Authored by Patrick Van Eecke, Loriane Sangaré-Vayssac and Enrique Capdevila, this article was originally published in Privacy Laws & Business International Report, December 2023.

Patrick van Eecke, Loriane Sangaré-Vayssac and Enrique Capdevila of Cooley analyse the updated guidelines for identifying the Lead Supervisory Authority and the draft GDPR Procedural Regulation.

Following the adoption of the final version of the European Data Protection Board (EDPB) Guidelines on identifying the lead supervisory authority (LSA), which clarify the conditions under which controllers and processors can benefit from the One-Stop-Shop mechanism (OSS), the European Commission published a proposal for the GDPR Procedural Regulation.

This future regulation will lay down additional procedural rules for the enforcement of the GDPR, and seeks to harmonise and reinforce the application of data protection rules across the Member States through an enhanced OSS. As part of the legislative process, the EDPB and the European Data Protection Supervisor (EDPS) published a joint opinion on the draft GDPR Procedural Regulation on 19 September 2023, outlining suggested changes to the existing draft.[1]

This article aims to provide some insights regarding the OSS and the future GDPR enforcement rules that will bind all EU supervisory authorities.

What is the OSS and which entities can benefit from it?

The OSS allows controllers and processors established in the EEA to deal with a single LSA, which acts as their sole interlocutor for the cross-border processing they carry out. Organisations wishing to benefit from this mechanism must fulfil two criteria:

  1. be established in the EEA and
  2. engage in cross-border processing of personal data.

On this basis, they must conduct an assessment to determine the location of their "main establishment"; the LSA will then be the supervisory authority of the Member State in which that main establishment is located.

What is cross-border processing of personal data?

The term "processing" is very broad and includes any operation or set of operations performed on personal data or on sets of personal data (including simply collecting, storing or deleting those data). Identifying the LSA is only relevant where a controller or processor is carrying out "cross-border processing of personal data", which can happen in two scenarios:

  • the controller or processor has more than one establishment in the EU (in at least two Member States) and the processing of personal data takes place in the context of the activities of these establishments; or
  • the controller or processor has one establishment in the EEA, but the processing of personal data substantially affects or is likely to affect data subjects in more than one Member State.

In the second scenario, where the controller or processor has a single establishment in the EEA, the processing at stake must "substantially affect or [be] likely to affect data subjects in more than one Member State". The EDPB Guidelines elaborate on this condition and provide various examples, such as processing which causes, or is likely to cause, loss or distress to individuals, or processing which leaves individuals open to discrimination or unfair treatment.

Which activities are included?

Which processing activities are considered to "substantially affect or [be] likely to affect data subjects in other Member States"?

The GDPR does not clarify which processing activities are deemed to substantially affect data subjects in other Member States. The Guidelines, however, explain that the concept of "substantially affecting data subjects" is intended to prevent every processing activity of a controller or processor with a single establishment in the EEA from automatically falling within the definition of "cross-border processing". For processing to affect an individual, the EDPB considers that it "must have some form of impact" on the data subjects, which is to be assessed on a case-by-case basis.

In the Guidelines, the EDPB sets out a non-exhaustive list of examples of types of processing which meet the threshold of having "some form of impact". This is the case, for example, where processing causes, or is likely to cause, damage, loss or distress to individuals, where it has an actual effect in terms of limiting rights or denying an opportunity, or where it has unlikely, unanticipated or unwanted consequences for the individuals.

Identifying the main establishment

In relation to a controller with more than one establishment in the EEA, its main establishment would be the place of its central administration in the EEA, unless the decisions on the purpose and means of the processing of personal data are taken in another establishment which has the power to have such decisions implemented.

In relation to a processor with more than one establishment in the EEA, the main establishment would be the place of its central administration in the EEA, or (if the processor has no central administration in the EEA), the establishment of the processor in the EEA where the main processing activities take place.

It is important to note that the mere presence and use of technical means and technologies for processing personal data, or of processing activities, in the EEA does not in itself constitute a main establishment.

Criteria determining 'main establishment'

The EDPB Guidelines set out a non-exhaustive list of factors to determine the location of a controller's main establishment in the EEA, the most relevant being:

  • the establishment where the decisions about the purpose and means of the processing are given final "sign off";
  • the establishment where the decisions about business activities that involve data processing are made;
  • the establishment where the power to have decisions implemented effectively lies;
  • the establishment where the director with overall management responsibility for the cross-border processing is located; and
  • the establishment where the controller or processor is registered as a company (if in a single territory).

It is important to note that a supervisory authority may challenge an organisation's decision to appoint an LSA.

What is the role of a lead supervisory authority?

The LSA is the authority primarily responsible for dealing with cross-border data processing activities, for example handling complaints from data subjects and carrying out investigations and enforcement actions.

