Artifact GuideEU

EU GDPR Lead Authority and One-Stop-Shop

Use this guide to decide whether GDPR one-stop-shop routing is available, which establishment anchors the lead supervisory authority, and what evidence should support that position.

Focused on main establishment, cross-border processing, Article 56 competence, Article 60 cooperation, and evidence records that avoid unsupported national-procedure assumptions.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
1

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

The GDPR one-stop-shop is not a generic shortcut to one preferred regulator. It depends on cross-border processing and a controller or processor main establishment or single establishment in the Union. The practical record should show why Article 56 points to a particular lead supervisory authority, which other supervisory authorities may be concerned, and how Article 60 cooperation can affect an investigation or decision.

Section 1

When GDPR one-stop-shop routing is available

Start with the processing activity, not the corporate group. GDPR Article 4(23) treats processing as cross-border when it is carried out in the context of establishments in more than one Member State, or when processing in one Member State substantially affects or is likely to substantially affect data subjects in more than one Member State.

Article 56 then connects that cross-border processing to the supervisory authority of the controller's or processor's main establishment or single establishment. If that link is missing, the page should not claim a one-stop-shop outcome.

  • Identify the specific processing operation, product, data flow, or incident before naming a lead authority.
  • Record each Union establishment involved in deciding or carrying out the processing.
  • Separate cross-border processing evidence from unrelated multinational presence.
  • List Member States where data subjects are substantially affected or likely to be substantially affected.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 4(23) defines cross-border processing and Article 56 links cross-border processing to the lead supervisory authority.
Section 2

How to evidence the main establishment

For a controller with establishments in more than one Member State, GDPR Article 4(16) points first to the place of central administration in the Union. That changes if decisions on the purposes and means of the processing are taken in another Union establishment and that establishment has power to implement those decisions.

For a processor with establishments in more than one Member State, the main establishment is its central administration in the Union. If there is no central administration in the Union, Article 4(16) points to the Union establishment where the processor's main processing activities take place, to the extent the processor is subject to specific GDPR obligations.

  • Keep governance evidence showing where purposes and means are decided for the processing activity.
  • Keep implementation evidence showing which establishment can make those decisions operational.
  • For processors, document the Union central administration or the Union establishment carrying out the main processing activities.
  • Do not treat a sales office, representative, or local contact point as the main establishment unless the Article 4(16) facts support it.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 4(16) defines main establishment separately for controllers and processors.
Section 3

Article 56 lead authority mechanics

Article 56(1) makes the supervisory authority of the main establishment or single establishment competent to act as lead supervisory authority for cross-border processing, using the Article 60 cooperation procedure.

Article 56 also preserves local competence for complaints or possible infringements that relate only to an establishment in one Member State or substantially affect data subjects only in that Member State. In those cases, the local supervisory authority informs the lead authority, and the lead authority has three weeks to decide whether it will handle the case under Article 60.

  • Record the proposed lead supervisory authority and the Article 4(16) facts supporting it.
  • Identify supervisory authorities concerned because a controller or processor is established in their Member State, data subjects there are substantially affected or likely to be substantially affected, or a complaint was lodged there.
  • When Article 56(2) may apply, preserve the local-establishment or local-effect facts separately from the lead-authority analysis.
  • If the lead supervisory authority handles the matter, expect Article 60 cooperation; if it does not, the local supervisory authority handles the matter under Articles 61 and 62.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 56 sets lead authority competence, local case handling, the three-week lead-authority decision point, and sole-interlocutor status.
Section 4

What Article 60 means for one-stop-shop evidence

Article 60 is a cooperation procedure between the lead supervisory authority and the other supervisory authorities concerned. The lead authority must exchange relevant information, submit draft decisions for opinion, and take the views of concerned authorities into account.

The one-stop-shop record should therefore anticipate more than a single regulator contact. It should preserve the facts, establishments, affected Member States, complaint locations, processing descriptions, and compliance measures needed to support a draft decision, an objection process, or implementation across Union establishments.

  • Maintain a single processing fact record that can be shared consistently across concerned authorities.
  • Track which establishments and Member States the decision would cover.
  • Record remedial measures in a form that can be implemented across all relevant Union establishments.
  • Avoid promising a fixed Article 60 timeline beyond the specific periods stated in the GDPR for objections and revised drafts.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 60 describes cooperation, draft decisions, relevant and reasoned objections, revised drafts, final notification, and compliance measures.
Section 5

One-stop-shop evidence checklist

Use this checklist when opening a new market, changing a processing model, responding to a complaint, or preparing a breach route for cross-border processing. The goal is to make the lead-authority position auditable without adding unsupported national-procedure claims.

