Cooperation and Consistency Mechanisms under the GDPR: A Comprehensive Guide for CIPP/E Exam Preparation
Introduction
The General Data Protection Regulation (GDPR) was designed not only to harmonize data protection law across the European Economic Area (EEA), but also to ensure that this harmonization is applied consistently in practice. One of the most critical structural innovations of the GDPR is the establishment of Cooperation and Consistency Mechanisms, found primarily in Chapter VII (Articles 60–76) of the Regulation. These mechanisms are essential for ensuring that supervisory authorities (SAs) across different Member States work together effectively and that the GDPR is interpreted and enforced uniformly. For anyone preparing for the CIPP/E certification exam, a thorough understanding of these mechanisms is indispensable.
Why Are Cooperation and Consistency Mechanisms Important?
Before the GDPR, the Data Protection Directive (95/46/EC) led to a fragmented regulatory landscape. Each Member State implemented the Directive differently, and supervisory authorities operated largely in isolation. This created inconsistencies in enforcement, regulatory arbitrage (where companies established themselves in jurisdictions with weaker enforcement), and confusion for both data subjects and organizations operating across borders.
The GDPR addresses these problems through two interrelated sets of mechanisms:
1. Cooperation mechanisms — ensuring supervisory authorities collaborate on cross-border cases.
2. Consistency mechanisms — ensuring uniform application of the GDPR across the EEA through the European Data Protection Board (EDPB).
Together, these mechanisms serve several vital purposes:
• Uniform enforcement: They prevent divergent interpretations of the GDPR in different Member States.
• Legal certainty: Organizations operating across borders can rely on a more predictable regulatory environment.
• Protection of data subjects: Individuals benefit from consistent protections regardless of where their data is processed or where the controller/processor is established.
• Efficient dispute resolution: They provide structured processes for resolving disagreements between supervisory authorities.
• One-stop-shop principle: They support the practical operation of the one-stop-shop mechanism by defining how the lead supervisory authority and concerned supervisory authorities interact.
What Are Cooperation Mechanisms?
Cooperation mechanisms are set out primarily in Articles 60–62 of the GDPR. They govern how supervisory authorities must work together, particularly in cross-border processing cases.
1. The One-Stop-Shop Mechanism and the Lead Supervisory Authority (Article 56)
While technically covered in Chapter VI, the one-stop-shop mechanism is the foundation upon which cooperation mechanisms operate. Under this principle:
• A controller or processor with establishments in multiple Member States deals primarily with one lead supervisory authority (LSA) — typically the SA of the Member State where the organization has its main establishment.
• The main establishment is generally the place of the organization's central administration in the EU, or the establishment where decisions about the purposes and means of processing are made.
• Other supervisory authorities that are affected by the processing (because data subjects in their territories are substantially affected) are known as concerned supervisory authorities (CSAs).
2. Cooperation Between Lead and Concerned Supervisory Authorities (Article 60)
Article 60 is one of the most important provisions for exam purposes. It sets out the procedure by which the LSA and CSAs cooperate:
• The LSA must cooperate with CSAs in an effort to reach consensus on cross-border cases.
• The LSA prepares a draft decision and shares it with all CSAs.
• CSAs have four weeks to express a relevant and reasoned objection to the draft decision. If no objection is raised, the LSA and CSAs are deemed to agree, and the LSA adopts the decision.
• If a relevant and reasoned objection is raised and the LSA does not follow it, the matter is referred to the consistency mechanism (specifically, to the EDPB for a binding decision under Article 65).
• The LSA must endeavour to reach consensus with CSAs before finalizing any decision.
Key term: A "relevant and reasoned objection" is defined in Article 4(24) as an objection to a draft decision that clearly identifies the risks posed by the draft decision regarding the fundamental rights and freedoms of data subjects, and where applicable, the free flow of personal data within the EU.
3. Mutual Assistance (Article 61)
Supervisory authorities are required to provide mutual assistance to each other. This includes:
• Sharing relevant information with other SAs.
• Taking measures to cooperate effectively, including investigative measures.
• Responding to requests from other SAs without undue delay and no later than one month after receiving the request.
• An SA may not refuse to comply with a request unless it is not competent for the subject matter, or compliance would infringe the GDPR or EU/Member State law.
