Data protection - Supervisory authorities one-stop-shop: WP29 guidelines
The final draft of the GDPR enables local regulators to deal with local issues which relate only to their territory.
The final draft of the GDPR enables local regulators to deal with local issues which relate only to their territory. Where cross-border processing takes place, a “one-stopshop” mechanism can apply to the extent that the lead authority will involve other “concerned” authorities in GDPR enforcement. “Cross-border processing” means establishments in two or more EU states and the processing is in respect of one establishment in one state, but does (or is likely to) substantially affect data subjects in other EU states.
The Article 29 Working Party (WP29) has published guidance on determining the location of a data controller’s “main establishment” or “single establishment”. Unless another establishment in fact makes the decisions about the purposes and means of processing, the central administration will be the main establishment. If more than one establishment makes its own “autonomous decisions concerning the purposes and means of a specific processing activity”, then the WP29 view is that there can be more than one lead supervisory authority. But the more centralised the decision-making across a multi-national, the more likely it will be to have a lead supervisory authority. It is up to the controller to identify its own supervisory authority (much as this can be open to authority challenge).
The WP29 opinion also identifies border-line cases – eg where none of the establishments in the EU are taking decisions on the processing and there is no main establishment in the EU. This makes it harder for the lead authority to be identified and means the group cannot benefit from the “one-stop-shop” mechanism, unless the organisation designates a particular establishment as its main establishment, and that entity is responsible for the processing decisions.
Why is this important?
Many had hoped that the GDPR would bring about a true “one-stop-shop” mechanism to avoid the current problem of multi-nationals facing different approaches by different regulators in different territories.
While the final position is more muted, clearly there will be benefits in having a lead authority where cross-border processing takes place.
The WP29 opinion helps feed into the decision as to which group entity will be the “main establishment” for a multi-national, and whether it can benefit from the “one-stop-shop” mechanism.
Any practical tips?
As with everything GDPR-related, start planning now! The new (data) world order is just over a year away, and determining which will be your main establishment for data processing activities (and where it will be located) is clearly a critical piece of the wider post-Brexit puzzle.