Mervinskiy 496

Page 14

Guidelines8/2022onidentifyingacontrollerorprocessors leadsupervisoryauthority Adoptedon10October2022

Version1.0 10October2022 AdoptionoftheGuidelines(updatedversionofthe previousguidelinesWP244rev.01adoptedbytheWorking Party29andendorsedbytheEDPBon25May2018)fora targetedpublicconsultation.

Adoptedversionforpublicconsultation 2 Versionhistory
Adoptedversionforpublicconsultation 3 Tableofcontents 0 Preface.............................................................................................................................................4 1 Identifyingaleadsupervisoryauthority:thekeyconcepts 5 1.1 Crossborderprocessingofpersonaldata............................................................................5 1.1.1 Substantiallyaffects......................................................................................................5 1.2 Leadsupervisoryauthority......................................................................................................6 1.3 Mainestablishment.................................................................................................................6 2 Stepstoidentifytheleadsupervisoryauthority 7 2.1 Identifythemainestablishmentforcontrollers 7 2.1.1 Criteriaforidentifyingacontrollersmainestablishmentincaseswhereitisnotthe placeofitscentraladministrationintheEEA.................................................................................8 2.1.2 Groupsofundertakings 9 2.1.3 Jointcontrollers 9 2.2 Borderlinecases 10 2.3 Processor 11 3 Otherrelevantissues.....................................................................................................................11 3.1 Theroleofthesupervisoryauthorityconcerned................................................................11 3.2 Localprocessing....................................................................................................................12 3.3 CompaniesnotestablishedwithintheEU 12 ANNEXQuestionstoguidetheidentificationoftheleadsupervisoryauthority 13 1 Isthecontrollerorprocessorcarryingoutthecrossborderprocessingofpersonaldata?.....13 2 Howtoidentifytheleadsupervisoryauthority......................................................................13 3 Arethereanyconcernedsupervisoryauthorities?.................................................................14

TheEuropeanDataProtectionBoard

HavingregardtoArticle70(1)(e)and(l)oftheRegulation2016/679/EUoftheEuropeanParliament andoftheCouncilof27April2016ontheprotectionofnaturalpersonswithregardtotheprocessing ofpersonaldataandonthefreemovementofsuchdata,andrepealingDirective95/46/EC, (hereinafterGDPR),

HavingregardtotheEEAAgreementandinparticulartoAnnexXIandProtocol37thereof,asamended bytheDecisionoftheEEAjointCommitteeNo154/2018of6July20181 ,

HavingregardtoArticle12andArticle22ofitsRulesofProcedure,

HavingregardtotheArticle29WorkingPartyGuidelinesforidentifyingacontrollerorprocessorslead supervisoryauthority,WP244rev.01,

HavingregardtotheEDPBGuidelines07/2020ontheconceptsofcontrollerandprocessorinthe GDPR,

HASADOPTEDTHEFOLLOWINGGUIDELINES

0PREFACE

1. On5April2017,theArticle29WorkingPartyadopteditsGuidelinesforidentifyingacontrolleror processorsleadsupervisoryauthority(WP244rev.01)2,whichwereendorsedbytheEuropeanData ProtectionBoard(hereinafterEDPB)atitsfirstPlenarymeeting3.Thisdocumentisaslightlyupdated versionofthoseguidelinesAnyreferencetotheWP29Guidelinesforidentifyingacontrolleror processorsleadsupervisoryauthority(WP244rev.01)should,fromnowon,beinterpretedasa referencetotheseEDPBguidelines.

2. TheEDPBhasnoticedthattherewasaneedforfurtherclarifications,specificallyregardingthenotion ofmainestablishmentinthecontextofjointcontrollershipandtakingintoaccounttheEDPB Guidelines07/2020ontheconceptsofcontrollerandprocessorintheGDPR4 .

3. Theparagraphconcerningthismatterhasbeenrevisedandupdated,whiletherestofthedocument

documents/guidelines/guidelines072020conceptscontrollerandprocessorgdpr_en

Adoptedversionforpublicconsultation 4
wasleftunchanged,exceptforeditorialchanges.Therevisionconcerns,morespecifically,Section 2.1.3onjointcontrollers. 1ReferencestoMemberStatesmadethroughoutthisdocumentshouldbeunderstoodasreferencestoEEA MemberStates. 2Availableathttp://ec.europa.eu/newsroom/article29/itemdetail.cfm?item_id=611235 3Seehttps://edpb.europa.eu/news/news/2018/endorsementgdprwp29guidelinesedpb_en. 4SeeGuidelines07/2020ontheconceptsofcontrollerandprocessorintheGDPR,version2.0adoptedon7July 2021,paragraphs161,162and166,availableathttps://edpb.europa.eu/ourworktools/our

1.1 Crossborderprocessingofpersonaldata

4. Identifyingaleadsupervisoryauthorityisonlyrelevantwhereacontrollerorprocessoriscarryingout thecrossborderprocessingofpersonaldata.Article4(23)GDPRdefinescrossborderprocessingas eitherthe:

processingofpersonaldatawhichtakesplaceinthecontextoftheactivitiesofestablishments inmorethanoneMemberStateofacontrollerorprocessorintheUnionwherethecontrolleror processorisestablishedinmorethanoneMemberState;orthe

processingofpersonaldatawhichtakesplaceinthecontextoftheactivitiesofasingle establishmentofacontrollerorprocessorintheUnionbutwhichsubstantiallyaffectsorislikely tosubstantiallyaffectdatasubjectsinmorethanoneMemberState

5. ThismeansthatwhereanorganisationhasestablishmentsinFranceandRomania,forexample,and theprocessingofpersonaldatatakesplaceinthecontextoftheiractivities,thenthiswillconstitute crossborderprocessing.

6. Alternatively,theorganisationmayonlycarryoutprocessingactivityinthecontextofitsestablishment inFrance.However,iftheactivitysubstantiallyaffects orislikelytosubstantiallyaffect data subjectsinFranceandRomaniathenthiswillalsoconstitutecrossborderprocessing.

1.1.1 Substantiallyaffects

7. TheGDPRdoesnotdefinesubstantiallyoraffects.Theintentionofthewordingwastoensurethat notallprocessingactivity,withanyeffectandthattakesplacewithinthecontextofasingle establishment,fallswithinthedefinitionofcrossborderprocessing.

8. ThemostrelevantordinaryEnglishmeaningsofsubstantialinclude:ofampleorconsiderableamount orsize;sizeable,fairlylarge,orhavingsolidworthorvalue,ofrealsignificance;solid;weighty, important5 .

9. Themostrelevantmeaningoftheverbaffectistoinfluenceortomakeamaterialimpressionon. Therelatednouneffectmeans,amongstotherthings,aresultoraconsequence6 Thissuggests thatfordataprocessingtoaffectsomeoneitmusthavesomeformofimpactonthem.Processingthat doesnothaveasubstantialeffectonindividualsdoesnotfallwithinthesecondpartofthedefinition ofcrossborderprocessing.However,itwouldfallwithinthefirstpartofthedefinitionwherethe processingofpersonaldatatakesplaceinthecontextoftheactivitiesofestablishmentsinmorethan oneMemberStateofacontrollerorprocessorintheUnion,wherethecontrollerorprocessoris establishedinmorethanoneMemberState.

10. Processingcanbebroughtwithinthesecondpartofthedefinitionifthereisthelikelihoodofa substantialeffect,notjustanactualsubstantialeffect.Notethatlikelytodoesnotmeanthatthere isaremotepossibilityofasubstantialeffect.Thesubstantialeffectmustbemorelikelythannot.On theotherhand,italsomeansthatindividualsdonothavetobeactuallyaffected:thelikelihoodofa substantialeffectissufficienttobringtheprocessingwithinthedefinitionofcrossborderprocessing.