• If an SA does not respond within one month, the requesting SA may adopt a provisional measure on its own territory and refer the matter to the EDPB under the urgency procedure (Article 66).
4. Joint Operations (Article 62)
Supervisory authorities may conduct joint operations, including joint investigations and joint enforcement measures. Key points include:
• Where processing affects data subjects in multiple Member States, the competent SA may invite other SAs to participate in joint operations.
• The host SA (the SA of the Member State where the operation takes place) may grant investigatory powers to members or staff of the guest SAs, in accordance with the host Member State's law.
• If a guest SA's member is operating on the territory of a host SA, the host SA's law applies regarding liability.
What Are Consistency Mechanisms?
Consistency mechanisms are set out in Articles 63–67 of the GDPR and involve the European Data Protection Board (EDPB) as the central institution ensuring uniform application of the GDPR.
1. The Consistency Mechanism (Article 63)
Article 63 establishes the general principle: the consistency mechanism exists to ensure the consistent application of the GDPR throughout the EU. The EDPB plays the central role in this mechanism.
2. Opinion of the EDPB (Article 64)
The EDPB issues opinions in certain situations to ensure consistency. Article 64 requires that any competent SA must submit its draft decision to the EDPB when:
• It aims to adopt a list of processing operations subject to a Data Protection Impact Assessment (DPIA) under Article 35(4).
• It relates to a matter concerning whether a code of conduct or an amendment/extension of a code of conduct complies with the GDPR (Article 40).
• It aims to approve criteria for accreditation of a certification body (Article 41) or a monitoring body for codes of conduct (Article 41).
• It aims to determine standard data protection clauses (Article 46(2)(d)).
• It aims to approve binding corporate rules (BCRs) (Article 47).
• Any matter of general application or producing effects in more than one Member State.
The EDPB must issue its opinion within eight weeks (extendable by six weeks for complex matters). The SA must take utmost account of the EDPB's opinion and communicate to the EDPB Chair whether it intends to maintain or amend its draft decision within two weeks.
3. Dispute Resolution by the EDPB (Article 65)
When the cooperation mechanism under Article 60 fails — specifically when a CSA has raised a relevant and reasoned objection that the LSA has rejected, or the LSA has not followed the objection — the EDPB is called upon to issue a binding decision.
Key aspects:
• The binding decision is adopted by a two-thirds majority of the members of the EDPB.
• The decision must be issued within one month (extendable by one further month for complex matters).
• The LSA (or the SA where the complaint was lodged) must adopt its final decision based on the EDPB's binding decision within one month of the EDPB's notification.
• The final decision must refer to the EDPB's opinion or binding decision and must be published on the EDPB's website.
This is the ultimate enforcement tool of the consistency mechanism — it ensures that no single SA can unilaterally override the concerns of other SAs in cross-border cases.
4. Urgency Procedure (Article 66)
In exceptional circumstances, a supervisory authority may derogate from the standard cooperation and consistency procedures by adopting provisional measures intended to produce legal effects on its own territory. These measures:
• Must have a specified validity period not exceeding three months.
• Must be adopted when there is an urgent need to act to protect the rights and freedoms of data subjects.
• Must be communicated to the other concerned SAs, the EDPB, and the European Commission without delay, along with the reasons for invoking the urgency procedure.
• If an SA requests an urgent opinion or an urgent binding decision from the EDPB, the EDPB must adopt it within two weeks by simple majority.
5. Exchange of Information (Article 67)
The European Commission may adopt implementing acts to specify arrangements for the electronic exchange of information between SAs and between SAs and the EDPB, particularly using a standardized format.
The Role of the European Data Protection Board (EDPB)
The EDPB (Articles 68–76) is the successor to the Article 29 Working Party and plays a central role in both cooperation and consistency mechanisms. Key functions include:
• Issuing guidelines, recommendations, and best practices to encourage consistent application of the GDPR.
• Advising the European Commission on data protection matters.
• Issuing opinions under the consistency mechanism (Article 64).
• Issuing binding decisions in dispute resolution cases (Article 65).
• Promoting cooperation between supervisory authorities, including through joint operations and mutual assistance.
• Reviewing practical application of guidelines and making recommendations.
