The Article 29 Data Protection Working Party (WP29) has published guidance on how to identify a controller or processor’s lead supervisory authority, which has the primary responsibility for dealing with cross-border data processing activities.
The question of which supervisory authority is competent is only relevant where a controller or processor is carrying out cross-border processing activities. In the GDPR, there are two hypotheses regarding cross-border processing activities:
- The controller and/or processor is established in more than one Member State and processes personal data in the context of the activities of (at least some) of those establishments. In this case, the supervisory authority of the main establishment of the controller or processor will be competent.
- Processing of personal data takes place in the context of a single establishment of a controller or processor but substantially affects or is likely to substantially affect data subjects in more than one Member State. In this case, the lead supervisory authority is the one of the single establishment in the single Member State.
The WP29 has provided guidelines on what can be understood under the concept of the ‘substantial effect’ as well as on how the ‘main establishment’ can be determined.
The WP29 indicates that the concept of ‘substantial effect’ will have to be assessed on a case-by-case basis, involving consideration of the context, the type of data, the purpose of the data and factors such as whether or not the processing:
- could cause damage, loss or distress to individuals;
- could have an actual effect on limiting rights or denying an opportunity;
- could affect an individual’s health, well-being or peace of mind;
- could affect an individual’s financial or economic status or circumstances;
- could lead to discrimination or unfair treatment of individuals;
- involves special categories of data, particularly with regard to children;
- could cause individuals to change their behaviour in a significant way;
- could have unanticipated or unwanted consequences for individuals;
- could create embarrassment or other negative outcomes, including reputational harm; or
- includes the processing of a wide range of personal data.
Where an organisation has several establishments in the EU, the principle is that the main establishment is the place of the central administration of that organisation. However, if another establishment takes the decisions about the purposes and means of the processing of data – and has the power to have such decisions implemented – then that becomes the main establishment. Importantly, it is possible that there is a different supervisory authority competent for distinct processing activities, in case the purposes and means are decided upon by different establishments.
The question of how to determine the location of a controller’s main establishment starts with the question of whether or not the organisation has an EU headquarters:
- If so, what is its role, and are decisions about the purposes and means of the processing taken within this establishment, and does this establishment have the power to implement decisions concerning the processing activity?
- If not, are there other establishments where:
- decisions about business activities that involve data processing are made;
- the power to have decisions implemented effectively lies;
- the director (or directors) with overall management responsibility for the cross-border processing activity is (are) located; or
- the controller or processor is registered as a company, if in a single territory?
Summary and action points
Organisations should first of all determine whether there are cross-border elements to their data processing activities.
When an organisation has establishments in different Member States, it should assess, with respect to any specific processing, whether it is to be considered as ‘cross-border processing’. This will be the case when such processing takes place in the context of the activities of establishments of the organisation located in different Member States. With respect to each case of ‘cross-border processing’, the main establishment should be determined in order to determine the lead supervisory authority, taking into account the factors set out above.
Even when a company only has a single establishment, processing can still be considered as ‘cross-border processing’ when the processing activities substantially affect (or are likely to substantially affect) data subjects in other countries, taking into account the factors set out above.