What is a “Lead Supervisory Authority (Lead SA)” or the “one-stop-shop mechanism”? How do we identify the Lead SA? How have the DPAs across the EU reacted so far? These are the questions we will try to answer in this article. Although the assessment seems easy in theory, practice has shown that these questions do not have a straightforward answer in many cases, and a detailed analysis of the local activities of the business is required.
The GDPR requires that each member state appoints an independent public authority (Data Protection Authority or DPA), with investigatory, corrective and advisory powers. Their role boils down to embedding data protection in the DNA of the member state.
Each DPA is competent to act in the territory of its member state, which would mean that an organisation doing business in multiple member states would be subject to multiple DPAs. That could create chaos and a significant administrative burden on controllers and processors. To tackle this issue and enhance legal certainty, the GDPR established the “one-stop-shop” mechanism, which essentially lets you designate one (lead) supervisory authority that is in charge of EU-wide enforcement.
“Companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU.” – European Commission
This mechanism is only relevant where a controller or processor is carrying out the cross-border processing of personal data.
“Cross-border processing” in the GDPR lingo means:
- processing that takes place where the controller or the processor has establishments in more than one member state.
- processing of personal data in a single establishment (in the EU) of the controller or the processor which substantially affects or is likely to substantially affect data subjects in more than one member state. On that account, processing with little or no effect does not constitute cross-border processing, regardless of how many individuals it affects.
So whenever cross-border processing takes place, the controller or the processor can benefit from the one-stop-shop mechanism and appoint a Lead SA.
In the recent decision of the French DPA (CNIL) against Clubhouse, the French watchdog decided that, as there is no establishment in the EU (Clubhouse has appointed an EU representative in Germany), the one-stop-shop mechanism does not apply; each DPA of the member states in which the affected individuals are located is responsible for enforcement, and CNIL acted accordingly.
How it works
Put simply, a Lead SA is the authority with the primary responsibility for dealing with a cross-border data processing activity.
An authority may be ‘concerned’ when:
- there is an establishment of the controller/processor on its territory,
- data subjects on its territory are substantially affected or likely to be substantially affected, or
- a complaint has been lodged with it.
The Lead SA will coordinate any investigation, involving the other ‘concerned’ supervisory authorities. This cooperation procedure (Article 60 GDPR) allows the authorities to exchange information on the matter. The Lead SA shall submit a draft decision to the authorities concerned and must take their opinions into account when issuing the final decision.
For example, a company has establishments in Sweden, Greece and Portugal, but its main establishment is in Spain. The processing substantially affects individuals in Austria and Croatia. A Croatian data subject files a complaint with the Croatian DPA. The Croatian DPA will then forward the complaint to the Lead SA (which in this case would be the Spanish DPA, as we will see later) and, under the consistency mechanism, there will be one decision on the matter rather than several.
How do you determine which is your Lead Supervisory Authority?
Identifying the Lead SA can be challenging. In the WP29 Guidelines, we read that the first step is to determine the location of your ‘main establishment’ or ‘single establishment’ in the EU.
In order to establish where the main establishment is, it is first necessary to identify the central administration in the EU, if any. The approach set out in the GDPR is that the central administration in the EU is the place where the effective and real exercise of management activities takes place, that is, where the main decisions about the purposes and means of the processing of personal data are taken. If the central administration is not established in the EU, then you need to identify the establishment that has decision-making power over the purposes and means of processing personal data.
The heart of the one-stop-shop mechanism is that one Lead SA will be in charge of the cross-border processing in the EU. However, there can be cases where an establishment other than the central administration makes autonomous decisions regarding the purposes and means of a specific processing activity. In that case, several Lead SAs may be appointed. For example, a multinational company has its HR decision-making centre in Spain for all EU employees, while its marketing decision-making centre is located in Denmark. The Lead SA for processing activities for HR purposes will be the Spanish DPA, while the Lead SA for processing activities for direct marketing purposes will be the Danish DPA.
Something that occurs quite often is that there are several establishments in the EU, but the main establishment is located outside the EU. That is even more relevant now, in the post-Brexit era: companies that have their central administration in the UK and had appointed the ICO as their Lead SA find themselves without a Lead SA after Brexit. The GDPR is silent on how to deal with this case. The WP29 guidelines recommend that such a company designate as its main establishment an establishment that has the authority to implement decisions about processing and sufficient assets to take liability for the processing. If there is no establishment in the EU with such authority, then the organisation cannot benefit from the one-stop-shop mechanism and will be subject to the jurisdiction of each national SA where it is established or where individuals are affected by the processing.
One question that we often receive in these borderline cases is “Which SA shall we choose?” or in other words “Which is the most lenient SA in order to appoint them as a Lead SA?”
The GDPR does not allow for “forum shopping”. To put it another way, determining your Lead SA is not cherry-picking. The assessment of whether the establishment has decision-making power must reflect reality. Having a contract in place that says so (e.g. a Data Sharing Agreement) is not, by itself, enough.
Criticisms against having a Lead Supervisory Authority
Although the benefits of the one-stop-shop mechanism are evident for both data subjects and organisations (lower costs, time savings and avoidance of the risk that individual DPAs take different approaches to cross-border data processing activities), the mechanism has received some negative attention.
Both the Irish and the Luxembourg DPAs have been fiercely accused by other DPAs of slowing down GDPR enforcement against Facebook, which has its headquarters in Ireland (Germany’s federal data protection regulator, the BfDI, accused Ms Dixon in a letter of making “simply false” claims about her and others’ work). The French watchdog CNIL has actively demonstrated its frustration and moved faster by imposing fines on both Google and Amazon, although it is not the Lead SA.
Another interesting case comes from Belgium. The Belgian DPA initiated judicial proceedings against several members of the Facebook group before the Belgian courts. The Court of Appeal of Brussels referred a number of questions to the CJEU aimed at clarifying whether the GDPR’s one-stop-shop mechanism prevents a national DPA (other than the lead DPA) from initiating court proceedings in its member state against infringements of the GDPR with respect to cross-border data processing. The Advocate General (AG), in his Opinion of January 2021, noted that data subjects can bring proceedings directly against controllers or processors before the courts of the member state in which they reside. He also emphasised that the lead DPA cannot be deemed the sole enforcer of the GDPR in cross-border situations and must closely cooperate with the other concerned DPAs, in accordance with the relevant rules set forth under the GDPR. The CJEU has started its deliberations, and the final judgment is expected in the coming months.
If you are an organisation involved in cross-border processing activities, you can benefit from the “one-stop-shop” mechanism. Consider which is your main establishment and, if the case is not clear, which of your establishments has decision-making power (real, not merely on paper) over the purposes and means of processing. For more details, especially for borderline cases, check the WP29 Guidelines.