The Article 29 Working Party has now adopted and published WP 244/16 Guidelines for identifying a controller or processor’s lead supervisory authority.
Under the GDPR, identifying a lead supervisory authority is relevant only where a controller or processor is carrying out the ‘cross-border processing’ (as defined in the GDPR, Article 4(23)) of personal data. That definition in Article 4(23) includes a tricky reference to cross-border processing including processing which ‘substantially affects or is likely to substantially affect data subjects in more than one Member State’. The Article 29 Working Party gives considerable attention to the meaning of ‘substantially affects’ but, while offering a number of factors that might be taken into account, concludes that this will be established on a case-by-case basis.
Identifying the lead supervisory authority flows, largely, from identifying the main establishment of a data controller. But the guidelines acknowledge that it is not always that simple and state:
‘it will be essential for companies to identify precisely where the decisions on purpose and means of processing are taken. Correct identification of the main establishment is in the interests of controllers and processors because it provides clarity in terms of which supervisory authority they have to deal with in respect of their various compliance duties under the GDPR. These include registering a data protection officer; notifying a risky processing activity or notifying a data security breach. The relevant provisions of the GDPR are intended to make these compliance tasks manageable.’
There is a section in the guidelines headed (somewhat strangely, given the context) ‘Borderline cases’ which states that the GDPR does not allow forum shopping but it might be argued that the section provides a primer on how best to forum shop. The guidelines anticipate clashes, stating:
‘The GDPR requires lead and concerned supervisory authorities to co-operate, with due respect for each other’s views, to ensure a matter is investigated and resolved to each authority’s satisfaction – and with an effective remedy for data subjects. Supervisory authorities should endeavour to reach a mutually acceptable course of action. The formal consistency mechanism should only be invoked where co-operation does not reach a mutually acceptable outcome.’
The guidelines apply to both controllers and processors but acknowledge that the controllers are more likely to be affected:
‘in cases involving both controller and processor, the competent lead supervisory authority should be the lead supervisory authority for the controller. In this situation, the supervisory authority of the processor will be a ‘supervisory authority concerned’ and should participate in the cooperation procedure. This rule will only apply where the controller is established in the EU. In cases when controllers are subject to the GDPR on the basis of Art 3.2, they will not be subject to the one stop shop mechanism.’