Therefore, one of the key elements signifying the absence of consensus between the LSA and the CSAs, is the concept of “relevant and reasoned objection”. This document seeks to provide guidance with respect to this concept and aims at establishing a common understanding of the notion of the terms “relevant and reasoned”, including what should be considered when assessing whether an objection “clearly demonstrates the significance of the risks posed by the draft decision” (Article 4(24) GDPR).

Article 4(24) GDPR defines “relevant and reasoned objection” as an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union”.

This concept serves as a threshold in situations where CSAs aim to object to a (revised) draft decision to be adopted by the LSA under Article 60 GDPR. As the unfamiliarity surrounding “what constitutes relevant and reasoned objection” has the potential to create misunderstandings and inconsistent applications by the supervisory authorities, the EU legislator suggested that the EDPB should issue guidelines on this concept (end of Recital 124 GDPR).

In order to meet the threshold set by Article 4(24) GDPR, a submission by a CSA should in principle explicitly mention each element of the definition in relation to each specific objection. Therefore, the objection aims, first of all, at pointing out how and why, according to the CSA, the draft decision does not appropriately address the situation of infringement of the GDPR, and/or does not envision appropriate action towards the controller or processor in the light of the demonstration of the risks that such draft decision, if left unchanged, would entail for the rights and freedoms of data subjects and for the free flow of personal data in the Union, where applicable. An objection submitted by a CSA should indicate each part of the draft decision that is considered deficient, erroneous or lacking some necessary elements, either by referring to specific articles/paragraphs or by other clear indications, and showing why such issues are to be deemed “relevant” as further explained below. The proposals for amendments put forward by the objection should aim to remedy these potential errors.

Indeed, the degree of detail of the objection and the depth of the analysis included therein may be affected by the degree of detail in the content of the draft decision and by the degree of involvement of the CSA in the process leading to the draft decision issued by the LSA. Therefore, the standard of “relevant and reasoned objection” is grounded on the assumption that the LSA’s obligation to exchange all relevant information is complied with, allowing the CSA(s) to have an in-depth understanding of the case and therefore to submit a solid and well-reasoned objection. To this end, the need for each legally binding measure of SAs to “give the reasons for the measure” (see Recital 129 GDPR) should also be kept in mind. The degree of involvement of the CSA by the LSA in the process leading to the draft decision, if it leads to an insufficient knowledge of all the aspects of the case, can therefore be considered as an element to determine the degree of detail of the relevant and reasoned objection in a more flexible way.

The EDPB would first like to emphasise that the focus of all SAs involved (LSA and CSAs) should be on eliminating any deficiencies in the consensus-finding process in such a way that a consensual draft decision is the result. Whilst acknowledging that raising an objection is not the most preferable tool to remedy an insufficient degree of cooperation in the preceding stages of the one-stop-shop proceeding, the EDPB nevertheless acknowledges that it is an option open to CSAs. This would be a last resort to also remedy (alleged) deficiencies in terms of CSAs’ involvement by the LSA in the process that should have led to a consensus-based draft decision, including as regards the legal reasoning and the scope of the investigations carried out by the LSA in respect of the case at hand.

The GDPR requires the CSA to justify its position on the LSA’s draft decision by submitting an objection that is “relevant” and “reasoned”. It is crucial to bear in mind that the two requirements, “reasoned” and “relevant”, are to be deemed cumulative, i.e. both of them have to be met. Consequently, Article 60(4) requires the LSA to submit the matter to the EDPB consistency mechanism when it is of the opinion that the objection does not meet at least one of the two elements.

The EDPB strongly advises the SAs to raise their objections and exchange information through the information and communication system set up for the exchange of information among SAs. They should be clearly marked as such by using the specific dedicated functions and tools.

Link

CJEU caselaw

C-230/14 (1 october 2015)

1.      Article 4(1)(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as permitting the application of the law on the protection of personal data of a Member State other than the Member State in which the controller with respect to the processing of those data is registered, in so far as that controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity — even a minimal one — in the context of which that processing is carried out.

