Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned
Article 60 requires effective cooperation and information exchange between the lead supervisory authority (LSA) and other concerned supervisory authorities for cross-border GDPR matters, with the goal of reaching consensus. To operationalize it, you need a repeatable regulator-engagement procedure: identify your LSA, triage cross-border cases, package “all relevant information,” and maintain an auditable record of submissions and decisions. (Regulation (EU) 2016/679, Article 60)
Key takeaways:
- Stand up a single “Article 60 case file” workflow for cross-border matters, with clear owners and decision rights.
- Pre-build evidence packets so you can exchange “all relevant information” quickly and consistently. (Regulation (EU) 2016/679, Article 60)
- Track regulator communications, drafts, objections, and final outcomes as formal records, not email fragments.
Article 60 is a regulator-to-regulator cooperation mechanism, but it creates real operational expectations for organizations involved in cross-border processing. If you are a controller or processor with establishments in multiple EU/EEA Member States, or you materially affect data subjects in multiple Member States, your “home” supervisory authority may act as the lead supervisory authority (LSA) and coordinate with other “concerned” authorities. Your job is to be ready when the LSA requests information, to respond with complete and consistent records, and to avoid chaos caused by conflicting messages across jurisdictions.
Practically, Article 60 readiness looks like disciplined case management: one intake path, one canonical set of facts, one evidence packet, and one narrative that matches your records of processing, contracts, technical controls, and incident timelines. The failure mode is also predictable: teams treat regulator inquiries as ad hoc legal firefighting, discover too late that different countries received different answers, and cannot produce a clean audit trail showing what was shared and why.
This page converts Article 60’s core requirement into an execution model a CCO, DPO, or GRC lead can put in place fast, then run repeatedly. (Regulation (EU) 2016/679, Article 60)
Regulatory text
Excerpt (provided): “The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.” (Regulation (EU) 2016/679, Article 60)
Operator interpretation (what you must be ready to do):
- Expect coordinated regulatory handling for cross-border matters, where your LSA may request information that will be shared with other concerned authorities. (Regulation (EU) 2016/679, Article 60)
- Provide “all relevant information” in a form that is complete, consistent, and timely enough to support consensus building between authorities. (Regulation (EU) 2016/679, Article 60)
- Maintain an auditable record of what you provided, when, by whom, under what review/approval, and how it maps to the underlying systems and processing activities.
Article 60 speaks to supervisory authorities, but you operationalize it by building a regulator-response capability that assumes multi-authority scrutiny and information sharing.
Plain-English requirement (requirement-level)
If you have a cross-border GDPR matter (complaint, investigation, breach, or major compliance review), supervisory authorities will coordinate. Your organization must be able to:
- identify the correct lead authority context for the matter,
- assemble and share a complete set of relevant facts and evidence through the LSA channel, and
- keep your story consistent across stakeholders, time, and jurisdictions.
Who it applies to
In-scope entities
- Controllers and processors subject to GDPR that participate in cross-border processing or cross-border regulatory matters. (Regulation (EU) 2016/679)
In-scope operational contexts (common triggers)
- Data subject complaints affecting individuals in more than one Member State.
- Cross-border security incidents or breach notifications where impact spans multiple Member States.
- Large processing changes (new product, new data categories, new third parties) that draw regulator attention across jurisdictions.
- Investigations where you have multiple establishments, so that the location of the “main establishment” and of decision-making matters for identifying the LSA.
What you actually need to do (step-by-step)
1) Establish your Article 60 “role-and-scope register”
Create a lightweight register that answers, for each major processing domain:
- Controller vs. processor role (and joint controller where applicable).
- Establishments involved (legal entities, countries).
- Systems in scope (authoritative sources of truth).
- Data categories and data subject geographies.
- Primary internal owners (product, security, legal, privacy).
Why this matters: Article 60 coordination depends on clean facts. If you cannot confidently state “who decides” and “where decisions are made,” your LSA handling can stall or become inconsistent.
Daydream fit: Use Daydream to keep this register tied to your system inventory and third-party list so the “relevant information” packet is assemble-ready instead of rebuilt each time.
