Identifying a controller or processor’s lead supervisory authority
February 15, 2017
In December 2016, the Article 29 Working Party (“WP29”) published its Guidelines for Identifying a Lead Supervisory Authority (the "Guidelines").
During the negotiation of the General Data Protection Regulation ("GDPR"), the ‘one-stop-shop’ mechanism was seen as a solution to the problems faced by multi-national organisations, operating across multiple EU member states. These organisations are currently subject to a patchwork of differing national implementations of data protection law, and differing enforcement approaches. The introduction of the Lead Supervisory Authority system (the one-stop-shop) was therefore seen as one of the silver linings in the otherwise more prescriptive GDPR regime.
Who are the Guidelines relevant to?
The Guidelines will be relevant to multi-nationals operating across Europe. At their heart, the Guidelines apply where a controller or processor is carrying out "cross-border processing" of personal data.
‘Cross-border processing’ occurs where an organisation:
- has establishments in two or more EU Member States and the processing of personal data takes place in the context of their activities in those establishments. For example, a retailer with establishments in both Italy and Spain, processing data about employees and customers in both countries.
- only carries out processing activities in the context of its establishment in one EU Member State, but the activity substantially affects, or is likely to substantially affect, data subjects in more than one EU Member State. For example, an insurer established solely in France, where decisions are made which significantly affect customers in Portugal.
What is a lead supervisory authority?
Put simply, the lead supervisory authority will be the main data protection regulator that the organisation deals with; the one-stop-shop.
A lead supervisory authority will be the authority that the organisation contacts for compliance activity such as registering a data protection officer, notifying a risky processing activity or notifying a data security breach. The lead supervisory authority will handle data protection complaints relating to that organisation, conduct investigations or undertake enforcement activity relating to cross-border processing.
Will this lead to forum-shopping?
WP29 is clear; the GDPR does not permit ‘forum-shopping’. Whilst it is up to controllers to identify their lead supervisory authority, that decision can subsequently be challenged by supervisory authorities. The burden of proof sits with the controller.
How do organisations determine their lead supervisory authority?
Firstly, they need to identify their ‘main establishment’ in the EU.
‘Main establishment’ for a controller will usually be determined by looking to where the organisation’s central administration is in the EU. The central administration is the place where decisions about the purposes and means of processing are taken.
The ‘central administration’ test works well for organisations with a centralised decision-making headquarters. However, the decision-making structure of a group of companies may be more complex, giving independent powers to different establishments. In that scenario, the ‘central administration’ test does not work. The WP29 says that organisations will need to ask themselves the following questions in order to identify their ‘main establishment’:
- Where are decisions about the purposes and means of the processing given final ‘sign off’?
- Where are decisions about business activities that involve data processing made?
- Where does the power to have decisions implemented effectively lie?
- Where is the Director (or Directors) with overall management responsibility for the cross-border processing located?
What is the impact of Brexit on the one-stop-shop system?
The one-stop-shop benefit only applies to organisations with a main establishment within the EU. Post-Brexit, there will be a significant number of UK-headquartered companies with no central administration in the EU and where none of the company’s EU establishments are taking decisions about the processing. The same description could equally apply to US-headquartered companies.
The Guidelines state that, unless the organisation designates an establishment in the EU that will act as its main establishment (and that establishment has the authority to implement decisions about processing activities), it will not be possible to designate a lead supervisory authority. Consequently, it will not be possible to benefit from the ‘one-stop-shop mechanism’.
Depending on what form Brexit ultimately takes, those UK-headquartered companies with no main establishment in the EU may see the elusive one-stop-shop system escape them. They may be back to the status quo of dealing with multiple regulators across every EU member state in which they are active, through their local representative. In addition, the WP29 is clear: the mere presence of a representative in a Member State does not trigger the one-stop-shop system.
What should organisations be doing now?
Clarity is key here; as part of their wider GDPR programme, many organisations will already be mapping their data processing operations in order to obtain a clear picture of their data flows and their cross-border data processing activities.
They will also be having some important conversations about the location of their main establishment and, crucially, will be working to ensure that their decision would stand up to regulatory scrutiny. In that sense, the Guidelines serve as a warning shot; forum-shopping will be challenged, organisations must be prepared to provide evidence of their main establishment, and demonstrate how they got to that decision.