Adoptedversionforpublicconsultation 5 1IDENTIFYINGALEADSUPERVISORYAUTHORITY:THEKEYCONCEPTS
5OxfordEnglishDictionary. 6OxfordEnglishDictionary

11. Thefactthatadataprocessingoperationmayinvolvetheprocessingofanumber evenalarge numberofindividualspersonaldata,inanumberofMemberStates,doesnotnecessarilymeanthat theprocessinghas,orislikelytohave,asubstantialeffect.Processingthatdoesnothaveasubstantial effectdoesnotconstitutecrossborderprocessingforthepurposesofthesecondpartofthe definition,regardlessofhowmanyindividualsitaffects.

12. SupervisoryAuthoritieswillinterpretsubstantiallyaffectsonacasebycasebasis.Wewilltakeinto accountthecontextoftheprocessing,thetypeofdata,thepurposeoftheprocessingandfactorssuch aswhethertheprocessing:

o causes,orislikelytocause,damage,lossordistresstoindividuals;

o has,orislikelytohave,anactualeffectintermsoflimitingrightsordenyinganopportunity;

o affects,orislikelytoaffectindividualshealth,wellbeingorpeaceofmind;

o affects,orislikelytoaffect,individualsfinancialoreconomicstatusorcircumstances;

o leavesindividualsopentodiscriminationorunfairtreatment;

o involvestheanalysisofthespecialcategoriesofpersonalorotherintrusivedata,particularlythe personaldataofchildren;

o causes,orislikelytocauseindividualstochangetheirbehaviourinasignificantway;

o hasunlikely,unanticipatedorunwantedconsequencesforindividuals;

o createsembarrassmentorothernegativeoutcomes,includingreputationaldamage;or

o involvestheprocessingofawiderangeofpersonaldata.

Adoptedversionforpublicconsultation 6
13. Ultimately,thetestofsubstantialeffectisintendedtoensurethatsupervisoryauthoritiesareonly requiredtocooperateformallythroughtheGDPRsconsistencymechanism"whereasupervisory authorityintendstoadoptameasureintendedtoproducelegaleffectsasregardsprocessing operationswhichsubstantiallyaffectasignificantnumberofdatasubjectsinseveralMemberStates7 1.2 Leadsupervisoryauthority 14. Putsimply,aleadsupervisoryauthorityistheauthoritywiththeprimaryresponsibilityfordealing withacrossborderdataprocessingactivity,forexamplewhenadatasubjectmakesacomplaintabout theprocessingofhisorherpersonaldata. 15. Theleadsupervisoryauthoritywillcoordinateanyinvestigation,involvingotherconcerned supervisoryauthorities. 16. Identifyingtheleadsupervisoryauthoritydependsondeterminingthelocationofthecontrollers mainestablishmentorsingleestablishmentintheEU.Article56GDPRsaysthat: thesupervisoryauthorityofthemainestablishmentorofthesingleestablishmentofthe controllerorprocessorshallbecompetenttoactasleadsupervisoryauthorityforthecross borderprocessingcarriedoutbythatcontrollerorprocessorinaccordancewiththe [cooperation]procedureprovidedinArticle60. 1.3 Mainestablishment 17. Article4(16)GDPRstatesthatmainestablishmentmeans: 7SeeRecital135GDPR.

asregardsacontrollerwithestablishmentsinmorethanoneMemberState,theplaceofits centraladministrationintheUnion,unlessthedecisionsonthepurposesandmeansofthe processingofpersonaldataaretakeninanotherestablishmentofthecontrollerintheUnionand thelatterestablishmenthasthepowertohavesuchdecisionsimplemented,inwhichcasethe establishmenthavingtakensuchdecisionsistobeconsideredtobethemainestablishment;

asregardsaprocessorwithestablishmentsinmorethanoneMemberState,theplaceofits centraladministrationintheUnion,or,iftheprocessorhasnocentraladministrationinthe Union,theestablishmentoftheprocessorintheUnionwherethemainprocessingactivitiesin thecontextoftheactivitiesofanestablishmentoftheprocessortakeplacetotheextentthat theprocessorissubjecttospecificobligationsunderthisRegulation;