2) Define a regulator engagement SOP specific to cross-border matters
Write a short operating procedure that is invoked on specific triggers:
- Regulatory inquiry referencing cross-border impacts
- Any investigation/complaint involving multiple Member States
- Any incident likely to require notifications in multiple jurisdictions
Your SOP should name:
- Case Owner: usually DPO/Privacy Lead or Regulatory Counsel.
- Evidence Owner: GRC/IRM lead who coordinates artifacts.
- Technical Fact Owner: security or engineering incident lead.
- Final Approver: CCO/GC (choose one accountable executive).
Include clear “single-voice” rules:
- No local teams respond directly to any authority without routing through the case owner (unless legally required in a specific scenario, then document the exception).
- One canonical timeline and one canonical fact set stored in a controlled repository.
3) Build an “all relevant information” evidence packet template
Article 60 requires exchange of “all relevant information” between authorities. Your operational answer is a standardized packet you can tailor per case. (Regulation (EU) 2016/679, Article 60)
Include these sections:
- Matter summary: what happened / what is being assessed, scope, affected products.
- Processing map: purposes, lawful bases (if controller), or instructions and DPAs (if processor).
- System and data inventory extracts: where the data is stored/processed; key logs available.
- Third parties: sub-processors/third parties involved, contracts, data flows.
- Controls evidence: security and privacy controls relevant to the allegation (access control, retention, deletion, DSAR handling, etc.).
- Timeline: events, detection, containment, communications.
- Decisions and rationale: what you decided, who approved, and why.
- Corrective actions: status, owners, target completion dates (your targets, not regulatory claims).
Make the template strict about versioning and attachments. Auditors and regulators look for a tight chain between your narrative and the underlying records.
4) Implement case management and recordkeeping
Run every cross-border matter as a managed case:
- Unique case ID
- Communication log (inbound/outbound)
- Submission versions and dates
- Review/approval record
- Artifact index (what was shared)
Do not allow critical facts to live only in email threads. Store final messages and attachments in a controlled repository with access logging.
5) Run “consistency checks” before submissions
Before any response goes out via the LSA:
- Verify names of legal entities, controllers/processors, and establishments.
- Reconcile dates/times across teams (incident response, privacy, customer support).
- Confirm that contracts and DPAs match the described roles and data flows.
- Confirm that your RoPA, system inventory, and any security incident report tell the same story.
A practical approach: require a short pre-submit checklist sign-off by Privacy + Security + Legal.
6) Train the teams that will be pulled into Article 60 matters
Focus training on:
- What “cross-border” means operationally (multiple Member States, multiple establishments, multi-authority scrutiny).
- Single-voice rule and escalation paths.
- Evidence handling: drafts vs. final, no speculative language, link every claim to a record.
Required evidence and artifacts to retain
Maintain an “Article 60 evidence packet” per matter:
- LSA identification notes and rationale (how you determined lead vs. concerned authorities in context).
- All regulator correspondence and meeting notes (date, attendees, topics).
- The exact information you provided (final versions) and a version history.
- Artifact index mapping each assertion to evidence (logs, screenshots, policies, contracts).
- Internal approvals (who reviewed, who authorized submission).
- Exception log (any direct local authority communications and why).
- Remediation plan and progress evidence (tickets, change records, revised procedures).
If you use Daydream, structure a workspace per matter with a fixed artifact schema so you can reproduce the same defensible output every time.
Common exam/audit questions and hangups
Expect questions like:
- “Who is your lead supervisory authority for this processing area, and how did you determine it?”
- “Show the complete set of information you provided to the authority and the supporting evidence.”
- “How do you ensure statements to regulators are consistent across countries and teams?”
- “Where is the official timeline maintained, and who is accountable for it?”
- “Show how you identify relevant systems and third parties for a cross-border matter.”
Hangups examiners frequently find:
- Conflicting controller/processor statements across contracts, privacy notices, and internal docs.
- Missing system-of-record for incident timelines.
- Inability to produce the “final sent” version of a response with attachments intact.
