The group of national EU data protection regulators – the ‘Article 29 Working Party’ – has issued guidance and FAQs on who will regulate businesses that process data cross-border under a new EU data protection law. Multi-national businesses had been awaiting guidance on the question of which national regulator would be their ‘lead supervisory authority’ when the new EU General Data Protection Regulation takes effect in May 2018. Creating a ‘one-stop-shop’ for international business is a core principle of the GDPR: the aim is to minimise the need for multi-national businesses to deal with multiple regulators. National regulators differ in their approach, so this is an important factor in allowing businesses to understand how the GDPR is likely to apply to them. The new guidance is practical and includes some useful examples.

Under the GDPR, the identity of a business’s lead supervisory authority is dictated by where its ‘main establishment’ is. The Art. 29 WP gives the following guidance.

  • Multifactorial assessment. For businesses established in more than one member state, identifying the ‘main establishment’ can be complex - although it’s more straightforward for those with a centralised decision-making HQ and branch-type structure. Examples of questions businesses should ask include:
    • Where are decisions about the purposes and means of the data processing given final ‘sign off’?
    • Where are decisions about business activities that involve data processing made?
    • Where does the power to have decisions implemented effectively lie?
  • There may be more than one lead supervisory authority. The identity of the lead supervisory authority may vary depending on the business’s activities. For example, a business that conducts banking and insurance activities may have one lead supervisory authority for its banking activities and another for insurance.
  • No ‘forum shopping’.The GDPR doesn’t allow ‘forum shopping’ on the choice of lead authority. Authorities may challenge and investigate a business’s decision about who its lead authority is.
  • Borderline cases. If a company can’t identify its main establishment, but still wants to benefit from the one-stop-shop, it can make a pragmatic decision to designate an entity to act as its main establishment. This entity must have the authority to implement decisions about data processing and take liability for it, including having sufficient assets. Without this kind of pragmatic approach, it will not be possible to designate a lead authority.
  • Technical means. The guidance reiterates the GDPR’s approach that the presence and use of technical means and technologies for data processing don’t in themselves determine ‘main establishment’.

The guidance also reiterates the GDPR by saying that, where a business appoints a data processor, the business’s own lead supervisory authority will be the relevant one.