The key European data protection body, Article 29 Data Protection Working Party, recently published the Guidelines WP 244 for identifying a controller or processor’s lead supervisory authority. Our blog editor Vasiliki explores what they entail.
In cases of cross-border processing activity, the One Stop Shop principle will be used, by means of appointing a lead supervisory authority. Such body will deal with the various compliance duties under the GDPR, such as the registration of a data protection officer and the notification of a data security risk or a processing activity with high risk. The recently published guidelines intend to clarify to whom the lead supervisory authority apply and how to identify it.
To whom does the lead supervisory authority apply?
The term “cross border processing activity” is explained further divided in two categories:
personal data processing which takes place in more than one EU Member State where the controller or processor is established in more than one Member State;
processing of personal data which takes place in a single establishment of a controller or processor in the EU but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
Although the “substantial effect” will be decided on case by case basis, the Article 29 WP provided a non exhaustive list to assist in the identification of the requirement. Specifically, personal data processing is deemed as substantially affecting other EU members, when it causes, or is likely to cause, damage, loss or distress to individuals; has, or is likely to have, an actual effect in terms of limiting rights or denying an opportunity; affects, or is likely to affect individuals’ health, well-being or peace of mind; affects, or is likely to affect individuals’ financial or economic status or circumstances; leaves individuals open to discrimination or unfair treatment.
How to identify the correct lead supervisory authority?
Next step after ensuring that a data processing activity is of cross border nature and thus subject to a lead supervisory authority, is to identify the appropriate authority. Article 56 of GDPR indicates that the lead authority will be the supervisory authority of the country where the main establishment of the organisation is based. Furthermore, the main establishment is better described as the place of the central administration of the organisation, where decisions about the purposes and means of the processing are taken.
Borderline cases
In borderline cases that a company performs various cross-border processing activities and the decisions on the means and purposes of processing are taken in different establishments, more than one lead supervisory authority will apply.
Controller – processor
According to the GDPR, data controllers and data processors constitute the two entities who may be subject to the regulation rules. A controller is responsible of how and why personal data is processed and a processor acts on the controller’s behalf. The guidelines text clarifies the cases of controller’s and processor’s coexistence in the EU, or solely controller’s or processor’s EU existence.
If the cross border processing involves only a controller or both a controller and a processor, the leading supervisory authority for the controller will prevail. In the event that only a processor is operating in the EU in relation to such activities, a lead authority for the processor should be identified.