With the 28 Member States of the European Union (27 after Brexit), it seems easy to establish which supervisory authority will be competent to supervise the activities of your organisation when it is acting as a controller. That would be the authority in your country of establishment, right? Well, it is somewhat more complex than that. In this post, we will brief you about the supervisory landscape after the General Data Protection Regulation or GDPR commences effect on May 25th.
There are two European bodies that might seem relevant at first sight. The first is the European Data Protection Supervisor or EDPS. However, this is, and will remain, the supervisor of European institutional data processing activities. Unless you are related to one of the EU institutions or bodies, it is unlikely you will ever encounter the jurisdiction of the EDPS, although it has some co-operating and co-coordinating tasks.
The second institution is the European Data Protection Board or EDPB (art. 68), the successor of the Article 29 Working Party. The latter had to promote the uniform application of the ‘old’ privacy directive (95/46). On May 25, the EDPB will replace the Working Party, with the purpose of applying the GDPR consistently across the EU. The EDPS will host the secretariat of the EDPB and will also support its analytical work.
Member States will keep their existing supervisory authorities, which under the GDPR can act as a Lead Supervisory Authority (LSA). Deciding which supervisory authority acts as the LSA is done by determining the sole or main establishment of the controller carrying out cross-border processing activities (art. 56 par. 1 GDPR). The LSA is the sole interlocutor for the controller regarding its cross-border data processing activity (art. 56 par. 6 GDPR).
Exceptions to this regime are organisations acting on the basis of processing grounds from art. 6(c) and (e) GDPR, that is to comply with a legal obligation or to perform a public task. They find their LSA to be the one in the country determining the legal obligation or public task (art. 55 par. 2 GDPR). Supervisory authorities do not have competence over courts processing personal data in their judicial capacity (art. 55 par. 3 GDPR).
If a complaint concerns only a processing activity in a Member State different from the one the main establishment of the controller is in, the supervisory authority of the former Member State can take action (art. 56 par. 2 GDPR). It will then inform the LSA and the LSA can decide whether to take the lead (art. 56 par. 3 GDPR). In case of disagreement between supervisory authorities, including the LSA, the EDPB takes the final decision (art. 65 GDPR).
Guidance on all the concepts relevant to determining which supervisory authorities will have a say on your processing activities can be found in a guidance document from the Article 29 Working Party found here: https://goo.gl/BCkvgV. For your organisation, it is important to know that forum shopping is not allowed and that supervisory authorities have the possibility to establish their jurisdiction on the basis of objective criteria.
PrivacyPerfect is a leading European GDPR compliance software vendor with thorough knowledge of European and national privacy legislation.