Late last week, the Article 29 Working Party (“WP29”) issued detailed guidance on companies’ obligations under three key provisions of the General Data Protection Regulation (GDPR). This is part three of a three-part Alston & Bird series evaluating WP29’s positions, and relates to the “One Stop Shop” mechanism, which aims to simplify the way companies with operations in multiple EU countries interact with the EU supervisory authorities (“SAs”). Part 1 deals with Data Protection Officer obligations under the GDPR, while Part 2 analyzes the guidance on the Right to Data Portability.
The general rule under the GDPR is that only one supervisory authority (the “Lead SA”) will supervise cross-border processing activities or activities involving citizens of more than one EU country. The guidance paper of WP29 and the corresponding FAQs clarify the criteria companies need to take into account to identify their Lead SA.
Cross-Border Processing – The One Stop Shop mechanism only applies where a processor or controller carries out “cross-border” processing of personal data, as opposed to merely local data processing, which WP29 clarifies to mean either of the following:
(i) Processing takes place in the context of the activities of establishments in more than one Member State – e.g. where a company has establishments in France and Romania, and the processing takes place in the context of both establishments’ activities; or
(ii) Processing takes place in the context of the activities of a single EU establishment, but it “substantially affects” or is likely to substantially affect individuals in more than one Member State – e.g. a processing activity is carried out in France but affects or may affect individuals in both France and Romania. To determine whether a processing activity may “substantially affect” individuals in multiple EU Member States, companies should assess whether the processing has or may have the following impact on individuals:
- cause them damage, loss or distress;
- limit their rights and opportunities;
- affect their health, well-being or peace of mind;
- affect their financial or economic status or circumstances;
- leave them open to discrimination or unfair treatment;
- involve the analysis of special categories of data or children’s data;
- cause them to change their behavior in a significant way;
- create unlikely, unanticipated or unwanted consequences for them;
- create embarrassment or other negative outcomes, including reputational damage; or
- involve the processing of a “wide range” of personal data.
Main Establishment – The Lead SA is the SA of the country where the “main establishment” of an organization is based. WP29 clarifies that companies should determine their main establishment and thus their Lead SA as follows:
(i) if a company has a single EU establishment, that is its main establishment (presuming the company is engaged in “cross-border” processing);
(ii) if an organization has several establishments in the EU, the main establishment is its “central administration” (i.e. its EU headquarters); or
(iii) if a company, despite having EU headquarters, has one (or more) EU establishment(s) that make decisions about the purposes and means of cross-border processing, that establishment is considered the main establishment for purposes of Lead SA designation. In this scenario, the Lead SA is the SA for the particular cross-border processing activities that are managed by the establishment within its jurisdiction. This can lead to multiple Lead SAs (e.g. if a company’s analytics decisions are made in Hamburg, while marketing is decided in Paris), and WP29 invites companies to concentrate their decision-making powers in a single location to avoid or limit a multiplication of Lead SAs. The following factors may help companies identify which of several establishments should be considered the “main establishment” for purposes of designating a Lead SA, namely the place where:
- final sign-off is given on the purposes and means of the cross-border processing activity;
- the director(s) with management responsibility for the cross-border processing activity is/are located;
- business decisions involving data processing are taken;
- the power to implement those decisions lies;
- the company has registered its processing activities, if that is in a single territory; or
- any other factors apply which companies consider relevant in the context of the specific activity they carry out.
Difficult Cases – Where an organization does not have a central administration in the EU and none of its EU establishments make decisions about cross-border processing (i.e. decisions are made exclusively in the US), companies are advised to designate an EU establishment that will act as their main establishment. This establishment must have the authority to “implement decisions” regarding cross-border processing and to “take liability”, which WP29 indicates means the designated establishment must have “sufficient assets”. While companies are invited to make their own determination, it is important to keep in mind that companies’ main-establishment designations may be questioned by SAs at a later stage. It is therefore important that companies can demonstrate effective and real exercise of management activity or authority over personal data. WP29 recommends that companies consult with SAs if they are unsure about the determination of their Lead SA.
Controllers vs. Processors – The rules for determining the Lead SA are similar for controllers and processors. However, in cases involving both a controller and a processor, the competent Lead SA is the Lead SA of the controller.
Companies not Established in the EU – Companies without an establishment in the EU cannot benefit from the One Stop Shop mechanism. In practice, such companies must deal with the various local SAs in the countries where they are active, through the local EU representative the GDPR requires in-scope entities to appoint.
Companies’ Obligations towards Lead SA – Companies must register their data protection officer with the Lead SA, consult the Lead SA in relation to processing activities which may result in a high risk to individuals, and notify the Lead SA of a data breach where reporting is required. Furthermore, a Lead SA will coordinate operations involving local SAs in the context of joint operations or investigations. The Lead SA will also have primary responsibility for dealing with a complaint from an individual in cross-border cases.
Practical Considerations – WP29 clarifies that it is companies’ responsibility to determine their main establishment and to identify their Lead SA. Note, however, that these determinations may be challenged by an SA in the course of a particular case, claim or investigation. It is important, accordingly, that companies document their assessment on the basis of objective criteria and put this at the top of their GDPR-compliance priorities.
The WP29 guidelines are available here.
The FAQs are available here.
* * * * *
Alston & Bird is closely following EU guidance on the One Stop Shop and is advising multinational organizations on how to identify their Lead SA. For more information, contact Jim Harvey, David Keating, or Jan Dhont.