
26 Jan 2017

Article 29 Data Protection Working Party GDPR Guidelines for identifying a data controller or processor’s lead supervisory authority


Introduction

If a data controller or data processor carries out cross-border processing of personal data, Article 56 of the General Data Protection Regulation (the GDPR) provides for a single 'lead supervisory authority' (LSA) to have primary responsibility for dealing with that controller's or processor's cross-border processing activities.

The identification of a LSA is described by the Article 29 Data Protection Working Party (WP29) as the cornerstone of a 'one-stop-shop' system.

The LSA will:

  • liaise with the data controller or processor in relation to cross-border data protection issues; and
  • be responsible for co-ordinating any multi-jurisdictional investigations involving other 'concerned' supervisory authorities.

The WP29 has published updated guidelines relating to the key concepts involved in identifying a LSA (the Guidelines) which are summarised below.

Cross-border data processing

Cross-border data processing can occur in one of two ways:

  • when the processing is undertaken in establishments in more than one Member State; or
  • where the processing takes place in one Member State but substantially affects, or is likely to substantially affect, data subjects in other Member States.

The WP29 Guidelines indicate that, to qualify as processing which "substantially affects" data subjects, the processing must be more likely than not to have a substantial impact on data subjects in another Member State. Relevant considerations include the number of data subjects likely to be affected, the purpose of the processing and factors such as the likelihood of the processing causing damage, loss or distress to individuals, or of leaving individuals open to discrimination or unfair treatment.

Main Establishment

An organisation's LSA is determined according to where its main establishment is located. Data controllers and processors should identify a single LSA based on the location of their main establishment, provided that the main establishment is within the European Union (EU).

Data Controllers: If a data controller has establishments in more than one Member State, its LSA will be the supervisory authority of the Member State in which its central administration in the EU is located, or of the Member State in which decisions as to the purposes and means of processing personal data are taken and implemented. Data controllers without any establishment in the EU cannot benefit from the one-stop-shop and must deal with the local supervisory authority in every Member State in which they are active, through their local representative.

Data Processors: If a data processor has establishments in more than one Member State, its LSA will be the supervisory authority of the Member State in which its central administration in the EU is located or, if it has no central administration in the EU, of the Member State in which the processor's main processing activities take place. However, in cases involving both a controller and a processor, the competent LSA will be the LSA for the controller (provided that the controller is established in the EU).

It is possible for an organisation to have more than one main establishment. This situation may arise as a consequence of an organisation processing personal data for various separate purposes in different establishments. In these situations it will be essential for companies to identify precisely where the decisions on purpose and means of processing are taken.

In such cases, or where the main establishment is not considered to be the location of the organisation's central administration in the EU, the WP29 suggests answering the following questions to determine the location of a data controller's main establishment:

  • Where are decisions relating to processing given the final sign off?
  • Where are general decisions about business activities that involve data processing taken?
  • In which location does the power to implement processing decisions lie?
  • Where are the director(s) with overall management responsibility for cross-border processing located?
  • Where is the data controller or the data processor registered?

Correct identification of the main establishment is in the interests of controllers and processors because it provides clarity as to which supervisory authority they have to deal with in respect of their various compliance duties under the GDPR (e.g. communicating the details of a data protection officer, consulting on a high-risk processing activity or notifying a personal data breach).

A borderline case may arise where an organisation has no central administration in the EU and no data processing decisions are made by its EU establishments, but the organisation is keen to benefit from the 'one-stop-shop' principle. In this situation, the organisation should pro-actively nominate one of its EU-based establishments as its main establishment in order to designate a LSA. However, the nominated establishment must have:

  • authority to implement processing decisions;
  • authority to take liability for processing decisions; and
  • sufficient assets to cover potential enforcement action by the LSA.

In an effort to prevent 'forum shopping', if an organisation incorrectly nominates a LSA (i.e. relies on a main establishment which does not satisfy the above requirements), the supervisory authorities or the European Data Protection Board (which will replace the WP29 when the GDPR takes effect) will be able to investigate the establishments concerned to establish whether a LSA has been appropriately nominated and to recommend that another LSA be appointed.

Concerned Supervisory Authorities

The concept of a concerned supervisory authority is meant to ensure that the LSA principle does not prevent other supervisory authorities having a say in how a matter is dealt with when, for example, individuals residing outside the LSA's jurisdiction are substantially affected by a data processing activity, or a complaint has been lodged with that supervisory authority.

Where a LSA decides not to handle a case, the concerned supervisory authority that informed the LSA of it shall handle it. The GDPR requires the LSA and the concerned supervisory authorities to co-operate, with due respect for each other's views, to ensure that a matter is investigated and resolved to each authority's satisfaction and with an effective remedy for data subjects.

Below is a useful diagram for identifying a data controller or processor's LSA:

[Diagram: Identifying a data controller or processor's LSA]

Key contacts

Jonathan Kirsop, Partner (London)

Alison Kenney, Associate (London)