What is a Lead Supervisory Authority?
A Lead Supervisory Authority (LSA) is essentially the authority that has the lead responsibility for dealing with regulatory matters where there is a cross-border data processing issue, such as a complaint or data breach.
Article 56 of the GDPR created a “one stop shop” for cross-border processing issues, so that if there is an investigation just one regulator will be appointed to lead it. The data protection authorities (DPAs) of other affected EU Member States can provide input to the lead regulator, but there is one consolidated finding and, where applicable, one fine.
Cross-border processing is where:
- processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
- processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State (Article 4 (23), GDPR).
If cross-border processing occurs within the EEA, then identifying a Lead Supervisory Authority (LSA) becomes relevant.
Detailing how to identify an LSA, the Article 29 Data Protection Working Party adopted guidelines in 2016 for identifying a controller’s or processor’s lead supervisory authority. These guidelines were endorsed in 2018 by the European Data Protection Board when it took over from the Article 29 Working Party.
“Substantial Effect”
What constitutes a “substantial effect” is not defined in the GDPR, but the guidelines state that the ordinary English meaning should be given to these words. The guidelines also state that even if a large number of individuals’ data is being processed, if there is no “substantial effect” then the processing will not constitute cross-border processing.
The guidelines state that whether there is a substantial effect will be determined on a case-by-case basis by Supervisory Authorities, taking into account the context, type of data, purpose of the processing and factors including whether the processing:
- causes, or is likely to cause, damage, loss or distress to individuals;
- has, or is likely to have, an actual effect in terms of limiting rights or denying an opportunity;
- affects, or is likely to affect individuals’ health, well-being or peace of mind;
- affects, or is likely to affect, individuals’ financial or economic status or circumstances;
- leaves individuals open to discrimination or unfair treatment;
- involves the analysis of the special categories of personal or other intrusive data, particularly the personal data of children;
- causes, or is likely to cause individuals to change their behaviour in a significant way;
- has unlikely, unanticipated or unwanted consequences for individuals;
- creates embarrassment or other negative outcomes, including reputational damage; or
- involves the processing of a wide range of personal data.
What is a Main Establishment under the GDPR?
In order to determine the lead supervisory authority, the location of the controller’s ‘main establishment’ needs to be identified.
Article 4(16) GDPR defines a main establishment as:
as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;
Main Establishment for Controllers
A main establishment for a controller is generally the place of its central administration, because that is generally where decisions regarding the purposes and means of processing of personal data are assumed to be taken. If, however, an organisation has another location in the EU where decisions on the purposes and means of the processing of personal data are taken, then that location will be considered the main establishment.
Determining where decisions regarding data are taken was the essence of the 2019 case against Google before the French regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL). Google, whose EU headquarters are in Ireland, was found to have breached various requirements of the GDPR, including providing insufficient information to users and failing to obtain valid consent.
The CNIL found that Google’s data processing decisions were taken in the US and not in Ireland, and therefore concluded that Google had no “main” EU establishment despite having its EU corporate headquarters in Ireland. This ruling meant that not only could the French authorities investigate and fine Google, but other supervisory authorities across the EU could potentially do so as well.
As a result of the ruling, Google moved the management of EU data from the US to Ireland to avert any further investigations. Google Ireland Limited became the data controller responsible for EEA and Swiss users’ information. Google stated that it made the changes:
to facilitate engagement with EU data protection authorities via the GDPR’s “One Stop Shop” mechanism, which was created to ensure consistency of regulatory decisions for companies and EU citizens.
Issues related to cross-border data transfers are likely to arise after the UK leaves the EU. The ICO has updated its guidance on cross-border processing and the “one stop shop” to reflect issues that may arise post-Brexit. Businesses that are headquartered in the UK but that process data in the EU may need to deal with the ICO in the UK as well as their lead EU supervisory body. Where there is no lead supervisory body, because the organisation has no establishment in the EU but is processing data likely to substantially affect individuals in one or more EEA states, that organisation may need to deal with a multiplicity of supervisory bodies.
It is therefore essential for multinational companies to identify precisely where the decisions on the purpose and means of processing are taken, and not to simply assume it is where their corporate headquarters are based.
How to Identify the Main Establishment where the Controller’s Main Establishment is not the Place of its Central Administration in the EU
Recital 36 to the GDPR sets out details for identifying the main establishment where the central administration criterion does not apply. It states that the “main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements.” It states that the processing of personal data does not necessarily have to be conducted at that location; likewise, the fact that there is a “presence and use of technical means and technologies for processing personal data” at the location does not in itself provide a determining criterion.
The data controller itself determines where its main establishment is, and it can seek guidance from supervisory authorities to avoid a negative finding later. The main establishment will be determined by objective factors and evidence, so it is not possible for a controller to forum shop for a supervisory body that it perceives as being favourable or lenient.
The Article 29 Working Party Guidance indicated the following non-exhaustive factors which might help determine where the main establishment is:
- Where are decisions about the purposes and means of the processing given final ‘sign off’?
- Where are decisions about business activities that involve data processing made?
- Where does the power to have decisions implemented effectively lie?
- Where is the Director (or Directors) with overall management responsibility for the cross-border processing located?
- Where is the controller or processor registered as a company, if in a single territory?
Group of Undertakings
Where there is a clear operational headquarters within a group of EU undertakings, that is likely to be the main establishment, principally because it is probably the place of central administration. If, however, decisions about the purposes and means of processing are taken by another part of the group, then that part will likely be the main establishment. Recital 36 states the following with respect to groups of undertakings:
Where the processing is carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered to be the main establishment of the group of undertakings, except where the purposes and means of processing are determined by another undertaking.
In the case of joint data controllers, namely where two or more controllers established in the EU jointly determine the purposes and means of processing, the Article 29 Working Party Guidance states that joint controllers should “designate which establishment of the joint controllers will have the power to implement decisions about the processing with respect to all joint controllers.” This establishment will then be the main establishment. Joint controllers will each be held liable for the entire damage caused by any data processing (Article 82(4)).
Organisations Based Outside the EU
Where an organisation is based outside the EU but is processing data inside the EU and has no significant establishment within a Member State, it will not be able to benefit from the One Stop Shop procedure unless it specifically designates, and physically establishes, an establishment that implements decisions about the processing activity and takes liability for that processing. Otherwise it will instead have to deal with each supervisory authority in whose territory it processes data.
Processors
The GDPR also provides the one-stop-shop mechanism for data processors.
The processor’s main establishment will be the central administration of the processor in the EU. Where there is no central administration in the EU, the main establishment will be where the main processing activities take place in the EU.
In cases involving both the controller and the processor, the lead supervisory authority will be the lead supervisory authority for the controller. The supervisory authority of the processor will be a ‘supervisory authority concerned’ and will participate in any investigation.
Where a processor is providing services to multiple EU-based controllers, it will then have to deal with multiple supervisory authorities.