This month the EDPB shed light on the question of lead supervisory authorities. The issue arose in response to a question late last month from the French supervisory authority. Some background. As most international organizations are aware, GDPR provides for a “lead” supervisory authority where companies have their “main establishment” in that location. In the event, for example, of an investigation into a company’s violation of a particular provision of GDPR, the lead supervisory authority would be the sole authority to pursue the problem. This question can also come up when companies are trying to determine what authority to notify of a data breach. Without a lead supervisory authority, all supervisory authorities where there are data subjects would be able to participate.
The “lead supervisory authority” benefit has been referred to as the “one-stop-shop mechanism.” As might be imagined, both companies and supervisory authorities have a strong interest in understanding how to establish if a company has a “lead” supervisory authority. This month the EDPB issued an opinion intended to guide supervisory authorities in how to decide if a multinational qualifies for a lead supervisory authority. Two key criteria must be met:
- The operations in the EU country in question must be where the company makes decisions about the “purpose and means of processing” personal information.
- That EU operation must have the power to implement those decisions.
The EDPB stated in its opinion that if decisions and power to implement the decisions are “exercised outside of the [European] Union” (emphasis added) then there can be no EU lead supervisory authority (opinion, executive summary). The burden of proof, the EDPB noted, is on the company, which must cooperate with the supervisory authority that is attempting to determine if it should be viewed as the “lead.” While the existence of a regional headquarters in the country in question may suggest that the country is the lead, it is not dispositive evidence. The supervisory authority will, the EDPB clarified, still need to look at the full evidence.
Putting It Into Practice: This opinion, although reiterating what is already in GDPR itself (Art 4(16)(a)), demonstrates the EDPB’s focus on supporting cooperation and streamlining between EU member state privacy authorities. Multinational companies, especially those with operations outside of the EU, should keep in mind the decision making and implementation criteria outlined in the EDPB’s opinion.