The Article 29 Working Party (WP), composed of members of all the National Data Protection Authorities of the European Union, adopted Guidelines on 13 December 2016 for identifying a controller or processor’s lead supervisory authority.
As a reminder, the lead supervisory authority is defined as the national data supervisory authority responsible for dealing with the cross-border processing by a data controller (DC) or data processor (DP). The lead authority will be the sole interlocutor for that DC or DP.
Cross-border processing takes place under the GDPR when:
- the activities of establishments of the DC or DP take place in more than one Member State; or
- the activities of a single establishment of the DC or DP substantially affect or are likely to substantially affect data subjects in more than one Member State.
The concepts of ‘substantially affect’ or ‘likely to substantially affect’ are meant to exclude from the definition of cross-border processing those activities with little or no effect on individuals of another Member State, according to the Guidelines.
Under the GDPR, the lead supervisory authority will come from the main establishment of the DC or DP, meaning:
- the central administration of the DC or DP; or
- another establishment making decisions about the purposes and means of the processing which is able to enforce those decisions or, for a DP, the establishment where the main processing activities take place.
In the case of multiple establishments in the EU, the Article 29 WP recommends taking into consideration the following criteria:
- Where are the decisions about the purposes and means of the processing given final ‘sign off’?
- Where are the decisions about business activities that involve data processing made?
- Where does the power lie to have decisions implemented effectively?
- Where is the Director (or Directors) located who has (have) overall management responsibility for the cross-border processing?
- Where is the controller or processor registered as a company, if in a single territory?
The DC itself identifies where its main establishment is located, and therefore which supervisory authority is its lead authority. However, this can be challenged afterwards by the concerned supervisory authority. The GDPR does not permit ‘forum shopping’.
Where a company has no main establishment in the EU, the national authorities (or ultimately the European Data Protection Board) will decide among themselves which one will be designated as the lead authority.
Finally, the Guidelines clarify the concept of ‘concerned supervisory authority,’ i.e. the authority empowered to handle a matter that has been refused by the lead authority.
For any additional information on this topic, please contact Emmanuelle Ragot, Partner and Head of IP/TMT.