If a fact is uncertain, mark it as unresolved instead of selecting a convenient authority. The unresolved item should name the missing governance, establishment, affected-data-subject, or complaint-location evidence.

Does having customers in several EU Member States automatically create a GDPR lead supervisory authority?

No. The analysis still needs cross-border processing under Article 4(23) and a controller or processor main establishment or single establishment that Article 56 can attach to.

Can the company choose the most convenient supervisory authority?

No. The lead supervisory authority follows the GDPR facts: the main establishment or single establishment for the relevant cross-border processing, subject to Article 56 mechanics.

What should be saved as one-stop-shop evidence?

Save the processing description, Union establishment map, Article 4(16) main-establishment analysis, Article 4(23) cross-border-processing analysis, concerned-authority list, and Article 60 cooperation records.

  • Processing operation is described with controller or processor role, establishments involved, and affected data-subject Member States.
  • Cross-border processing analysis is tied to Article 4(23), not only to customer geography or group structure.
  • Main establishment analysis is tied to Article 4(16) facts about central administration, purpose-and-means decisions, implementation power, or processor main processing activities.
  • Lead supervisory authority, concerned supervisory authorities, and any Article 56(2) local-case facts are recorded separately.
  • Article 60 evidence pack includes facts, measures, decision owners, affected establishments, and implementation records for all relevant Union establishments.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
GDPR Articles 4(16), 4(23), 55, 56, and 60 support the checklist fields for one-stop-shop evidence.
Recommended next step

Build a cited one-stop-shop record

Sorena can help turn the Article 4, Article 56, and Article 60 checks on this page into owner assignments, evidence requests, and reusable regulator-routing records.

Research workflow
Open Research Copilot for EU GDPR

Ask source-linked questions about main establishment, cross-border processing, lead supervisory authority routing, and Article 60 cooperation.

Explore next step
Talk to Sorena
Talk through implementation

Review your GDPR one-stop-shop evidence, unresolved facts, and regulator-routing assumptions with Sorena.

Explore next step
Primary sources

References and citations

Regulation (EU) 2016/679 (GDPR)
eur-lex.europa.eu
Referenced sections
  • GDPR Articles 4(16), 4(23), 55, 56, and 60 support the checklist fields for one-stop-shop evidence.
"sole interlocutor of the controller or processor"
Related guides

Explore more topics

Does the EU GDPR apply outside the EU under Article 3?
A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.
EU GDPR Applicability Test for Products, Vendors, and Data Flows
A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
EU GDPR Article 30 RoPA Intake Workflow
Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live.
EU GDPR Article 6 Legal Bases FAQ
FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.
EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence
source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence.
EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow
Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs.
EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records
A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers
Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence.
EU GDPR Children and Special-Category Data Guide
source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers
Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties.
EU GDPR Controller, Processor, and Joint Controller Roles
source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence.
EU GDPR Data Subject Rights and DSAR Workflow
source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence.
EU GDPR deadlines and compliance calendar
source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks.
EU GDPR DPIA and Prior Consultation Workflow
Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required.
EU GDPR DPIA and risk management under Articles 35 and 36
EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits.
EU GDPR DSAR Exceptions: refusal, extensions, identity checks
FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.
EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence
Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers
Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
EU GDPR International Transfers and SCCs: Chapter V evidence guide
source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks.
EU GDPR Lawful Basis and Consent Guide
Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records.
EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)
Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
EU GDPR LIA Template for Article 6(1)(f)
Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
EU GDPR penalties and fines: Article 83 tiers and evidence
EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors.
EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide
EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable.
EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields
Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers
Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers.
EU GDPR Retention and Erasure Schedule
Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields.
EU GDPR SCC Transfer Impact Assessment FAQ
source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
EU GDPR Transfer TIA and SCC Workflow
A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
EU GDPR Transparency Notices: Articles 12, 13 and 14
Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps
Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.
EU GDPR vs California CCPA: grounded GDPR comparison limits
Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not.
EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications
Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.
EU GDPR vs UK GDPR: source-limited compliance comparison
Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
GDPR processor vs controller: role boundaries and evidence
Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.
GDPR vs EU AI Act: privacy controls for AI systems
Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.
GDPR vs EU Data Act: personal data safeguards and source limits
Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
When does the EU GDPR require a DPIA?
Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.
When does the GDPR 72-hour breach notification clock start?
GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.