One-stop Shop
One of the key features of the GDPR is the principle that it
will provide organisations with a ‘one-stop shop’ when dealing with
international data protection matters.
What this means in practice for a multi-national organisation
that processes HR data is that, instead of potentially having to deal with
national regulatory authorities in each location where it processes data or
where its employees are based, the GDPR will provide such an employer with the
opportunity to appoint a Lead Supervisory Authority (LSA) that will deal with
all relevant matters. The appeal of the ‘one-stop shop’ being that this will
help avoid having to grapple with a host of different rules and enforcement
procedures in different jurisdictions.
Once appointed, the LSA will be the authority with primary
responsibility for dealing with cross-border data processing activity. Amongst
other functions, the LSA will be the authority to which the multi-national
employer will report any data breaches. It will also handle any investigations
into complaints against the way that the employer handles personal data, as
well as being the body that will make decisions about appropriate enforcement
action against the employer. Determining who the LSA is will therefore involve
legal considerations as well as practical and strategic ones.
What guidance do we have on LSAs?
The Article 29 Data Protection Working Party has produced a
concise guideline document for identifying a controller or processor’s lead
supervisory authority. The Guidelines put some ‘flesh on the bones’ of the LSA
provisions at Article 56 of the GDPR.
Which employers are able to appoint a LSA?
Employers that carry out cross-border processing are able to
appoint a LSA. Cross-border processing takes place where either:
- The employer is established in one or more member states and
processes data in connection with the activities of one or more of those
establishments (Limb 1); or - The employer processes data in relation to just one of its
EU establishments but that processing ‘substantially affects’ data subjects
(employees) in more than one member state (Limb 2).
In relation to Limb 2, the Guidelines provide some guidance
on what ‘substantially affects’ means.
The Guidelines state that ‘substantially affects’ should be
interpreted on a case-by-case basis and will take into account:
- the context of the processing;
- the type of data processed;
- the purpose of the processing; and
- factors such as whether the processing (amongst other
factors) is likely to cause damage to individuals, whether the processing
involves the analysis of special categories of personal data and whether the
processing is likely to leave individuals open to discrimination or unfair
treatment.
How do employers determine which is the relevant LSA in
relation to its employment data?
- Where the employer is the data controller and determines the
purposes for which its employment data is processed – the LSA will be the
relevant supervisory authority located in the EU country where the employer has
its central administration for example, a traditional HQ. This rule will apply
unless the key decisions about data processing are taken in another EU country,
in which case the LSA will be the one located where decisions about any
processing are made. The Guidelines outline factors which may help in deciding
where such decisions are made. - Where the employer is the data processor and just processes
data – the LSA will be where the data processing employer has its central
administration, unless its main data processing activities take place in
another EU country (in which case the relevant supervisory authority will be
the one located in that location). - Where an employer is both the data controller and the data
processor – the LSA will be the LSA for the data controller.
The Guidelines contain a useful checklist for employers to
help identify the relevant LSA.
What if an employer is located outside of the EU and has no
establishments in the EU?
In this case, it is not possible for the employer to appoint
a LSA and it must deal with the supervisory authority in each location where it
operates and/or where any data processing affects its data subjects. This
potentially leads to employers based outside the EU without an establishment
with the headache of having to deal with a number of different supervisory
authorities.
Can employers bypass the Guidelines in place for determining
the LSA and select a different supervisory authority to be the LSA?
No – the Guidelines specifically outlaw ‘forum hopping’. In
other words, it is not possible for an organisation to appoint a particular
supervisory authority to be its LSA, eg on the basis that it reputedly takes a ‘lighter
touch’ approach to enforcement measures as compared to another authority.
Why is it important to understand which authority is the LSA?
Under the GDPR, there are certain circumstances where the
LSA must be notified. For example, notification is required when registering a
data protection officer or in the event of a data breach. It is therefore key
that the LSA is determined, to ensure that a business complies (in a timely
manner) with all relevant obligations. Another reason for getting this issue
right is that the new European Data Protection Board will have the power to
investigate the nomination of a LSA and recommend that an alternative LSA is
appointed.
What if a multi-national employer does not want to appoint a
LSA?
There appear to be no sanctions in the Guidelines for an
employer that fails to appoint a LSA. However, it remains to be seen whether
(given the clear potential advantages to businesses of the ‘one-stop shop’
system) the non-appointment of a LSA by an organisation that is involved in cross-border
processing could cause a supervisory authority to question that organisation’s
understanding of the GDPR in other areas.
However, it is rather assumed that, as the new provisions
should make administration of cross border data protection significantly
simpler, relevant employers will choose to take advantage of these rules.
Is the LSA the only supervisory authority that can become
involved with cross-border issues?
No. The Guidelines acknowledge that there will be situations
where other supervisory authorities may want or need to become involved with
data protection matters. This may happen, for example, where a complaint is
lodged with a particular supervisory authority that is not the LSA or where
employees live or work in a different location to that of the LSA and are
substantially affected by processing of their data in that location. This may
be the case, for example, in a situation where specific rules relating to the
processing of employment data have been implemented in one Member State (under
derogation to the GDPR) and therefore only affect employees in that one Member
State.
In a situation such as the above, the local supervisory
authority will be a concerned supervisory authority and will liaise with the
LSA about the relevant matter. It will be open for the LSA and the supervisory
authority concerned to decide amongst them who shall lead a particular case and
they should cooperate to determine how any matter is handled and resolved.
As someone responsible for HR data what should I be doing
now, in connection with the appointment of a LSA?
- First and foremost, identify if your business is undertaking
cross-border processing of HR data. - If so, identify whether your business is the data controller
or data processor in respect of this cross-border processing of HR data. - Identify the relevant LSA for HR data in consultation with
the Guidelines. - Ensure that you are confident in your choice of LSA as each
supervisory authority has the right to rebut your identification of them as
your LSA. - Communicate who the relevant LSA is for HR data to the
relevant people within the organisation. - Make contact with the relevant LSA as and when necessary to
seek assistance on any areas of ambiguity. - Keep an eye out for any country-specific guidance published
by that LSA or any secondary legislation enacted in that jurisdiction relating
to HR data.
Rachel Ashwood is Senior Counsel at Taylor Vinters Cambridge
office. Razia Begum is a Senior Associate at Taylor Vinters London office. Both
Rachel and Razia are specialists in employment law.