Procedures for the cooperation of data protection supervisory authorities in Germany and Europe according to the GDPR

Data protection authorities in whose area of competence further establishments of the controller are located are referred to as "supervisory authorities concerned". In addition, this designation applies to supervisory authorities with whom data subjects have lodged complaints or to authorities whose local competence covers an area where data subjects are residing who are likely to be substantially affected by the processing. At the beginning of each cooperation procedure, the data protection supervisory authorities clarify among themselves who is the lead supervisory authority and who are the supervisory authorities concerned.

In Germany, the independent German federal and data protection authorities of the federal states ("Länder") take part in the cooperation procedure. If necessary, they will be assisted by the Single Contact Point (ZASt), for example in determining the competent German data protection supervisory authority/authorities or in clarifying national competence.

This is followed by the actual substantive case processing, for which the lead and data protection supervisory authorities concerned exchange information on an ongoing basis. Subsequently the lead data protection supervisory authority shall submit a draft decision on how it intends to close the procedure towards the controller (by discontinuing proceedings or issuing corrective measures according to Art. 58(2) GDPR).

If no consensus on the question which data protection supervisory authority is the lead supervisory authority or on the draft decision is reached at European level in the cooperation procedure, the consistency mechanism (Art. 63 et seq. GDPR) and in particular, the dispute resolution procedure (Art. 65 GDPR) must be carried out. In practice, this procedure is most commonly initiated if a data protection supervisory authority concerned objects to the draft decision of the lead data protection supervisory authority and the latter does not agree with the objection. In this case, the European Data Protection Board (EDPB), in which the European data protection supervisory authorities have one vote per Member State, and the European Data Protection Supervisor is entitled to vote, will decide.

In the EDPB, Germany is represented by the joint representative or his deputy. If a common position on a voting item is drawn up by the Federal and "Länder" data protection supervisory authorities according to Section 18 Federal Data Protection Act (BDSG), this must be the basis for the negotiations in the EDPB.

In order to determine the common position, the federal and "Länder" data protection supervisory authorities cooperate with each other with the aim of reaching a consensual positioning. If this fails, a graduated decision-making procedure (Section 18 BDSG) takes place. The German position is ultimately determined by a majority decision. This process of national decision-making is coordinated by the Single Contact Point (ZASt)

After the vote, the EDPB adopts a binding decision. If the objections are successful, the lead data protection supervisory authority is instructed to adjust the draft decision accordingly.

The procedure ends with the lead data protection supervisory authority issuing its own decision, adapted if necessary, to the controller. If the procedure was based on a complaint and the complaint was unsuccessful in whole or in part, the data protection supervisory authority with whom the complaint was lodged shall issue the decision to the complainant. This will enable the latter to have the decision reviewed in the courts of the Member State where the complaint was lodged.

In addition to clarifying individual issues in the dispute resolution procedure, the EDPB also ensures the consistent application of the GDPR in other cases relating to the consistency mechanism. This is achieved by issuing opinions, for example in matters producing effects in more than one Member State (Art. 64 GDPR) or following temporary provisional measures adopted by data protection supervisory authorities (Art. 66 GDPR).