Being under the supervision of a single supervisory authority in the EEA can present significant advantages with respect to various compliance duties under the GDPR. For example, in the event of a cross-border personal data breach, the GDPR requires the breach to be notified to the LSA.

However, in some cross-border processing scenarios several LSAs can be competent at the same time. One notable case, clarified by the EDPB in the latest version of the Guidelines, is that of joint controllers, discussed in the next section.

When can several lead supervisory authorities be competent?

Depending on the processing role of the establishment(s) in question, several LSAs may be competent:

  • for establishments acting as separate controllers: a multinational company with separate decision-making centres in the EEA acting as separate controllers can have more than one LSA;
  • for establishments acting as joint controllers: the GDPR does not address this situation. The EDPB introduced an important clarification in the final version of the Guidelines, namely that the main establishment of one joint controller cannot be considered the main establishment of both joint controllers. Therefore, in this instance, each joint controller can be supervised by its own LSA; and
  • for an establishment acting as processor: very often, one or more controller(s) will be involved in the processing together with the processor. In this case, the LSA will be the authority competent to act as lead for the controller, which means that multiple LSAs can be involved. The supervisory authority of the processor will be a "supervisory authority concerned".

Are there limits to the OSS?

Yes. For example, in the case of "local data processing activities", supervisory authorities will respect each other's competence to deal with processing activity on a local basis. In such cases, the OSS does not apply.

In addition, it is important to highlight that having appointed an LSA does not prevent other supervisory authorities from assuming jurisdiction over matters concerning individuals residing within their territories. This is in line with the principles of mutual assistance (art. 61 GDPR) and joint operations of supervisory authorities (art. 62 GDPR), under which an LSA can allow a concerned supervisory authority to handle a case that the concerned authority itself first brought to the LSA's attention.

Finally, even where the LSA decides to handle the case, the cooperation and consistency mechanisms require the LSA and the other concerned authority(/ies) to cooperate in order to reach consensus on the matter. Where the supervisory authorities are unable to reach consensus in a cross-border case, the GDPR provides for a dispute resolution mechanism which ultimately requires the EDPB to decide on the case, with a view to ensuring a consistent interpretation of the GDPR.

How does the draft GDPR procedural regulation address the OSS?

On 4 July 2023, the European Commission published the draft GDPR Procedural Regulation, which harmonises certain procedural matters in cross-border cases. Although the OSS mechanism itself remains unchanged, the proposal complements the GDPR by detailing several procedural rules for cross-border enforcement of the GDPR.

The proposal acknowledges that differing national procedural rules hinder the smooth and effective functioning of the GDPR's cooperation and dispute resolution mechanisms in cross-border cases. To address this, it specifies rules for the involvement of complainants in the procedure and for the rejection of complaints in cross-border cases, and clarifies the roles of the LSA and of the authority with which the complaint was lodged. Moreover, the proposal grants the parties under investigation the right to be heard at key stages of the procedure, including during dispute resolution by the EDPB. Finally, it establishes a framework for all supervisory authorities to provide their views early in the investigation.

Joint opinion by EDPB and EDPS

In their joint opinion on the draft GDPR Procedural Regulation, the EDPB and the EDPS set out their views and concerns on the various procedural elements of the draft. As an example, they suggest that the supervisory authority with which the complaint was lodged should be able to make inquiries with the relevant parties in order to establish competence on a preliminary basis. This would allow that authority to assess whether the matter involves cross-border processing or is a purely local matter.

According to the EDPB and EDPS, the person who filed the complaint should be able to comment on the preliminary findings, which the existing draft does not provide for. Moreover, they suggest that the competent supervisory authorities be informed of the views received from the parties under investigation before the LSA circulates its revised draft decision, to avoid the risk that the final decision includes elements that were never brought to the attention of those authorities.

What steps should companies be taking?

  1. Companies that engage in cross-border data processing in the context of the activities of their EEA establishments should consider the roles of their entities in the EEA and determine which is their main establishment.
  2. Some companies may decide to formally appoint their LSA, to align with their compliance strategy.
  3. In line with the accountability principle, the reasons for appointing one LSA should be documented in an objective assessment, especially where the company finds itself in a borderline situation in which several supervisory authorities may consider themselves to be the lead.
  4. This assessment should consider all relevant factors, notably whether the establishment has the authority to implement decisions about the processing and to be liable for it, including having sufficient assets.[2]

Footnotes

1. edpb.europa.eu/system/files/2023-09/edpb_edps_jointopinion_202301_proceduralrules_ec_en.pdf

2. EDPB Guidelines 8/2022 on identifying a controller or processor's lead supervisory authority; 10 October 2022, section 36

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.