Article 29 Working Party publishes lead supervisory authority guidelines

10 January 2017

Ruth Boardman, Ariane Mole

The Article 29 Working Party adopted guidelines for identifying a controller or processor’s lead supervisory authority and related FAQs on 13 December 2016 (the "Guidelines").

Identifying a lead supervisory authority is only relevant where a controller or processor is carrying out the "cross-border processing of personal data" (defined in Article 4(23) GDPR). This is the case where: (i) the processing of personal data takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (ii) the processing of personal data takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

The Guidelines consider what is meant by "substantially affects or is likely to substantially affect data subjects". The A29WP states that this will be considered on a case by case basis, taking into account the context of the processing, the type of data, the purpose of the processing and a range of other factors, including (among other things) whether the processing causes, or is likely to cause, damage, loss or distress to individuals, whether the processing affects, or is likely to affect individuals’ health, well-being or peace of mind and whether the processing creates embarrassment or other negative outcomes, including reputational damage.

The A29WP provides guidance on how to identify the lead authority in three scenarios: (i) where the cross border processing involves a controller; (ii) where the cross border processing involves a controller and a processor; and (iii) where the cross border processing involves a processor.

Where the processing only involves a controller and the controller has a single establishment in the EU, the lead supervisory authority is the supervisory authority of the place of that single establishment. Where an organisation has several establishments in the EU, the lead authority will be the supervisory authority of the country where the place of central administration in the EU is located, unless the decisions on purposes and means of the processing are taken in another establishment in the EU. The A29WP asks organisations to consider if there are other establishments: (i) where decisions about business activities that involve data processing are made; (ii) where the power to have decisions implemented effectively lie; (iii) where director(s) with overall management responsibility for the cross-border processing activity are located; and (iv) where the controller is registered as a company, if in a single territory.

The A29WP recognises that there can be situations where more than one lead authority can be identified, i.e. in cases where a multinational company decides to have separate decision making centres, in different countries, for different processing activities.

The Guidelines state that "the GDPR does not permit 'forum shopping'" – there must be an effective and real exercise of management activity in the member state identified as the organisation's main establishment. Organisations should be able to demonstrate to supervisory authorities where decisions about data processing are actually taken and implemented, as they may be asked to evidence their position.

The A29WP emphasises informal cooperation between lead and concerned supervisory authorities to reach a mutually acceptable course of action, noting that the formal consistency mechanism should only be invoked where co-operation does not reach a mutually acceptable outcome.

You can find the guidelines here.