Overview

This article requires supervisory authorities to provide mutual assistance to other authorities, including sharing information and cooperating on requests such as inspections or investigations. Mutual assistance ensures consistent GDPR application across Member States. Responses must be provided within one month, using standardized electronic formats. Fees are generally not charged, except for exceptional costs. Refusals are permitted only if the assisting authority lacks competence or if complying with the request would violate applicable law.


Key Principles

  • Collaboration: Authorities must assist each other to ensure consistent enforcement of GDPR.

  • Timely Response: Responses to requests must be provided within one month.

  • Standardization: Use standardized electronic formats for communication.

  • Limited Fees: Charges may only be applied for exceptional costs.

  • Refusal Conditions: Assistance can only be refused if the authority lacks competence or if complying with the request would violate the law.

Organizational Applicability

This article applies to:

  • Supervisory authorities in all EU Member States.

  • Lead and concerned authorities coordinating cross-border GDPR enforcement.

  • Teams responsible for regulatory cooperation, investigations, and compliance oversight.

Implementation Requirements

  • Establish procedures for mutual assistance requests, including inspections and investigations.

  • Ensure responses are delivered within one month using standardized formats.

  • Document assistance provided and any exceptional costs or refusals.

  • Verify that refusals are justified by lack of competence or legal constraints.

Implementation Guidance

  • Maintain a registry of mutual assistance requests and responses.

  • Train staff on communication protocols, timelines, and permissible refusal conditions.

  • Coordinate with other authorities to standardize formats and data sharing procedures.

  • Periodically review mutual assistance processes to ensure compliance and efficiency.

Periodic Review

  • Frequency: Annually or when cross-border processing or regulatory requirements change.

  • Responsible Role: Supervisory authority leadership, Compliance Team, or Legal.

  • Outcome: Ensure timely, standardized, and legally compliant assistance between authorities.

Non-Compliance Risks

  • Fines: Up to €20 million or 4% of global annual turnover for supervised entities failing GDPR obligations.

  • Legal Exposure: Enforcement actions for delayed, inadequate, or unlawful assistance.

  • Reputational Damage: Loss of trust in regulatory coordination and GDPR enforcement.

  • Operational Risk: Ineffective mutual assistance may impede cross-border investigations and compliance.