In order to ascertain, in circumstances such as those at issue in the main proceedings, whether that is the case, the referring court may, in particular, take account of the fact (i) that the activity of the controller in respect of that processing, in the context of which that processing takes place, consists of the running of property dealing websites concerning properties situated in the territory of that Member State and written in that Member State’s language and that it is, as a consequence, mainly or entirely directed at that Member State, and (ii) that that controller has a representative in that Member State, who is responsible for recovering the debts resulting from that activity and for representing the controller in the administrative and judicial proceedings relating to the processing of the data concerned.

By contrast, the issue of the nationality of the persons concerned by such data processing is irrelevant.

2.      Where the supervisory authority of a Member State, to which complaints have been submitted in accordance with Article 28(4) of Directive 95/46, reaches the conclusion that the law applicable to the processing of the personal data concerned is not the law of that Member State, but the law of another Member State, Article 28(1), (3) and (6) of that directive must be interpreted as meaning that that supervisory authority will be able to exercise the effective powers of intervention conferred on it in accordance with Article 28(3) of that directive only within the territory of its own Member State. Accordingly, it cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in that territory, but should, in accordance with Article 28(6) of that directive, request the supervisory authority within the Member State whose law is applicable to act.

3.      Directive 95/46 must be interpreted as meaning that the term ‘adatfeldolgozás’ (technical manipulation of data), used in the Hungarian version of that directive, in particular in Articles 4(1)(a) and 28(6) thereof, must be understood as having the same meaning as that of the term ‘adatkezelés’ (data processing).

Opinion of Advocate general

Judgment of the Court

Regulation
1e 2e

Art. 60

1.   The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.

2.   The lead supervisory authority may request at any time other supervisory authorities concerned to provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article 62, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.

3.   The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.

4.   Where any of the other supervisory authorities concerned within a period of four weeks after having been consulted in accordance with paragraph 3 of this Article, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned, submit the matter to the consistency mechanism referred to in Article 63.

5.   Where the lead supervisory authority intends to follow the relevant and reasoned objection made, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion. That revised draft decision shall be subject to the procedure referred to in paragraph 4 within a period of two weeks.

6.   Where none of the other supervisory authorities concerned has objected to the draft decision submitted by the lead supervisory authority within the period referred to in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to be in agreement with that draft decision and shall be bound by it.

7.   The lead supervisory authority shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be and inform the other supervisory authorities concerned and the Board of the decision in question, including a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant on the decision.

8.   By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.

9.   Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, shall notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint, and shall notify it to that complainant and shall inform the controller or processor thereof.

10.   After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.

11.   Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply.

12.   The lead supervisory authority and the other supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standardised format.

1st proposal close

No specific provision

2nd proposal close

Art. 54a

1. The lead supervisory authority (…) shall cooperate with the other concerned supervisory authorities in accordance with this article in an endeavour to reach consensus (…). The lead supervisory authority and the concerned supervisory authorities shall exchange all relevant information with each other.

1a. The lead supervisory authority may request at any time other concerned supervisory authorities to provide mutual assistance pursuant to Article 55 and may conduct joint operations pursuant to Article 56, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.

2. The lead supervisory authority shall, without delay communicate the relevant information on the matter to the other concerned supervisory authorities. It shall without delay submit a draft decision to the other concerned supervisory authorities for their opinion and take due account of their views.

3. Where any of the other concerned supervisory authorities within a period of four weeks after having been consulted in accordance with paragraph 2, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the objection or is of the opinion it is not relevant and reasoned, submit the matter to the consistency mechanism referred to in Article 57. (…)

3a. Where the lead supervisory authority intends to follow the objection made, it shall submit to the other concerned supervisory authorities a revised draft decision for their opinion. This revised draft decision shall be subject to the procedure referred to in paragraph 3 within a period of two weeks.

4. Where none of the other concerned supervisory authority has objected to the draft decision submitted by the lead supervisory authority within the period referred to in paragraphs 3 and 3a, the lead supervisory authority and the concerned supervisory authorities shall be deemed to be in agreement with this draft decision and shall be bound by it.

4a. The lead supervisory authority shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be and inform the other concerned supervisory authorities and the European Data Protection Board of the decision in question including a summary of the relevant facts and grounds. The supervisory authority to which a complaint has been lodged shall inform the complainant on the decision.

