Under the General Data Protection Regulation, companies carrying out a « cross border data processing » must appoint a Lead Data Protection Authority, which will be acting as their main point of contact.
Though initially introduced to lower the administrative burden of organisations, which previously had to deal with each Member State authority, the one-stop-shop provisions were the main point of disagreement during the negotiation of the GDPR and as a result, have become complex.
Indeed, these provisions only apply to cross border processing and not to the organisation’s whole processing activities, companies whose main establishment is outside of the EU may not benefit from these provisions, and it entails a formal appointment of the Lead Auhtority where necessary.
When do one-stop-shop provisions apply?
In theory, the one-stop-shop provisions apply only when a controller and/or a processor carry out a cross border processing activity within the European Union (i.e. a processing activity impacting more than one Member States).
What is cross border processing?
According to GDPR, a cross border processing is either :
- A processing of personal data which takes place in the context of the activities of a controller or a processor’s establishments, located in more than one Member States; OR
- A processing of personal data which takes place in the context of the activities of a single establishment of a controller or a processor in the Union but which substantially affect or is likely to substantially affect data subjects in more than one Member States.
In practice, if an organisation:
- does not have any establishment within the European Union, none of its processing activities may qualify as cross border processing;
- has establishments in more than one Member States and, carry out a data processing activity necessary to each establishment’s activities, it is a cross border processing;
- has only one establishment in the Union but it carries out data processing activities targetting individuals in more than one Member States, these processing activities qualified as cross border processing.
(exception: public authorities are excluded from the scope of the one-stop-shop provisions)
What should an organisation do when it carries out cross border processing?
Where an organisation or a group of undertaking carries out a cross-border processing, it must appoint a lead supervisory authority in the country of its main establishment or its single establishment.
An establishement can be either a branch, a subsidiary or even an office as long it is sufficently stable. if it takes most decisions about the cross-border processing activities, it may qualify as main establishment.
As a result, are automatically excluded from the benefits of the one-stop-shop provisions, controllers or processors not established within the Union or, whose main establishment is not in the EU.
What is the role of the Lead Supervisory Authority?
The Lead Supervisory Authority will act as the only organisation’s contact for any questions, complaints, investigations or other issues regarding the cross-border processing activities only.
However, the other supervisory authorities remain competent for dealing with complaints or infringement of the regulation if they relate only to establishments or individuals located only in its Member State.
What to do if both controllers and processors have a lead supervisory authority?
Where both of the controller and the processor have appointed a lead supervisory authority, the controller’s lead supervisory authority takes the lead whilst, the processor’s lead supervisory authority only plays the role of a supervisory authority.