WP29 GDPR Guidelines: Lead Supervisory Authorities (One Stop Shop Mechanism)
Article 29 Working Party provides new guidelines with respect to lead supervisory authorities under the GDPR.
The Article 29 Working Party (WP29), an advisory body made up of representatives of the national data protection authorities of the European Union (EU) Member States, has published three sets of guidelines on how the General Data Protection Regulation (GDPR) will work in practice (the Guidelines). The Guidelines cover three separate issues: data protection officers; data portability; and lead supervisory authorities. Each will place new obligations on some organisations when the GDPR applies from 25 May 2018.
You can see our previous blog posts on GDPR developments here.
This blog post will focus on the Guidelines on lead supervisory authorities.
The one stop shop mechanism
The one stop shop mechanism introduced by the GDPR will allow data controllers and processors which carry out cross-border processing of personal data to deal with a single lead supervisory authority (LSA), which will have primary responsibility for the organisation's cross-border processing and will coordinate investigations with the other supervisory authorities concerned where necessary.
Organisations which process personal data with no cross-border element will remain subject to their national supervisory authority, as is the case under current legislation. However, where the organisation processing personal data is established in more than one Member State, or the processing takes place in a single Member State but substantially affects data subjects in other Member States, the processing will be cross-border processing and the organisation can benefit from the one stop shop mechanism by identifying its LSA.
Identifying a lead supervisory authority: data controllers
For data controllers, the LSA will be the supervisory authority of the Member State in which the organisation has its main establishment. This can be difficult to determine. The main establishment is presumed to be the place of the controller's central administration in the EU, but for the purposes of the GDPR what matters is where the decisions about the purposes and means of the processing of personal data are actually taken and can be implemented; if that is a different EU establishment, that establishment is the main establishment.
Data controllers with no central administration
Many data controllers will process data in more than one Member State but have no central administration in the EU which takes decisions on processing. In these circumstances, the Guidelines suggest that the data controller designate an EU-based establishment as its central administration, provided that establishment has real authority to take and implement decisions about the processing and will bear liability for it.
If a data controller designates an EU-based central administration in this way, it will be able to benefit from the one stop shop mechanism. Otherwise, the supervisory authorities concerned will determine which of them is the LSA on the basis of objective criteria, and the result may not be the authority the organisation would have preferred.
Data controllers with no EU establishment
According to the Guidelines, data controllers without an EU establishment cannot have an LSA and will instead deal with the local supervisory authority in each Member State in which they are active.
Identifying a lead supervisory authority: data processors
Data processors with establishments in more than one Member State may also benefit from the one stop shop mechanism under the GDPR. The processor's main establishment will be the place of its central administration in the EU or, if it has no central administration in the EU, the EU establishment where its main processing activities take place.
However, in investigations involving both the controller and the processor, the controller's LSA will be the competent authority, and the processor's supervisory authority will participate as a supervisory authority concerned where necessary.
Supervisory authorities across the EU have taken slightly different approaches to enforcing data protection law within their national jurisdictions. For this reason, the ability to identify a single LSA will be attractive to many organisations seeking certainty over how the GDPR will be enforced against them.
Organisations with no EU establishment, particularly those which process large volumes of personal data or sensitive personal data, may decide it is worthwhile to create an EU establishment in order to benefit from the one stop shop mechanism. However, the Guidelines are clear that forum shopping will not be permitted: a "letter-box" establishment will not be treated as a main establishment. Any organisation planning to establish itself in the EU for this reason should therefore ensure that the establishment genuinely satisfies the central administration requirements, that is, that decisions about the purposes and means of processing are in fact taken there.
This blog post was written by Amelia Day, trainee solicitor at White & Black.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.