Guidelines published for identifying a controller or processor’s Lead Supervisory Authority
New guidelines have been published which help to iron out some of the thornier issues in GDPR. This includes identifying who should be the Lead Supervisory Authority.
This set of guidelines is especially helpful for those companies that carry out “cross-border processing of personal data.” GDPR Article 4(23) defines this as processing that takes place when a controller or processor has establishments in multiple Member States. Also where the controller or processor is established in a single Member State but the processing “substantially affects or is likely to substantially affect” data subjects in multiple Member States. In these situations, the GDPR allows controllers and processors to designate a single local authority. This authority acts as the “lead supervisory authority” charged with overseeing their operations from a data protection perspective. This has become known as the “one stop shop” approach. The GDPR’s provisions relating to “lead supervisory authorities” are meant to simplify and streamline privacy regulation.
These guidelines recognise that the designation of a lead supervisory authority necessarily is a very fact-specific inquiry. Although they provides some generalised advice, it also includes illustrative examples. To that end, the guidelines also include an annex meant to guide companies going through the designation process. Some of the more general points are described below.
Identifying the Lead Supervisory Authority
- Companies with a main establishment in the EU
- For controllers, the GDPR provides that the lead supervisory authority should be the authority in the Member State in which the controller has its “main establishment”. That is, the place where the controller has its “central administration” and makes “decisions on the purposes and means of the processing.”
- The guidelines acknowledge that a controller could have multiple decision-making centres. It provides several detailed examples as to how to determine which centre is the “main establishment.”
- Companies not established in the EU.
- If a company doesn’t have any establishment in the EU, it cannot take advantage of the one-stop shop system. It must deal with the supervisory authorities in each Member State in which it operates. Simply having a single representative in one Member State does not mean that person can serve as a “main establishment” for one-stop shop purposes. This may prove to be an especially large headache for small companies that reach out to consumers in multiple EU countries but do not have the resources to create any EU establishments (i.e. some smaller app companies and start-ups), as they will have to expend the time and resources to tailor their compliance practices to each Member States.