Chapter 15: Cooperation and consistency – Unlocking the EU General Data Protection Regulation | White & Case LLP International Law Firm, Global Law Practice
EU General Data Protection Regulation (GDPR): EU's new data protection law

Chapter 15: Cooperation and consistency – Unlocking the EU General Data Protection Regulation

Previous Chapter | Next Chapter | Index of Chapters


Why does this topic matter to organisations?

Under the Directive, organisations are obliged to deal with a separate DPA for each Member State whose laws apply to them. This has meant that businesses faced a range of inconsistent compliance requirements across the EU, often resulting in complexity and unpredictability. The GDPR is intended to create a more uniform approach to the regulation of data processing activities across the EU.

What types of organisations are most affected?

All organisations that are subject to the laws of multiple Member States are affected by the Consistency Mechanism and related rules regarding cooperation among DPAs, as set out below.

What should organisations do to prepare?

Organisations that operate in, or are subject to the laws of, multiple Member States should:

  • ensure that they understand the role of the "lead DPA" and the concept of the "One‑Stop-Shop" (see Chapter 14); and
  • ensure that they can identify the lead DPA and are familiar with the enforcement approach generally taken by the lead DPA.


Icons are used below to clarify the impact of each GDPR change. These GDPR impact icons are explained here.


Detailed analysis


The Directive




The Consistency Mechanism

The core aim of the Consistency Mechanism is to ensure that EU data protection law is enforced uniformly across all Member States



Under the Directive, organisations operating in more than one Member State deal with the DPA in each Member State in which such an organisation operates.

materially changes

Rec.132-134; Art.63, 64(2)

DPAs across all Member States are required to co‑operate with each other and with the EDPB and the Commission, to ensure consistent application of the GDPR.


The GDPR provides for mandatory cooperation between national DPAs and provides that cases considered to have an impact in more than one Member State may be referred to the EDPB. This should help to ensure that organisations face more consistent compliance requirements across the EU.


Opinion of the EDPB

Even if the applicable national data protection laws set similar standards across all Member States, enforcement requirements, attitudes, and standards may vary from Member State to Member State. Ensuring similar enforcement standards is a core issue for EU data protection law.



The Directive does not provide for DPAs to submit their decisions to a central authority.

materially changes

Rec.136; Art.64

DPAs must submit a draft to the EDPB before taking any of the following measures:

The EDPB may examine each such measure and issue an opinion where the matter in question affects multiple Member States. The relevant DPA must take "utmost account" of the EDPB's opinion in proceeding with its decision.


DPAs are required to submit to the EDPB decisions that are likely to affect data subjects or organisations in multiple Member States. In theory, this will ensure that DPAs take decisions in a manner that is consistent with the approach that the other affected DPAs would take on the same issues, resulting in a more consistent application of the law across the EU.



Involving the EDPB as a new step in the decision-making process may result in additional delays.


Dispute resolution by the EDPB

Where DPAs disagree with one another there is a risk of inconsistent application of data protection law across the EU. Allowing a central authority to make binding decisions reduces this risk.



The Directive does not provide for a central authority to make decisions that are binding on DPAs.

materially changes

Rec.136; Art.65

Where DPAs disagree about key data protection law issues, the EDPB will issue a binding decision, which must then be adopted by the Concerned DPA(s) within one month of notification of the EDPB's decision.


Resolution of disputes by the EDPB should ensure a more consistent application of the GDPR.


Urgency procedure

One drawback of requiring DPAs to refer enforcement issues to a central authority is that this may lead to delays. In many cases, the delay might not prejudice the outcome of the proceedings, but there is a risk that, in some cases, it may do so. Therefore, there is a need to allow for more rapid decisions in cases of urgency.



The Directive does not directly address this issue.

materially changes

Rec.137; Art.66

Where a DPA considers there to be an urgent need to act to protect data subjects' rights, it may immediately adopt provisional measures for up to three months. A full explanation should be provided to other Concerned DPAs, the EDPB and the Commission. Urgent opinions may also be requested from the EDPB.


