Cross-border processing refers to the processing of personal data that takes place across the borders of EU/EEA member states, either because the data controller or processor operates in multiple countries or because the processing substantially affects data subjects in more than one member state. The GDPR introduces specific mechanisms to handle such situations consistently.
When cross-border processing occurs, the one-stop-shop mechanism designates a lead supervisory authority based on the location of the organisation's main establishment, simplifying regulatory interaction. However, concerned supervisory authorities in other affected member states retain certain powers. Organisations engaged in cross-border processing must carefully document their data flows, establish clear legal bases for each jurisdiction and implement appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules.