Under the General Data Protection Regulation (GDPR), organisations which carry out a « cross border data processing » must appoint a Lead Data Protection Authority. This appointed Supervisory Authority will act as their main point of contact.
Although initially introduced to lower the administrative burden of organisations, which previously had to deal with each Member State’s authority, the one-stop-shop provisions were the main point of disagreement during the negotiation of the GDPR and as a result, have become complex.
Indeed, these provisions only apply to cross border processing activities and not to the organisation’s whole processing activities. Besides, if the organisation’s main establishment for this processing activities is outside of the EU, the organisation will not benefit from these provisions. It also entails the formal appointment of the Lead Auhtority where necessary.
When do the one-stop-shop provisions apply?
According to the GDPR, the one-stop-shop provisions apply only:
- when a controller and/or a processor carry out a cross-border processing activity within the European Union (i.e. a processing activity impacting more than one Member States); and
- when its main establishment in relation to this processing activity is located in the EU.
Public authorities are excluded from the scope of the one-stop-shop provisions whether or not their processing activities meet the above conditions.
What is a “cross-border processing”?
According to GDPR, a cross border processing is either :
- A processing of personal data which takes place in the context of the activities of a controller or a processor’s establishments, located in more than one Member States; OR
- A processing of personal data which takes place in the context of the activities of a single establishment of a controller or a processor in the Union but which substantially affect or is likely to substantially affect data subjects in more than one Member States.
In practice, a processing activity will qualify as a “cross boarder processing” if it concerns:
- at least two of an organisation’s establishments which are located in two different Member states;
- one EU-based establishment of an organisation provided the processing activity targets individuals in more than one Member State.
It will not qualify as a “cross boarder processing” , if it concerns establishments located outside of the European Union (regardless of the location of the targeted individuals).
What is the main establishment?
Where an organisation or a group of undertakings carries out cross-border processing activities, it must appoint a lead supervisory authority in the country of its main establishment or its single establishment (i.e. the main establishment must be in the EU).
An establishment can be either a branch, a subsidiary, or even an office as long it is sufficiently stable. It will qualify as the main establishment if it takes most decisions about the cross-border processing activities.
As a result, are automatically excluded from the benefits of the one-stop-shop provisions, controllers, or processors not established within the Union or, whose main establishment is not in the EU.
What is the role of the Lead Supervisory Authority?
The Lead Supervisory Authority will act as the only organisation’s contact for any questions, complaints, investigations, or other issues regarding the cross-border processing activities only.
However, the other supervisory authorities remain competent for dealing with complaints or infringement of the regulation if they relate only to establishments or individuals located in its Member State.
What to do if both controllers and processors have a lead supervisory authority?
Where both the controller and the processor have appointed a lead supervisory authority, the controller’s lead supervisory authority takes the lead whilst, the processor’s lead supervisory authority only plays the role of a supervisory authority.
If you need help to work out whether your organisation may benefit from the one-stop-shop provisions, you can contact Arnaud Blanc.