For companies active across multiple countries in the EU, the so called “one stop shop” principle in the GDPR is potentially helpful in providing focus and clarity on which data protection regulator would be involved in any breach notification, investigatory or enforcement activity. Consideration of the lead supervisory authority can also guide a company to decide which regulator it should build a relationship with and whose guidance it would be most valuable to be familiar with.
While not top of the priority list for many companies, if there is cross border processing then a business must identify their lead supervisory authority. In addition, a lot of businesses would benefit from spending some time considering which regulator would take the lead should there be any GDPR compliance issues so that the issue does not need to be assessed at short notice if action needs to be taken urgently.
What is the lead supervisory authority “one stop shop” principle?
A supervisory authority is an independent public authority in each European Union member state, tasked with protecting the fundamental rights and freedoms of individuals in relation to any processing of their personal data and with monitoring and ensuring a consistent application of applicable data protection laws in the country in which they are situated.
Both controllers and processors involved in cross-border processing of personal data may be able to benefit from the ‘one stop shop’ principle under the GDPR by identifying a ‘lead supervisory authority’.
A lead supervisory authority has primary responsibility for co-ordinating investigations involving multiple member states, meaning businesses only have to deal with one lead regulator.
The lead supervisory authority mechanism is only applicable in the context of a company’s cross-border processing activities. Consequently, companies must assess whether they meet either of the following criteria:
- processing takes place in the context of the activities of businesses or organisations in more than one member state where the business or organisation is established in more than one member state; or
- processing takes place in the context of the activities of a single establishment but substantially affects or is likely to substantially affect individuals across more than one member state.
How to identify a lead supervisory authority
A business must first identify the location of its main establishment within the EU.
For companies with only a single establishment, but whose processing substantially affects individuals across multiple member states, the supervisory authority of the member state in which that single establishment is located will be the lead authority. There is more specific guidance available on the meaning of “substantially affects”.
For companies with establishments across a number of member states, the question of the location of their main establishment may be much more difficult to answer.
Where multiple EU establishments are concerned, companies must consider the location of central administration within the EU. Logically, this is likely to be a European headquarters, should one exist. However, companies should equally consider where key decisions about the purposes and means of cross-border processing take place across their EU establishments. If the location of such decision-making differs from that of the company’s central administration within the EU then the decision-making establishment will be the main establishment of the business. Other factors to consider include whether a particular establishment has the power to have decisions implemented, and where any directors with overall management responsibility for cross-border processing are located.
In reality, some companies will have no entity that carries out their central administration function within the EU, nor any EU establishment taking decisions regarding the relevant processing. For businesses primarily established outside of the EU, the position becomes more complex. In such circumstances, companies should consider designating an EU establishment to implement decisions and ensure it can absorb liability for any processing activities. However, this may not always be practical for certain companies.
What steps should companies be taking?
Companies should decide whether they are engaged in cross-border data processing in the context of the activities of their EU establishments. They should consider the roles of the entities in Europe and determine which is the main establishment based on the defined terms and the regulatory guidance issued (see below for links to this).
Some businesses may wish to nominate a lead supervisory authority to reflect a preferred enforcement forum strategy, and therefore consideration should be given to the way in which they locate and structure their data processing decision-makers.
The location of a data protection officer (if one has been appointed) and of any other managers involved in data protection compliance is likely to be an important factor in any determination of main establishment. Companies should take care to ensure that the roles and responsibilities of any data protection team are clearly defined and documented, and should maintain detailed and effective records of data processing activities which identify key decision-makers.
Should companies reorganise their European activities to make it easier to identify a lead supervisory authority?
Many companies might consider restructuring their European operations, and we are sometimes asked whether companies should do this so that they are more easily able to identify a lead supervisory authority. For some high profile and consumer facing organisations that may be more exposed to regulatory enforcement risk, this may be worthwhile. However, there are other wider implications that need to be kept in mind, and some of these issues are listed below.
Firstly, it takes time and cost to restructure, especially if this process would involve moving employees, infrastructure and business functions to different countries and changing office requirements (reducing or increasing office space). The short term cost of restructuring may not be outweighed by the potential risk and unknown cost of future regulatory activity.
Secondly, restructuring may have tax or other legal consequences, for example, on permanent establishment issues, intra-group services agreements, cost plus arrangements and other local laws.
It should also be borne in mind that there is no guarantee that an EU regulator would agree with a company’s interpretation of who should be its lead supervisory authority, and so any restructuring may ultimately have little impact. In the event of regulator involvement, the relevant supervisory authorities may themselves determine the appropriate lead supervisory authority. In addition, data subjects are still free to lodge complaints with the regulatory authority where they reside, which may not be the lead supervisory authority.
Finally, for companies which have a UK element to their processing, Brexit considerations may also be a factor, noting that (absent special arrangements) the UK is likely to be viewed as a third country for these purposes after Brexit.
Further guidance on this issue
The European Data Protection Board, the European body which contributes to the consistent application of data protection rules across Europe, has published guidance on the lead supervisory authority mechanism as well as a short FAQ in order to provide further information on the topic.