In December 2016, the EU’s Article 29 Working Party (A29WP)—a group comprised of EU national data protection authorities (DPAs) that advises the EU Commission on EU data protection law—issued a number of GDPR guidance documents, including explanations for the mandatory DPO role, new individual right to data portability, and how to identify a “lead authority” for the GDPR’s one-stop shop enforcement mechanism.
Why Should You Care?
Organizations that are subject to the GDPR’s broad scope and grappling with how to comply with the regulation finally have some guidance to refer to in implementing the GDPR’s provisions on data portability, the DPO’s role, and identifying the lead supervisory authority.
The Lead Supervisory Authority
As the final part of our series, we look at the Guidelines for identifying the lead supervisory authority, which contain sections explaining the main considerations for identifying a lead supervisory authority and an annex of questions to guide organizations in performing the identification. Identifying a “lead supervisory authority” is only relevant where an organization is carrying out the “cross-border processing of personal data.” The Guidelines explain further what these terms mean:
“Lead supervisory authority” is the authority with the primary responsibility for dealing with a cross-border data processing activity. It is the entity that responds when a data subject makes a complaint about the processing of their personal data. The lead supervisory authority will coordinate any investigation, involving other “concerned” supervisory authorities.
“Cross-border processing” is either the: (1) processing of personal data that takes place in multiple establishments located in more than one Member State in the Union, where the organization is established in more than one Member State; or (2) processing of personal data that takes place in a single establishment in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State. Data processing affects someone if it has some form of impact on them. Processing with little or no effect on individuals does not fall within the second part of the definition of “cross-border processing,” but it would fall within the first part of the definition where the processing of personal data takes place in more than one Member State. Supervisory authorities will interpret “substantially affects” on a case-by-case basis, taking into account the context of the processing, the type of data, the purpose of the processing, and a list of other factors.
Identifying the lead supervisory authority depends on the data-collecting organization’s “main establishment” or “single establishment” in the EU. For an organization with multiple establishments, its central administration in the Union is the main establishment, unless (1) the decisions on the purposes and means of the processing of personal data are made in another establishment and (2) the latter establishment has the power to have such decisions implemented. In that case, the establishment that took such decisions is considered to be the main establishment.
Organizations that are in the process of building their GDPR compliance programs should review their programs against the A29WP’s available guidance, and keep track of any future guidance that may follow.
Arent Fox’s Privacy, Cybersecurity & Data Protection group monitors developments in the data protection field. If you have any questions, please contact Sarah L. Bruno, Eva J. Pulliam, or the Arent Fox professional who usually handles your matters.