This provision allows urgent measures to be taken by DPAs in exceptional circumstances. The inclusion of the EDPB in the decisionmaking process may result in delays, but the urgency procedure reduces this risk, to a certain extent.


Exchange of information

In order to ensure that EU data protection law is applied consistently, it is important to ensure that DPAs and the EDPB are communicating clearly.



The Directive does not directly address this issue.

materially changes

Rec.116, 168; Art.47(3), 50, 60(1), 61(3), (9), 67, 70(c), (u)-(w)

The Commission may implement acts which specify arrangements for electronic exchange of information between DPAs and the EDPB. The EDPB may advise on these issues.


This provision is designed to ensure a free flow of information between Concerned DPAs and the EDPB.


Further analysis

Commentary: DPAs still have exclusive competence to regulate processing of data that only affects their own Member State

Under the GDPR, where an organisation's data processing activities only affect data subjects in a single Member State, only the DPA for that Member State has authority to enforce the GDPR against that organisation. For example, if a small business only processes the personal data of its own employees, and only has customers in its home Member State, it will generally only be regulated by its own DPA. However, a larger business that has customers all over the EU, may find itself subject to regulatory actions taken by multiple DPAs.

Organisations can minimise the difficulties that arise from dealing with multiple DPAs by ensuring that they benefit from the One‑Stop‑Shop (see Chapter 14).

Case law: Ability of DPAs to take action affecting other Member States

In October 2015, the CJEU issued its decision in the case of Weltimmo v Nemzeti (Case C-230/14). In that decision, the CJEU stated that each DPA is responsible for applying the Directive (as implemented through the national laws of Member States) in its own Member State. But where a controller in one Member State engages in processing affecting data subjects in another Member State, the DPA in the latter Member State may be able to take enforcement action against the controller (although only the DPA in the first Member State would have the power to fine the controller or issue formal sanctions against it).

The GDPR streamlines this approach by requiring DPAs to work together in cases of processing that affects multiple Member States (see Chapter 15). How this will work in practice remains to be seen.

Commentary: Oversight by the EDPB

Because the EDPB does not yet exist, and because the provisions governing the Consistency Mechanism and oversight by the EDPB are not effective yet, it is unclear how the EDPB will fulfil its role in resolving disputes between DPAs. Current practice indicates that there are likely to be many cases in which DPAs have different opinions about the correct application of EU data protection law (see, for example, the significantly divergent views of DPAs following the CJEU's decision in Schrems). Where DPAs disagree, the EDPB may be called in to adjudicate under Art.64. Given the potentially high numbers of disagreements, and the length of time it may take for DPAs and the EDPB to familiarise themselves with this mechanism, there may be delays until the EDPB's processes work smoothly.


Chapter 16: Remedies and sanctions


Unlocking the EU General Data Protection Regulation:
A practical handbook on the EU's new data protection law


Chapter 1: Introduction

Chapter 2: Preparing for the GDPR

Chapter 3: Subject matter and scope

Chapter 4: Territorial application

Chapter 5: Key definitions

Chapter 6: Data Protection Principles

Chapter 7: Lawful basis for processing

Chapter 8: Consent

Chapter 9: Rights of data subjects

Chapter 10: Obligations of controllers

Chapter 11: Obligations of processors

Chapter 12: Impact assessments, DPOs and Codes of Conduct

Chapter 13: Cross-Border Data Transfers

Chapter 14: Data Protection Authorities

Chapter 15: Cooperation and consistency

Chapter 16: Remedies and sanctions

Chapter 17: Issues subject to national law

Chapter 18: Relationships with other laws

Chapter 19: Transitional provisions

Chapter 20: Glossary

Our Global Data, Privacy & Cyber Security Practice


If you would like to request a hard copy of this Handbook, please do so here.


This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 White & Case LLP