WP29 publishes revised guidelines on identifying a data controller’s lead supervisory authority

download (6)In its plenary meeting held in April 2017, Working Party 29 (WP29) examined certain critical matters regarding the implementation of Regulation 2016/679, the s.c. General Data Protection Regulation (GDPR).

In that occasion, WP29 approved the Revised Guidelines on The Lead Supervisory Authority, wp244rev.01 (Revised Guidelines), which contain several differences compared to the Guidelines on identifying a data controller’s lead supervisory authority (Guidelines) previously published.

The Revised Guidelines are relevant to multi-nationals operating across Europe. The Guidelines apply where a controller or processor is carrying out “cross-border processing” of personal data.

The GDPR defines ‘cross-border processing’ as either the:

  • processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
  • processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

For example, if an organization has establishments in France and Romania and the processing of personal data takes place in the context of their activities, then this will constitute cross-border processing.

Alternatively, the organization may only carry out processing activity in the context of its establishment in France. However, if the activity substantially affects – or is likely to substantially affect – data subjects in France and Romania then this will also constitute crossborder processing.

In these cases, the lead supervisory authority is the main data protection regulator that the organization deals with; according the one-stop-shop principle introduced by the GDPR.

Determining the location of the controller’s “main establishment” allows to identify the lead supervisory authority.

Below some of the main differences between the Revised Guidelines on The Lead Supervisory Authority, wp244rev.01 and the Guidelines on identifying a data controller’s lead supervisory authority.

Processing implementation. The approach implied in the GDPR is that the central administration in the EU is the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented.

Also joint controllers, should designate (among the establishments where decisions are taken) which establishment will have the power to implement decisions about the processing with respect to all joint controllers – and act as the main establishment.

Ultimate definition of lead authority by concerned DPAs. The GDPR does not permit ‘forum shopping’. If a company claims to have its main establishment in one Member State, but no effective and real exercise of management activity or  decision making over the processing of personal data takes place there, the relevant supervisory authorities (or ultimately EDPB) will decide which supervisory authority is the ‘lead’, using objective criteria and looking at the evidence. According to the Revised Guidelines, the lead supervisory authority can rebut the controller’s analysis. The denial shall be based on an objective examination of the relevant facts. The lead supervisory authority can request further information if it deems it necessary.

Multiple DPAs for processors. The GDPR also offers the one-stop-shop system for the benefit of data processors that are subject to GDPR and have establishments in more than one Member State. The processor’s main establishment will be the place of the central administration of the processor in the EU or, if there is no central administration in the EU, the establishment in the EU where the main processing activities (of the processor) take place. However, according to Whereas 36, GDPR, in cases involving both controller and processor, the competent lead supervisory authority should be the lead supervisory authority for the controller.

A processor such as, for example, a large cloud-service provider, may provide services to multiple controllers located in different Member States. In such cases, the lead supervisory authority will be the supervisory authority that is competent to act as lead for the controller. The Revised Guidelines highlight that, in effect, this means a processor may have to deal with multiple supervisory authorities.

Remember that this rule will only apply where the controller is established in the EU. In cases when controllers are subject to the GDPR on the basis of Article 3(2), they will not be subject to the one-stop-shop mechanism.

Annexes. Helpfully, the Revised Guidelines include an updated Annex providing a guide for selecting a lead supervisory data authority.