GDPR Cross-Border Penalties: One-Stop-Shop and Lead Supervisory Authority

Last updated: 2026-04-05 — ComplianceStack Editorial Team

The GDPR's one-stop-shop mechanism was designed to simplify compliance for companies operating across multiple EU member states — one lead supervisory authority, one set of proceedings, one decision. In practice, the mechanism has become the primary vehicle for the largest GDPR fines in history. The EDPB's Article 65 binding dispute resolution authority gives pan-European regulatory consensus a binding override over national DPA decisions: the EDPB repeatedly directed Ireland's DPC to impose higher fines than its draft decisions, culminating in the €1.2B Meta penalty. Companies that once viewed Ireland as a softer lead DPA now face the same EDPB-driven enforcement pressure regardless of headquarters location.

Regulatory Authority: GDPR Articles 56 (lead supervisory authority), 60 (cooperation), 65 (EDPB binding decisions), 66 (urgency procedure), 83 (fines); EDPB Binding Decision 01/2023; CJEU Schrems II (C-311/18, 2020); EDPB Coordinated Enforcement Framework 2024–2025

Penalty Tier Breakdown

Article 56 — Lead Supervisory Authority (One-Stop-Shop)

Structural provision — determines which DPA governs cross-border processing; no standalone fine
Annual max: Critically determines whether fines reach their full potential via EDPB escalation

When a company processes personal data in multiple EU member states, the supervisory authority of the member state where the company has its main establishment acts as lead supervisory authority. The main establishment is the company's central EU administration or the place where decisions about the purposes and means of data processing are taken. Companies can influence which DPA leads through their choice of EU headquarters — many US tech companies chose Ireland. All concerned DPAs are notified and can raise relevant objections to draft decisions under Article 60.

Example: A US-based SaaS company opens a Dublin subsidiary and ensures its EU data processing decisions are formally taken there. The Irish DPC becomes the company's lead supervisory authority for all GDPR enforcement across 30+ EEA countries — one regulator instead of 30.

Article 60 — Cooperation Between Lead and Concerned DPAs

No standalone fine; Article 60 objections can escalate cases to EDPB and materially increase final fine amounts
Annual max: 4–6 week objection window; disagreement triggers EDPB Article 65 referral

The lead supervisory authority must share draft decisions with all concerned supervisory authorities and provide them 4 weeks (extendable to 6 weeks) to raise relevant and reasoned objections. If the lead SA disagrees with an objection, the matter goes to the EDPB for binding resolution. Objections from Germany, France, and the Netherlands have materially influenced major cases by pushing for higher fines or broader compliance orders than Ireland's DPC initially proposed.

Example: The Irish DPC prepares a draft decision recommending a €50M fine for consent violations. Germany's Hamburg DPA objects under Article 60, arguing the fine is insufficient and the processing ban should be broader. Disagreement triggers mandatory referral to the EDPB under Article 65.

Article 65 — EDPB Binding Dispute Resolution

EDPB binding decisions can increase fine amounts, extend orders, or require processing suspensions beyond what the lead SA proposed
Annual max: Binding decisions must be implemented within 1–3 months; non-implementation results in follow-on EDPB proceedings

When lead and concerned DPAs cannot resolve disagreements, any concerned DPA can refer the matter to the EDPB for binding dispute resolution. The EDPB's binding decision overrides the lead SA's draft. Article 65 was the mechanism that drove Ireland's DPC to impose significantly higher fines in multiple Meta cases: EDPB Article 65 orders have directed the DPC to find additional violations, impose higher fine percentages, and require processing suspensions within defined timeframes. The €1.2B Meta fine was an EDPB Article 65 directed outcome.

Example: The EDPB's Binding Decision 01/2023 instructed the Irish DPC — which had proposed a smaller fine in its draft — to find Facebook's SCCs inadequate for US data transfers, impose a €1.2B fine, and require suspension of data transfers within 5 months. The DPC implemented the binding decision.

Article 66 — Urgency Procedure (Local DPA Action)

Provisional measures including processing bans for up to 3 months without waiting for lead SA
Annual max: Used when lead SA is perceived as insufficiently urgent; creates immediate compliance obligations

Any supervisory authority can adopt provisional measures against a controller or processor in its territory if there is an urgent need to protect data subjects' rights — without waiting for the lead SA's decision. Urgency measures can include immediate processing bans. Italy's Garante used Article 66 to temporarily ban ChatGPT in March 2023, forcing OpenAI to implement age verification and transparency improvements before restoring Italian market access. Urgency procedures signal that local DPAs will not wait indefinitely for lead SA action.

Example: The French CNIL adopts an urgency ban on a US AI company's processing of French users' biometric data, finding an urgent risk of irreversible harm. The ban takes immediate effect while Ireland's DPC (the lead authority) opens a formal Article 60 proceeding. The company must cease French biometric processing within 48 hours.