• Maintaining the public register of EDPB decisions, SA decisions, and DPIA lists.
The EDPB is composed of the heads of each Member State's supervisory authority and the European Data Protection Supervisor (EDPS). The European Commission may participate in EDPB activities but does not have voting rights. The EDPB acts independently.
How the Cooperation and Consistency Mechanisms Work Together: A Practical Example
Consider a scenario where a large tech company headquartered in Ireland processes personal data of individuals across 15 EU Member States:
1. A data subject in France files a complaint with the French SA (CNIL).
2. CNIL determines that the Irish Data Protection Commission (DPC) is the lead supervisory authority because the company's main establishment is in Ireland.
3. CNIL transmits the complaint to the DPC under the cooperation mechanism.
4. The DPC investigates and prepares a draft decision, which it shares with all concerned SAs, including CNIL and potentially other SAs whose data subjects are affected.
5. Concerned SAs have four weeks to raise relevant and reasoned objections.
6. If CNIL or other CSAs raise objections that the DPC does not follow, the matter is referred to the EDPB under the dispute resolution mechanism (Article 65).
7. The EDPB issues a binding decision by two-thirds majority.
8. The DPC must adopt its final decision in line with the EDPB's binding decision.
This process has been used in several high-profile cases, including enforcement actions against major technology companies, demonstrating the practical significance of these mechanisms.
Key Definitions to Remember
• Cross-border processing (Article 4(23)): Processing that takes place in more than one Member State where the controller/processor is established in more than one Member State, OR processing in a single establishment that substantially affects or is likely to substantially affect data subjects in more than one Member State.
• Main establishment (Article 4(16)): For a controller with establishments in more than one Member State, the place of its central administration in the EU (unless decisions on purposes and means of processing are taken elsewhere). For a processor, the place of its central administration, or where the main processing activities take place.
• Relevant and reasoned objection (Article 4(24)): An objection to a draft decision that clearly demonstrates the significance of the risks posed by the draft decision regarding fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data.
• Lead supervisory authority (Article 56): The SA of the main establishment or single establishment of the controller or processor, responsible for coordinating cross-border enforcement.
• Concerned supervisory authority (Article 4(22)): An SA concerned by the processing because the controller/processor is established in its territory, data subjects in its territory are substantially affected, or a complaint has been lodged with it.
Common Challenges and Criticisms
For a well-rounded understanding (and potentially for exam scenarios), be aware of the following:
• Delays in cross-border enforcement: The cooperation mechanism has been criticized for leading to lengthy enforcement timelines, particularly in cases involving major technology companies.
• Disagreements between SAs: There have been several high-profile disputes where CSAs felt that the LSA was not taking sufficiently strong enforcement action, leading to increased use of the Article 65 dispute resolution mechanism.
• Interpretation of "main establishment": Determining which SA is the LSA can be complex, particularly for organizations with decentralized decision-making structures.
• The role of the EDPB has grown: The EDPB has increasingly used its binding decision power, which some view as a necessary check on LSA discretion and others view as centralizing too much power.
Exam Tips: Answering Questions on Cooperation and Consistency Mechanisms
The CIPP/E exam frequently tests knowledge of the cooperation and consistency mechanisms. Here are detailed strategies for success:
1. Know the Article Numbers
While the CIPP/E exam is not purely about reciting article numbers, knowing the key articles helps you quickly identify the correct answer:
• Article 56 — Lead supervisory authority / one-stop-shop
• Article 60 — Cooperation between LSA and CSAs
• Article 61 — Mutual assistance
• Article 62 — Joint operations
• Article 63 — Consistency mechanism (general)
• Article 64 — Opinion of the EDPB
• Article 65 — Dispute resolution by the EDPB
• Article 66 — Urgency procedure
2. Distinguish Between Cooperation and Consistency
A common exam trap is conflating these two mechanisms. Remember:
• Cooperation = SAs working together (LSA + CSAs), sharing information, conducting joint operations.
• Consistency = EDPB ensuring uniform application through opinions and binding decisions.
• The consistency mechanism is triggered when cooperation fails or when certain decisions require EDPB input.
3. Understand the Timeline
The exam may present scenarios and ask about time limits:
• 4 weeks: CSAs must raise relevant and reasoned objections to a draft decision.
