Article 56 GDPR (Competence of The Lead Supervisory Authority)

Article 56 of GDPR: Competence of The Lead Supervisory Authority

Article 56 of GDPR establishes the competence of the supervisory authority when there is cross-border processing of personal data by data controllers or data processors.

Supervisory authority of an organization’s main establishment (Article 56(1) GDPR)

The supervisory authority of the data controller or data processor’s main establishment will be competent to act as the lead supervisory authority when dealing with cross-border data processing.

Competence to handle complaints (Article 56(2) GDPR)

Each supervisory authority will have the competence to handle complaints filed with it when:

  1. The subject matter relates to an organization in its territory 
  2. When data subjects in its territory are substantially affected

Notification to lead supervisory authority (Article 56(3) GDPR)

When a supervisory authority believes it has competence over an issue, it will notify the lead supervisory authority as soon as possible.

The lead supervisory authority will decide, within 3 weeks, whether or not it will handle the issue.

Lead supervisory authority to handle a case (Article 56(4) GDPR)

Following the notification of a possible competent supervisory authority about a case, if the lead supervisory authority decides to handle a case, it will cooperate with the other competent supervisory authorities to reach a consensus and exchange information with one another.

Lead supervisory authority not to handle a case (Article 56(5) GDPR)

Following the notification of a possible competent supervisory authority about a case, if the lead supervisory decides not to handle the case, then the supervisory authority that had issued the notification will handle the matter.

Sole point of contact (Article 56(6) GDPR)

The lead supervisory authority will be the sole point of contact with the data controller or data processor as it relates to cross-border processing of personal data.

Recitals applicable to Article 56 of GDPR

Relevant Recitals: 124, 127, 128

GDPR Regulation article-by-article overview

Read our comprehensive overview of the GDPR Regulation, article by article, where we summarize each of the 99 articles contained in GDPR to give you a complete understanding of its content.

Cited Legislation in Article 56 or relevant recitals


GDPR Text: Article 56 of GDPR and Relevant Recitals

GDPR Text Source: EUR-Lex

Official GDPR Text: General Data Protection Regulation 

Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJL 127, 23.5.2018, p. 2 ((EU) 2016/679)