4b. By derogation from paragraph 4a, where a complaint is dismissed or rejected, the supervisory authority to which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.

4bb. Where the lead supervisory authority and the concerned supervisory authorities are in agreement to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter.The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller and notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint and notify it on that complainant and shall inform the controller or processor thereof.

4c. After being notified of the decision of the lead supervisory authority pursuant to paragraph 4a and 4bb, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards the processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other concerned supervisory authorities.

4d. Where, in exceptional circumstances, a concerned supervisory authority has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 61 shall apply.

5. The lead supervisory authority and the other concerned supervisory authorities shall supply the information required under this Article (…) to each other by electronic means, using a standardised format.

Directive close

Art. 28

(...)

6. Each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority of another Member State.

The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.

(...). 

65. § *  (1) Harmadik országok hatóságaival és nemzetközi szervezetekkel a Hatóság - különösen az általános adatvédelmi rendelet 50. cikkében és a 2016/680 (EU) irányelv 40. cikkében meghatározottak szerint, az ott előírt módon - együttműködik.

(2) Az (1) bekezdésben foglalt együttműködés keretében a Hatóság jogsegély érdekében harmadik ország hatóságához vagy nemzetközi szervezethez fordulhat, és - a 67. §-ban foglalt kivétellel - teljesíti a harmadik ország hatóságától vagy nemzetközi szervezettől érkező jogsegélykérelmet, ha a harmadik ország vagy nemzetközi szervezet és Magyarország közötti közigazgatási jogsegélyegyezmény, más nemzetközi szerződés, jogszabály vagy az Európai Unió jogi aktusa ezt lehetővé teszi.

66. § *  A Hatóság megtagadja a harmadik ország hatóságától vagy nemzetközi szervezettől érkező jogsegélykérelem teljesítését és a megtagadás indokairól tájékoztatja a harmadik ország hatóságát, illetve a nemzetközi szervezetet, ha a jogsegélykérelem teljesítése

a) nem tartozik a feladat- és hatáskörébe,

b) sértené Magyarország nemzetbiztonsági érdekeit vagy a közbiztonságot,

c) sértené az ügyben érintett személy alapvető jogát, vagy

d) jogszabályba ütközne.

67. § *  (1) EGT-állam felügyeleti hatóságaival a Hatóság az Európai Unió kötelező jogi aktusában meghatározott módokon, így különösen az általános adatvédelmi rendelet 61. cikkében és a 2016/680 (EU) irányelv 50. cikkében meghatározott kölcsönös segítségnyújtás keretei között, az ott előírt módon együttműködik.

(2) Az általános adatvédelmi rendelet 62. cikkében meghatározott módon, az EGT-állam felügyeleti hatóságával közösen végzett műveletek során

a) a Hatóság személyi állományába tartozó, a Hatóság elnöke által a közös műveletben való közreműködésre kijelölt köztisztviselő a más EGT-állam területén, a más EGT-állam felügyeleti hatósága által átruházott feladat- és hatáskörök,

b) a más EGT-állam felügyeleti hatósága feladat- és hatáskörében eljáró és e felügyeleti hatóság által kijelölt személy Magyarország területén a Hatóság elnöke által írásban meghatározott terjedelemben a Hatóság feladat- és hatáskörének

gyakorlásában közreműködik.

(3) A (2) bekezdés b) pontjában meghatározott személy eljárására a magyar jog az irányadó.

68. § *  Ha a harmadik ország vagy más EGT-állam hatóságától, illetve nemzetközi szervezettől érkező - a Hatóság folyamatban lévő eljárásához közvetlenül nem kapcsolódó - megkeresés teljesítéséhez adatok, iratok beszerzése, vagy más eljárási cselekmény lefolytatása szükséges, a Hatóság e célból hatósági ellenőrzést végez. Ilyen esetben az ellenőrzés a Hatóságnak a beszerzett bizonyítékok átadásáról szóló végzésével zárul.

Old law close

Legal status of the Authority

§ 38 Data Protection Act

[...]

(4) Within its scope of responsibilities conferred under Subsection (2), the Authority:

[...]

e) shall collaborate with the bodies and persons defined in specific other legislation to represent Hungary in the common supervisory bodies of the European Union for data protection;

[...]

close