- Local teams freelancing responses.
Frequent implementation mistakes (and how to avoid them)
- Treating Article 60 as “regulator-only.” Fix: Build the case workflow anyway. The operational burden falls on you to supply “relevant information” that holds up across authorities. (Regulation (EU) 2016/679, Article 60)
- No canonical repository for regulator interactions. Fix: One controlled folder or GRC case record per matter; prohibit key facts living only in chat/email.
- Unclear role decisions (controller vs. processor). Fix: Keep a role-and-scope register and require review when products or third parties change.
- Evidence packet assembled from scratch each time. Fix: Maintain a template and a current system inventory, third-party inventory, and processing map that can be pulled quickly.
- Inconsistent timelines. Fix: One “gold timeline” document with change control, referenced by all functions.
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement, so this page does not cite specific cases.
Operational risk still concentrates in three areas:
- Regulatory credibility risk: inconsistent or incomplete information can expand the scope and duration of investigations.
- Multi-jurisdiction coordination risk: cross-border matters naturally create internal fragmentation; Article 60 coordination amplifies the impact of inconsistent answers. (Regulation (EU) 2016/679, Article 60)
- Auditability risk: inability to show what you shared and why weakens defensibility during supervisory follow-ups and customer due diligence.
Practical execution plan (30/60/90-day)
First 30 days (stand up the minimum viable capability)
- Assign owners (Case Owner, Evidence Owner, Technical Fact Owner, Approver) and publish the escalation path.
- Draft the cross-border regulator engagement SOP with single-voice rules.
- Create the Article 60 evidence packet template and pre-submit checklist.
- Start the role-and-scope register for top processing areas and top third parties.
Days 31–60 (make it repeatable)
- Pilot the workflow with a tabletop exercise: simulate a cross-border complaint or incident and produce a full evidence packet.
- Connect your system inventory and third-party inventory to the packet template (exportable lists, authoritative owners).
- Define record retention and access controls for regulator case files (who can view, who can edit).
Days 61–90 (operate and harden)
- Train privacy, security, support, and regional teams on the SOP and escalation rules.
- Add quality controls: mandatory reconciliation of timelines and role statements before submission.
- Run a second tabletop with a different scenario (third-party processor involvement, multi-establishment facts).
- Implement continuous improvement: after each real matter, update templates, checklists, and register fields based on what regulators asked for.
Frequently Asked Questions
Does Article 60 impose direct duties on my company or only on supervisory authorities?
The legal duty to “cooperate” is stated for supervisory authorities, but you still need operational readiness to provide complete and consistent information through the LSA for cross-border matters. The practical requirement is an auditable regulator-response process aligned to coordinated oversight. (Regulation (EU) 2016/679, Article 60)
How do I know whether a matter is “cross-border” and likely to invoke Article 60 coordination?
Treat it as cross-border when multiple Member States are implicated by the processing, impact, establishments, or affected data subjects. Your SOP should include a triage step that flags multi-country impact and routes the matter to a single case owner.
What does “all relevant information” mean in practice?
Provide a complete fact set that substantiates your narrative: processing description, systems, data categories, third parties, timelines, and control evidence. Build a standard evidence packet so you can respond consistently and show traceability from claims to records. (Regulation (EU) 2016/679, Article 60)
Can local country teams respond directly to their supervisory authority?
Create a default rule that responses route through the case owner to prevent inconsistent statements across jurisdictions. If a local response is legally required or time-critical, document the exception, preserve the exact message, and reconcile it into the canonical case file.
We’re primarily a processor. Does Article 60 still matter?
Yes. Processors can still be involved in cross-border matters through client incidents, investigations, or complaints where your services affect data subjects in multiple Member States. Keep your processor evidence ready: DPAs, instructions, sub-processor list, technical and organizational measures, and incident timelines.
What should I show in an audit to prove we can support Article 60 cooperation?
Show the SOP, the role-and-scope register, a completed evidence packet from a tabletop or prior matter, your communication log, and proof of approvals/version control. Auditors want repeatability and record integrity more than polished policy language.