Author: Eva Souhrada-Kirchmayer

 

1. Without prejudice to Art. 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Art. 60.
2. By derogation from para. 1, each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.
3. In the cases referred to in para. 2 of this Article, the supervisory authority shall inform the lead supervisory authority without delay on that matter. Within a period of three weeks after being informed the lead supervisory authority shall decide whether or not it will handle the case in accordance with the procedure provided in Art. 60, taking into account whether or not there is an establishment of the controller or processor in the Member State of which the supervisory authority informed it.
4. Where the lead supervisory authority decides to handle the case, the procedure provided in Art. 60 shall apply. The supervisory authority which informed the lead supervisory authority may submit to the lead supervisory authority a draft for a decision. The lead supervisory authority shall take utmost account of that draft when preparing the draft decision referred to in Art. 60 para. 3.
5. Where the lead supervisory authority decides not to handle the case, the supervisory authority which informed the lead supervisory authority shall handle it according to Arts. 61 and 62.
6. The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.

 

 

I. Introduction

 

For cross-border processing, Art. 56 – contrary to the territoriality principle of Art. 55 – provides for the so-called ‘lead supervisory authority’ to be responsible. With this, the GDPR introduces a major innovation and simplification of the factual recourse to official legal protection, namely the so-called ‘One-Stop-Shop’ principle. The essence of the lead authority principle in the GDPR is that the supervision of cross-border processing should be led by only one SA in the EU, namely by the national SA at the headquarters of the main establishment or the sole establishment of the controller as the ‘lead supervisory authority’. Art. 56 para. 1 regulates the general responsibility of the lead authority; para. 2 provides for exceptions to the general provision of para. 1 (according to Art. 55 para. 2, cross-border data processing in the public interest is exempted from the provisions on the responsibility of the lead SA; see → Art. 55 mn. 9); paras. 3 to 5 address procedural issues (regarding para. 2); and para. 6 is concerned with the concept of the ‘sole interlocutor’.

II. Legislative history

The fact that there were no previous provisions on a standardised and binding procedure across all Member States for cross-border processing issues was one of the triggers for the need for reform of the DPD, which ultimately led to the GDPR.

Art. 51 para. 2 of the Comm-P stipulated that the SA of the main establishment should have sole responsibility for regulating cross-border data processing. This concept corresponded to the idea of exclusive competence and therefore received strong criticism from Member States that feared a loss of sovereignty. In the deliberations, it became clear that the modified form of a One-Stop-Shop should be regulated, in which data subjects can refer to an SA in their own Member State that has the necessary sovereign powers to enforce existing rights. The Parl-R therefore brought in Art. 54a the concept of a lead SA with a coordinating function into play, which, however, wanted to have significantly more extensive powers. Inter alia, a responsibility was regulated for those cases in which the controller has no establishment in the EU, but its processing affected data subjects in several Member States. Subsequently, this case was no longer expressly regulated. The Council finally developed the wording that also remained after the trialogue (Art. 51a of the Council-R).

III. Analysis
1. The concept of the lead SA (para. 1)

As a principle, national SAs enjoy competence within their respective territories. Art. 56 para. 1 sets out an exception to this principle, in case of cross-border processing. A ‘lead supervisory authority’ is the authority with the primary responsibility for dealing with a cross-border data processing activity, e.g. when a data subject makes a complaint about the processing of his or her personal data. The lead SA will coordinate any investigation, involving other ‘concerned’ SAs.

Identifying a lead SA is only relevant where a controller or processor is carrying out cross-border processing of personal data. Art. 4 no. 23 (see → Art. 4 no. 23 mn. 3 et seq.) defines ‘cross-border processing’ as either the: eng
• processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or the
• processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

 

 

 

[…]