2STEPSTOIDENTIFYTHELEADSUPERVISORYAUTHORITY

18. Inordertoestablishwherethemainestablishmentis,itisfirstlynecessarytoidentifythecentral administrationofthecontrollerintheEEA,ifanyTheapproachimpliedintheGDPRisthatthecentral administrationintheEUistheplacewheredecisionsaboutthepurposesandmeansoftheprocessing ofpersonaldataaretaken,andthisplacehasthepowertohavesuchdecisionsimplemented.

19. TheessenceoftheleadsupervisoryauthorityprincipleintheGDPRisthatthesupervisionofcross borderprocessingshouldbeledbyonlyonesupervisoryauthorityintheEU.Incaseswheredecisions relatingtodifferentcrossborderprocessingactivitiesaretakenwithintheEUcentraladministration, therewillbeasingleleadsupervisoryauthorityforthevariousdataprocessingactivitiescarriedout bythemultinationalcompany.However,theremaybecaseswhereanestablishmentotherthanthe placeofcentraladministrationmakesautonomousdecisionsconcerningthepurposesandmeansofa specificprocessingactivity.Thismeansthattherecanbesituationswheremorethanonelead supervisoryauthoritycanbeidentified,i.e.incaseswhereamultinationalcompanydecidestohave separatedecisionmakingcentres,indifferentcountries,fordifferentprocessingactivities.

20. Itisworthrecalling,thatwhereamultinationalcompanycentralisesallthedecisionsrelatingtothe purposesandmeansofprocessingactivitiesinoneofitsestablishmentsintheEEA(andthat establishmenthasthepowertoimplementsuchdecisions),onlyoneleadsupervisoryauthoritywillbe identifiedforthemultinational.

21. Inthesesituations,itwillbeessentialforcompaniestoidentifypreciselywherethedecisionson purposeandmeansofprocessingaretaken.Correctidentificationofthemainestablishmentisinthe interestsofcontrollersandprocessorsbecauseitprovidesclarityintermsofwhichsupervisory authoritytheyhavetodealwithinrespectoftheirvariouscompliancedutiesundertheGDPR.These mayinclude,whererelevant,designatingadataprotectionofficerorconsultingforariskyprocessing activitythatthecontrollercannotmitigatebyreasonablemeans.TherelevantprovisionsoftheGDPR areintendedtomakethesecompliancetasksmanageable.

Example1:Afoodretailerhasitsheadquarters(i.e.,itsplaceofcentraladministration)inRotterdam, Netherlands.IthasestablishmentsinvariousotherEEAcountries,whichareincontactwithindividuals there.Allestablishmentsmakeuseofthesamesoftwaretoprocessconsumerspersonaldatafor marketingpurposes.Allthedecisionsaboutthepurposesandmeansoftheprocessingofconsumers personaldataformarketingpurposesaretakenwithinitsRotterdamheadquarters.Thismeansthat

Adoptedversionforpublicconsultation 7
2.1 Identifythemainestablishmentforcontrollers
22. Theexamplesbelowillustratethis:

thecompanysleadsupervisoryauthorityforthiscrossborderprocessingactivityistheDutch supervisoryauthority.