• 1 month: SAs must respond to mutual assistance requests.
• 8 weeks (+6 weeks extension): EDPB must issue an opinion under Article 64.
• 1 month (+1 month extension): EDPB must issue a binding decision under Article 65.
• 2 weeks: EDPB must issue an urgent opinion or binding decision under Article 66.
• 3 months: Maximum validity of provisional measures under the urgency procedure.
4. Focus on the Relevant and Reasoned Objection
This is a frequently tested concept. Know that:
• It must clearly identify risks to fundamental rights and freedoms.
• If the LSA doesn't follow it, the matter goes to the EDPB.
• Not just any disagreement qualifies — it must meet the specific definition in Article 4(24).
5. Know When the EDPB Issues Opinions vs. Binding Decisions
• Opinions (Article 64): Issued proactively for certain types of decisions (BCRs, DPIA lists, standard clauses, codes of conduct criteria, etc.) or matters of general application. SAs must take utmost account but are not absolutely bound.
• Binding decisions (Article 65): Issued when there is a dispute — specifically when a relevant and reasoned objection is raised and not followed. These ARE binding on the SAs involved.
6. Understand the One-Stop-Shop in Context
Many exam questions test whether you understand how the one-stop-shop interacts with cooperation mechanisms. Remember:
• The one-stop-shop does NOT mean only one SA can act — it means one SA leads.
• Data subjects can still lodge complaints with their local SA, which will then cooperate with the LSA.
• The local SA of the data subject can exercise all its powers (not just refer to the LSA) when processing occurs mainly in its territory or substantially affects data subjects only in its territory.
7. Recognize Urgency Scenarios
If an exam question involves an immediate threat to data subjects' rights, think about the urgency procedure (Article 66). Key indicators:
• Urgent need to protect rights and freedoms.
• Provisional measures on the SA's own territory.
• Limited duration (max 3 months).
• Expedited EDPB decision (2 weeks).
8. Watch for Distractors About the European Commission
The Commission has certain roles (e.g., it can adopt implementing acts, it participates in EDPB meetings), but it does NOT:
• Vote in the EDPB.
• Issue binding decisions on data protection enforcement.
• Override SA decisions directly.
9. Practice Scenario-Based Questions
The CIPP/E exam often presents scenarios. When you see a cross-border case:
• First, identify the LSA (based on main establishment).
• Then, identify the CSAs (based on where data subjects are substantially affected).
• Determine what stage of the cooperation/consistency process is at issue.
• Apply the correct procedural rules and timelines.
10. Remember Key Voting Thresholds
• EDPB binding decisions under Article 65 require a two-thirds majority.
• Urgent binding decisions under Article 66 require a simple majority.
11. Don't Confuse the EDPB with National SAs
The EDPB does not directly enforce the GDPR against controllers or processors. It resolves disputes between SAs and ensures consistency. The actual enforcement decision is always adopted by the relevant SA (typically the LSA) based on the EDPB's guidance or binding decision.
Summary Table for Quick Review
Mechanism | Key Article | Key Feature
One-stop-shop | Art. 56 | LSA coordinates cross-border cases
Cooperation (LSA + CSAs) | Art. 60 | Draft decision, 4-week objection period
Mutual Assistance | Art. 61 | SAs help each other, 1-month response time
Joint Operations | Art. 62 | SAs conduct joint investigations
EDPB Opinion | Art. 64 | Opinions on BCRs, DPIA lists, codes, standard clauses; 8 weeks
EDPB Binding Decision | Art. 65 | Resolves disputes; two-thirds majority; 1 month
Urgency Procedure | Art. 66 | Provisional measures; max 3 months; EDPB decision in 2 weeks
Final Thoughts
The cooperation and consistency mechanisms are among the most structurally innovative features of the GDPR. They represent the EU's commitment to ensuring that a regulation designed to be directly applicable across all Member States is also applied consistently in practice. For the CIPP/E exam, mastering these mechanisms requires understanding not just the individual provisions, but how they interconnect — from the identification of the lead supervisory authority, through the cooperation process, to the potential escalation to the EDPB for a binding decision. Focus on the procedural flow, key timelines, the role of the EDPB, and the distinction between opinions and binding decisions, and you will be well-prepared to tackle any question on this topic.
