Mechanisms of the lead authority and the one-stop shop

Directive 95/46

Directive 95/46 dealt only very briefly with the issue of cooperation between the various supervisory authorities where the processing of personal data fell within the competence of more than one national supervisory authority. The details of such cooperation were certainly not addressed by the Directive, let alone the issue of the competent authority in the case of a multinational established on the territories of several Member States of the European Union.

Corrective mechanisms in the GDPR

In order to counter this lack of coordination, and to ensure that its provisions are applied consistently throughout the European Union, the GDPR has put in place several mechanisms, and in particular the mechanism of the “lead authority” and the “one-stop shop”.

This principle has important implications for multinationals which have several establishments within the European Union. Indeed, for enterprises established in several countries of the European Union, several national supervisory authorities may be involved. In that case, which one is competent?

Lead authority

In order to facilitate the application and control of the rules it contains, the GDPR has first set up a system of “lead authority”.

Thus, in the event that the controller or the processor is established in several Member States, the supervisory authority responsible for the main establishment will be considered as the “lead authority” for so-called cross-border processing of personal data (e.g. a certain system that is used by all entities of the group in all countries and in the framework of which personal data are processed).

This main establishment is, in principle, the place of the central administration of the enterprise in the European Union (head office), unless the decisions on the purposes and means of the processing of personal data are made in another establishment, in which case the latter will be considered to be the main establishment.

Take the example of a bank which has its registered office in Frankfurt and all of whose processing activities are organised from that place, except for its insurance department, located in Vienna. If the latter has the power to make decisions concerning the processing of personal data related to this activity and has the power to implement these throughout the European Union, it will be the Austrian supervisory authority which will be the “lead authority” for this processing for insurance purposes.

Where the processing is carried out by a group of undertakings whose headquarters is situated in the European Union, the place of establishment with overall control must be considered as the main establishment of the controller, namely the parent company or the operational headquarters of the group, except where the purposes and means are determined by other establishments.

An important side note here is that local processing activities for which the local company of a group bears the processing responsibility, as will often be the case in the framework of HR, do not fall under the competence of the lead authority. The local supervisor will still remain competent for these processing activities.

One-stop shop

In addition, under the “one-stop-shopping” principle, undertakings will now have the right to deal with only one supervisory authority, that of the Member State where their main establishment is located, namely the “lead authority”.

Undertakings will thus benefit from a single point of contact within the European Union with regard to protection of personal data, where they carry out cross-border processing of personal data.

However, it should be noted that these rules relating to the “lead authority” and to the mechanism of the “one-stop shop” do not apply where the processing is carried out by public authorities or private bodies in the framework of a task carried out in the public interest. Indeed, in this case, the only competent supervisory authority is the supervisory authority of the Member State in which the public authority or the private body is established.

Furthermore, the Article 29 Working Party also specifies that controllers that do not have an establishment in the European Union are excluded from the “one-stop-shop” mechanism and must deal with the national supervisory authorities of each of the Member States in which they are active, by means of their local representatives.

Conclusion

While the intentions of the European legislator in adopting the mechanisms of the “lead authority” and the “one-stop shop” are laudable, and can, to a certain extent, and from a general point of view, facilitate the administrative procedures of the enterprises in their contacts with the national supervisory authorities, the implications of these mechanisms are, in our view, rather limited in terms of human resources because the processing activities in that framework usually cannot be considered as cross-border.