Lead supervisory authority
In cross-border data processing, the lead supervisory authority is the single competent authority under the one-stop-shop principle, located where the controller or processor has its main establishment.
When a company processes personal data across EU borders, the GDPR creates a single point of contact through the one-stop-shop principle: the lead supervisory authority. Under Art. 56 GDPR this is the supervisory authority of the member state in which the controller or processor has its main establishment. Cross-border processing exists where a company maintains establishments in several member states, or where the processing substantially affects data subjects in more than one member state.
The decisive factor is the place of central administration, or the establishment where the essential decisions on the purposes and means of processing are actually taken (Art. 4(16) GDPR). The lead authority coordinates the procedure with the other supervisory authorities concerned, conducts cross-border investigations and, as a rule, issues the binding decision. Where the authorities disagree, the consistency mechanism under Art. 60 et seq. GDPR applies, with binding dispute resolution by the European Data Protection Board as the final instance.
The one-stop-shop principle eases the burden on companies because they generally have to deal with only a single supervisory authority. It does not, however, apply without exception: for purely local matters or complaints affecting only one member state, the local authority may act itself under Art. 56(2) GDPR. Public-sector bodies likewise remain subject to their respective national supervision. Companies should therefore carefully document their main establishment and be able to demonstrate where central administration and decision-making authority lie.
Legal Basis
Art. 56, Art. 4(16), Art. 60 et seq. GDPR
Practical Example
A group headquartered in Frankfurt operates sales companies in France, Spain and Poland and processes customer data centrally via a CRM platform hosted in Germany. When the data protection officer receives a complaint from Madrid, he establishes that the essential decisions on the processing are taken at the Frankfurt headquarters. The Hessian data protection authority is therefore the lead authority; it coordinates the procedure with the Spanish authority, so the group has only one point of contact.