EDPB Guidelines on Identifying Lead Supervisory Authority

Published January 2, 2023 / Updated November 22, 2023

The European Union’s (EU) General Data Protection Regulation (GDPR) is considered one of the most comprehensive data protection laws to have been enacted. The GDPR, amongst other things, elaborates on the rights of European residents with respect to their personal data, the necessary obligations of all organizations processing the personal data of EU residents, and the regulatory bodies that are involved in enforcing the regulation.

To help achieve consistent application of data protection rules across the EU and promote cooperation between the EU’s data protection authorities, the European Data Protection Board (EDPB) provides guidelines on different questions of interpretation arising under the GDPR.

One such question is addressed by the EDPB's guidelines on identifying the lead supervisory authority for both data controllers and processors, as well as other special arrangements such as joint controllers. Each EU member state is required to have one or more supervisory authorities under the GDPR. The supervisory authority (data protection authority or regulatory body) is responsible for monitoring the application of the GDPR within that member state.

This is to protect the fundamental rights and freedoms of data subjects and facilitate the free flow of personal data within the EU. Supervisory authorities also ensure compliance by imposing penalties on companies for violations of the provisions of the GDPR.

These Guidelines clarify that joint controllers cannot have more than one establishment in the EU and, therefore, cannot agree to have more than one supervisory authority. This article provides an overview of the EDPB Guidelines that will help data controllers and processors to identify the lead supervisory authority for the purposes of compliance with the GDPR.

Key Concepts to Know

Here are some key concepts to know.

Processing of Personal Data in more than one EU Member State

Identifying a lead supervisory authority is relevant or necessary when the controller or processor in question is carrying out international or cross-border processing of personal data. If an organization has establishments in two or more EU member states and data processing takes place in the context of their activities, or if the organization’s data processing activities substantially affect data subjects in more than one EU member state, such data processing will be deemed cross-border data processing.

It is important to note here that the second tier of the definition is not limited to an actual substantial effect, but also includes data processing activities that are likely to have a substantial effect on data subjects. In this respect, ‘likely to’ does not mean that there is a remote possibility of a substantial effect. Rather, the substantial effect should be more likely to occur than not.

The EDPB recommends criteria that should be taken into consideration to determine whether or not a data processing activity substantially affects data subjects. These factors include the following:

  • The context and purpose of the processing,
  • The amount and type of personal data involved,
  • Whether the processing is likely to have an actual effect in terms of limiting rights or denying an opportunity,
  • Whether the processing is likely to affect individuals’ financial or economic status or circumstances,
  • Whether the processing leaves individuals open to discrimination or unfair treatment,
  • Whether the processing relates to sensitive personal data,
  • Whether the processing relates to minors’ personal data,
  • Whether the processing causes or is likely to cause individuals to change their behavior in a significant way,
  • Whether the processing has unlikely, unanticipated or unwanted consequences for individuals,
  • Whether the processing creates embarrassment or other negative outcomes, including reputation damage,
  • The actual or likely impacts of the processing, such as the damage, loss, or distress caused to individuals or consequences relating to an individual’s health, well-being, or peace of mind, or
  • Whether the processing involves the processing of a wide range of personal data.

Whether a particular data processing activity substantially affects data subjects in more than one EU member state is determined on a case-by-case basis. However, if it is determined that the processing activities of an organization substantially affect or are likely to substantially affect data subjects in more than one EU member state after taking into consideration the aforementioned factors, it is essential for the organization to identify its lead supervisory authority for compliance purposes.

Lead Supervisory Authority

In simple terms, a lead supervisory authority is a body primarily responsible for regulating all cross-border data processing activities. This includes being the first point of contact for any data subject looking to launch a complaint related to the processing of their personal data. Moreover, the lead supervisory authority is also responsible for coordinating any investigations that may involve other concerned supervisory authorities. The essence of the lead supervisory authority is that the supervision of cross-border processing should be led by only one supervisory authority in the EU.

As far as identifying the lead supervisory authority is concerned, it primarily depends on the “main establishment” of the controller or processor.

Main Establishment

As per Article 4(16) of the GDPR, "main establishment" means,

  • “as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
  • as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;”

In simpler terms, the main establishment refers to the central administration of the organization in question within the European Economic Area (EEA), where all decision-making related to the means and purposes of data processing is carried out.

It is important to note that if an organization does not have an establishment in the EEA, the mere presence of its representative in an EU member state does not trigger the one-stop-shop principle in relation to identifying the lead supervisory authority. Therefore, such organizations must deal with local supervisory authorities in every member state they are active in through their local representative.

In its revised Breach notification guidelines, the EDPB has clarified that non-EU establishments subject to the GDPR, regardless of having a representative, need to notify personal data breaches to all supervisory authorities concerned for the EU member states where the affected data subjects reside.

Necessary Steps to Undertake to Identify the Lead Supervisory Authority

It is necessary to establish an organization’s main establishment in order to identify its lead supervisory authority. The lead supervisory authority for an organization is the supervisory authority of the EU member state where its main establishment is located. Having one supervisory authority allows centralized enforcement of the GDPR.

It is in the interests of controllers and processors to correctly identify their main establishment so they have clarity on which EU member state’s supervisory authority they have to deal with in respect of their compliance duties under the GDPR. The determination of controllers or processors regarding their main establishment and the lead supervisory authority can be challenged by the respective concerned supervisory authority afterward.

Identifying Main Establishment

In order to establish where the main establishment of a controller is, it is important to identify the controller’s central administration in the EEA, if any. The main establishment of a controller should be the place of its central administration unless the decisions about the purposes and means of processing data are taken in another establishment of the controller in the EU, in which case, such other establishment would be considered the main establishment.

