On the 13th of December, the Article 29 Working Party issued its guidelines for identifying a controller’s or processor’s lead supervisory authority (LSA). The aim is to assist organizations in determining who their LSA is when they carry out cross-border processing activities. This relates to the one-stop-shop principle, intended to simplify the way in which organizations operating in several European countries interact with the European supervisory authorities. Correctly identifying the LSA is important, as it determines which authority an organization will have to deal with regarding many of the GDPR compliance requirements, such as registering a data protection officer, notifying a risky processing activity or notifying a data security breach.
The GDPR stipulates that the supervision of cross-border processing should be led by only one supervisory authority within the EU. The opinion defines the elements that need to be considered when identifying the LSA, which revolve around two main questions:
- When does cross-border processing take place?
- What is the main establishment of the controller?
Cross-border processing will occur in two situations:
- Processing of personal data takes place in the context of activities of establishments in more than one Member State in the Union.
For example, when an organization has establishments in Germany and Belgium and the processing of personal data takes place in the context of their activities, there will be cross-border processing.
- Processing of personal data takes place in the context of the activities of a single establishment in the Union but substantially affects, or is likely to substantially affect, data subjects in multiple Member States.
If the processing activity is only carried out in the context of the organization's establishment in Germany, but substantially affects (or is likely to substantially affect) data subjects in Germany and Belgium, this will also be considered cross-border processing.
Identifying the LSA depends on determining the controller’s ‘main establishment’ or ‘single establishment’ in the EU. This main establishment will generally be the place of central administration, which is the place where decisions about the purposes and means of the personal data processing are taken.
While the main establishment or place of central administration will be evident in many cases, in others it can prove difficult to determine. The WP29 offers the following guidance, based on four distinct situations:
- Multiple decision centres in different countries for different processing activities, for example in the context of an international bank. The bank may have its headquarters in Frankfurt, from where all its banking processing activities are organised. The insurance department, however, is located in Vienna. This means there will be two supervisory authorities, one in Germany for processing for banking purposes and one in Austria for processing for insurance purposes.
- Multiple decision centres in different countries but for the same processing activities. The Article 29 Working Party stipulates that the organization itself can decide which supervisory authority will be its LSA. Keep in mind that the accountability principle also applies when choosing your LSA: the LSA can ask for documentation showing that the place of central administration is effectively in the country of the LSA, or for the other factors that were considered when choosing a main establishment.
- Where the main establishment is not the place of central administration in the EU but the organization has an establishment in the EU. In these cases, the solution will be the same as discussed in point two.
- Companies without any establishment in the EU that have appointed a mere representative. Such organizations will not be able to rely on the one-stop-shop mechanism and will therefore have to deal with the local supervisory authorities in every Member State where they are active, through their local representative in the EU.
A very important last remark: the criteria for identifying the LSA of processors will be the same as those for controllers. However, in situations involving a controller as well as a processor, the competent LSA should be the authority for the controller. The identified supervisory authority of the processor will, in such a case, become a “supervisory authority concerned” which will cooperate with the LSA.
A link to the full WP29 guidance on the lead supervisory authority can be found here.
This article was authored by Melissa Jansen, associate consultant and junior DPO at Cranium.