How Penalties Are Calculated

Cross-border GDPR cases follow the standard Article 83(2) calculation methodology, but the multi-authority process creates systematic upward fine pressure through two mechanisms. First, EDPB Article 65 binding decisions have consistently directed lead SAs to increase fine amounts beyond initial drafts — in Meta's case by an order of magnitude. Second, concerned DPAs' Article 60 objections establish a public record of the enforcement severity demanded across the EU, which the lead SA must address in its final decision.

To manage cross-border enforcement risk: (1) ensure EU main establishment is in a member state with predictable enforcement; (2) engage proactively with the lead SA before enforcement action; (3) implement EDPB guidelines and recommendations (Article 83(2)(j) mitigation factor); (4) conduct Transfer Impact Assessments for all data flows to non-adequate countries.

The EDPB's 2024 Coordinated Enforcement Framework focused on data subject rights; the 2025 CEF targets AI system data processing across all EU DPAs simultaneously.

Recent Enforcement Actions

2023 — Meta Platforms Ireland — EDPB Article 65 Override
Cross-border transfer of EU Facebook users' data to the US without adequate safeguards. The Irish DPC initially proposed a materially lower fine in its draft decision; EDPB Binding Decision 01/2023 directed the DPC to find SCCs inadequate, impose a €1.2B fine, and require suspension of transfers within 5 months.
Penalty: €1,200,000,000. The EDPB's Article 65 binding decision was the direct cause of the record fine. Without EDPB intervention, Ireland's DPC would have imposed a significantly lower penalty.
Source: EDPB Binding Decision 01/2023; Irish DPC Final Decision, May 2023

2023 — TikTok Technology Limited (Irish DPC + Article 60 objections)
Transfer of EU children's personal data to China without adequate transfer safeguards; failure to verify the ages of child users when processing their data; consent failures for minor accounts.
Penalty: €345,000,000 — one of the largest fines for children's data protection violations. Concerned DPAs from across the EU submitted Article 60 objections that strengthened the final compliance order.
Source: Irish DPC Decision, September 2023

2023 — ChatGPT / OpenAI (Italian Garante, Article 66)
No valid lawful basis for mass training data collection, lack of transparency, no age verification for minors, and inaccurate outputs about real individuals — the Italian Garante found an urgent risk warranting an immediate temporary ban.
Penalty: Processing ban lifted after 1 month following OpenAI's compliance improvements. Follow-on investigation led to a €15M fine in December 2024 — demonstrating Article 66 urgency as the start, not the end, of enforcement.
Source: Italian Garante Urgency Order, March 2023; Final Decision, December 2024

2024 — LinkedIn Ireland — Article 60 Cooperation (Irish DPC)
Relied on legitimate interests (Article 6(1)(f)) for behavioral analysis and targeted advertising without a valid basis; multiple concerned DPAs submitted Article 60 objections, driving broader compliance findings than Ireland's initial draft.
Penalty: €310,000,000. The cross-border cooperation mechanism resulted in a broader compliance order than the Irish DPC's initial draft, demonstrating the sustained pressure that concerned DPAs place on lead SA decisions.
Source: Irish DPC Final Decision, October 2024


Frequently Asked Questions

What is the one-stop-shop mechanism and does it always apply?

The one-stop-shop (Article 56) applies when a company has cross-border data processing — processing data in multiple EU member states, or processing that affects data subjects in multiple states. The lead supervisory authority is the DPA where the company's main EU establishment is located. The LSA handles the full investigation and drafts the decision, consulting concerned DPAs along the way. The one-stop-shop does NOT apply to purely local processing — a German company processing only German employees' data locally is handled solely by the relevant German state DPA. Non-EU companies without EU establishments can be investigated by any DPA in a member state where their processing affects data subjects, with no single lead SA.

Can a company avoid EDPB oversight by choosing a softer lead supervisory authority?

The strategy has become significantly less effective. While companies can choose their EU main establishment to determine their lead SA, the Article 60 cooperation mechanism gives all concerned DPAs the right to raise objections, and EDPB Article 65 binding decisions override the lead SA when there is disagreement. Ireland's DPC has been directed by EDPB Article 65 orders to impose materially higher fines than its initial proposals in multiple high-profile cases including Meta, WhatsApp, and LinkedIn. The EDPB's 2023 binding decision against Meta demonstrated that choosing a traditionally cautious lead SA provides limited protection against pan-European enforcement consensus driven by other member states' DPAs.

How quickly can a local DPA act under the Article 66 urgency procedure?

Immediately. Article 66 urgency measures can be adopted and take effect the same day the DPA issues them, without waiting for the lead SA or the Article 60 consultation process. The local DPA must notify the EDPB and all other DPAs simultaneously with adopting the measure. The provisional measure can last up to 3 months, after which it must be referred to the EDPB for possible extension via Article 65 binding decision if urgent enforcement is still needed. Italy's March 2023 ChatGPT ban was implemented within 24 hours of the Garante's decision. The Article 66 urgency procedure is particularly significant for AI systems, biometric data processing, and any large-scale processing affecting children where waiting for a cross-border Article 60 process could cause irreversible harm.
