On April 17, 2023, the European Data Protection Board (“EDPB”) adopted a final version of the Guidelines for identifying a controller or processor’s lead supervisory authority (“New Guidelines”). This document is an update to the Article 29 Working Party Guidelines (“Old Guidelines”) which were adopted in April 2017 and subsequently endorsed by the EDPB.
There was a need for clarification regarding the notion of main establishment in the context of joint controllership, taking into account the EDPB Guidelines 07/2020 on the concepts of controllers and processor under the GDPR.
Background – Lead Supervisory Authority
The designation of a lead supervisory authority is a concept commonly referred to as the one stop shop principle. Essentially, this means that a company which has multiple operations in the EU can choose to deal with one supervisory authority, instead of having to deal with a supervisory authority in each member state of operation.
The GDPR provides that the supervisory authority of the main establishment or the single establishment of a company is its lead supervisory authority. To qualify as the “main establishment” in a member state, there has to be an effective and real exercise of management activity or decision-making over the processing of personal data that takes place there.
Once appointed, the lead supervisory authority becomes the authority with primary responsibility (i.e. the sole point of contact) for dealing with a company’s cross-border data processing activity, such as when an individual brings a complaint about the processing of their personal data or for the reporting of data breaches. The lead supervisory authority will also coordinate any investigation involving other concerned supervisory authorities.
The change – Joint Controllers
The GDPR makes it clear that in joint controllership situations, controllers are required to determine their respective responsibilities for GDPR compliance. Essentially, joint controllers need to decide between themselves who will be responsible for specific tasks to ensure the data processing is GDPR compliant. Supervisory authorities are not bound by the terms of the joint controller arrangement.
In the Old Guidelines, the authorities were of the view that joint controllers should designate a common main establishment, including a lead supervisory authority. Now, the EDPB has clarified that the notion of main establishments should only apply to a single controller, not joint controllers. Any main establishment (and therefore the lead supervisory authority) can only be designated individually for each joint controller. In other words, the main establishment for one joint controller cannot be considered the main establishment for all joint controllers.
Takeaways
The EDPB’s updates to the Old Guidelines are minor and only reverse the point on the application of the one stop shop principle to joint controllers.
However, in light of the New Guidelines, companies who are joint controllers need to take into account the updated guidance. Specifically, joint controllers should review any joint controller arrangements, data protection privacy policies, and other relevant data protection information to establish whether they are compliant with the New Guidelines. If not, then companies will need to reassess their designation of a lead supervisory authority and update their documentation accordingly.
The post New EDPB Guidelines on Designation of a Lead Supervisory Authority appeared first on Data, Privacy & Cybersecurity Insights.