However, there may also be cases where various regional establishments make autonomous decisions related to the data processing operations of an organization, i.e., in the case of an organization with separate decision-making centers across different countries. In such instances, multiple lead supervisory authorities can be identified.

Recital 36 of the GDPR helps clarify the main factor in determining the main establishment of a controller if the central administration does not apply. This involves identifying the place where management activities in relation to determining the purposes and means of processing effectively occur. Recital 36 also clarifies that the presence and use of technical means or technologies for data processing operations do not constitute the criteria for determining a controller’s main establishment.

The EDPB recommends the following non-exhaustive criteria to determine the location of a controller’s main establishment where it is not the location of its central administration in the EEA.

  • Where are decisions about the purposes and means of the processing given the final 'sign off'?
  • Where are the decisions about business activities that involve data processing made?
  • Where does the power to have decisions implemented effectively lie?
  • Where is the Director (or Directors) with overall management responsibility for the cross-border processing located?
  • Where is the controller or processor registered as a company, if in a single territory?

Groups of Undertakings

Where the processing of data is carried out by a group of undertakings that has its headquarters in the EEA, such establishment of the undertaking, which has overall control, is presumed to be the decision-making center, and thus, the main establishment for the group, except for where decisions about the purposes and means of processing are taken by another establishment. Hence, the headquarters of an organization, located within the EEA, is likely to be its main establishment, and the lead supervisory authority will be the one in the country of its location.

Joint Controllers

Things are a bit more complicated when it comes to organizations acting as ‘Joint Controllers’ since the GDPR does not explicitly deal with the issue of designating a lead supervisory authority where two or more controllers established in the EEA jointly determine the purposes and means of processing.

The EDPB, in its guidelines, requires joint controllers to specify their respective responsibilities. However, the supervisory bodies are not bound by the terms agreed between the joint controllers.

Since the concept of the main establishment is linked to a single controller under the GDPR, the main establishment of one organization cannot be considered the main establishment of the joint controllers. Hence, joint controllers cannot designate a common main establishment for both joint controllers.

Borderline Cases

  1. There will be cases where identifying the main establishment or place of primary decision-making in relation to data processing operations will be difficult. For example, it is difficult to identify the main establishment where the controller is established in several EU member states, there is no central administration in the EEA, and no EEA establishment is taking decisions in relation to data processing. For such instances, the EDPB recommends that the organization designate a main establishment as the lead authority to implement decisions related to data processing. Such an establishment should assume any liabilities resulting from these decisions and must have sufficient assets.
  2. The GDPR prohibits "forum shopping," i.e., an organization claiming to have its main establishment in one member state when no effective and real exercise of management activity or decision-making over the processing of personal data takes place there. In such an instance, the relevant supervisory authorities (or, ultimately, the EDPB) will decide which authority is the "lead" while relying on objective criteria and evidence.

    The burden of proof falls on the organization in question to demonstrate to the relevant supervisory authorities where the decision-making in relation to data processing operations takes place and where the power to implement such decisions lies. Effective records of data processing activities would be helpful in such cases to determine the lead supervisory authority.

  3. As far as data processors are concerned, Article 4(16)(b) of the GDPR states that the processor's main establishment is its place of central administration within the EU. If there is no central administration within the EU, the processor’s main establishment will be the place where its primary data processing activities occur.
  4. In cases involving both the data processor and controller, where the controller is established in the EEA, the competent lead supervisory authority for the controller should be the supervisory authority of the EU member state within which the controller has its main establishment; however, the supervisory authority of the processor should be the ‘supervisory authority concerned.’ According to Article 4(22) of the GDPR, ‘supervisory authority concerned’ means “a supervisory authority which is concerned by the processing of personal data because:
    • the controller or processor is established on the territory of the Member State of that supervisory authority;
    • data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
    • a complaint has been lodged with that supervisory authority.”
  5. In cases where the controller or processor is not established within the EU, but their processing activities relate to the offering of goods or services to data subjects in the EU or the monitoring of their behavior as far as their behavior takes place within the EU, and the GDPR applies to them, such controllers or processors will not be subject to the foregoing one-stop-shop mechanism. For example, if a processor is providing services to multiple controllers located in different EU member states, the lead supervisory authority will be the supervisory authority that is competent to act as the lead for the controller. Therefore, such a processor may have to deal with multiple supervisory authorities.

How Can Securiti Help

Identifying the lead supervisory authority is just the first step toward achieving GDPR compliance. As mentioned before, the GDPR remains one of the most comprehensive data protection regulations. The obligations it places on organizations require strict adherence to certain principles and a radical overhaul of data processing practices in some cases.

However, that is not to say that GDPR compliance needs to be incredibly complicated as well, provided an organization opts for the right tools.

This is where Securiti can help.

Securiti has made a name for itself as a pioneer in providing data compliance and governance-related enterprise solutions. From cookie management and DSR automation to breach management and vendor management, Securiti has a range of solutions to help your organization achieve GDPR compliance.

Request a demo today and learn more about how Securiti can help you comply with the GDPR as well as any other major data protection legislation.

Authored by Maria Khan

Maria Khan is an IAPP Certified Information Privacy Professional (CIPP/Europe) and a Certified Information Privacy Manager (CIPM). She earned her LL.M from the University of Michigan Law School, where she received the Michigan Grotius Fellowship, a fully-funded award. Additionally, Maria holds a B.A-LL.B (Hons.) from Pakistan.

Passionate about data privacy, AI governance, and business and human rights, Maria facilitates organizations in evaluating data privacy compliance risks and offers privacy-compliant solutions. She plays a key role in supporting regulatory intelligence within products/software and aiding organizations in meeting compliance efforts. Maria possesses a substantial understanding of global data privacy obligations, particularly in relation to AI governance, consent management, user transparency, digital marketing, cross-border data transfers, and AI risk assessments.