Example2:AbankhasitscorporateheadquartersinFrankfurt,andall8itsbankingprocessingactivities areorganisedfromthere,butitsinsurancedepartmentislocatedinVienna.Iftheestablishmentin Viennahasthepowertodecideonallinsurancedataprocessingactivitiesandtoimplementthese decisionsforthewholeEEA,then,asforeseeninArticle4(16)GDPR,theAustriansupervisoryauthority wouldbetheleadsupervisoryauthorityinrespectofthecrossborderprocessingofpersonaldatafor insurancepurposes,andthecompetentGermansupervisoryauthority(i.e.,theHessensupervisory authority)wouldsupervisetheprocessingofpersonaldataforbankingpurposes,wherevertheclients arelocated9

2.1.1Criteriaforidentifyingacontrollersmainestablishmentincaseswhereitisnotthe placeofitscentraladministrationintheEEA

23. Recital36GDPRisusefulinclarifyingthemainfactorthatshallbeusedtodetermineacontrollers mainestablishmentifthecriterionofthecentraladministrationdoesnotapply.Thisinvolves identifyingwheretheeffectiveandrealexerciseofmanagementactivities,thatdeterminethemain decisionsastothepurposesandmeansofprocessingthroughstablearrangements,takesplace. Recital36GDPRalsoclarifiesthat thepresenceanduseoftechnicalmeansandtechnologiesfor processingpersonaldataorprocessingactivitiesdonot,inthemselves,constituteamainestablishment andarethereforenotdeterminingcriteriaforamainestablishment.

Thecontrolleritselfidentifieswhereitsmainestablishmentisandthereforewhichsupervisory authorityisitsleadsupervisoryauthority.However,thiscanbechallengedbytherespective supervisoryauthorityconcernedafterwards.

Thefactorsbelowareusefulfordeterminingthelocationofacontrollersmainestablishment, accordingtothetermsoftheGDPR,incaseswhereitisnotthelocationofitscentraladministration intheEEA.

o Wherearedecisionsaboutthepurposesandmeansoftheprocessinggivenfinalsignoff?

o Wherearedecisionsaboutbusinessactivitiesthatinvolvedataprocessingmade?

o Wheredoesthepowertohavedecisionsimplementedeffectivelylie?

o WhereistheDirector(orDirectors)withoverallmanagementresponsibilityforthecrossborder processinglocated?

o Whereisthecontrollerorprocessorregisteredasacompany,ifinasingleterritory?

Notethatthisisnotanexhaustivelist.Otherfactorsmayberelevantdependingonthecontrolleror processingactivityinquestion.Ifasupervisoryauthorityhasreasonstodoubtthattheestablishment

Inthecontextofprocessingpersonaldataforbankingpurposes,theEDPBrecognisesthattherearemany differentpurposespursuedbytheseprocessingactivities.However,tosimplifymatters,theEDPBaddressesall ofthemasasinglepurpose.Thesameistrueofprocessingdoneforinsurancepurposes

ItshouldberecalledalsothattheGDPRprovidesforthepossibilityoflocaloversightinspecificcases.See Recital127: Eachsupervisoryauthoritynotactingastheleadsupervisoryauthorityshouldbecompetentto handlelocalcaseswherethecontrollerorprocessorisestablishedinmorethanoneMemberState,butthe subjectmatterofthespecificprocessingconcernsonlyprocessingcarriedoutinasingleMemberStateand involvesonlydatasubjectsinthatsingleMemberState,forexample,wherethesubjectmatterconcernsthe processingofemployees'personaldatainthespecificemploymentcontextofaMemberState. Thisprinciple meansthatthesupervisionofHRdataconnectedtothelocalemploymentcontextcouldfallonseveral supervisoryauthorities.

Adoptedversionforpublicconsultation 8
24.
25.
26.
8
9

identifiedbythecontrollerisinrealitythemainestablishmentforthepurposesoftheGDPR,itcan ofcourserequirethecontrollertoprovidetheadditionalinformationnecessaryforittoprovewhere itsmainestablishmentislocated.

2.1.2Groupsofundertakings

establishmentforthegroup,exceptwheredecisionsaboutthepurposesandmeansofprocessingare takenbyanotherestablishment.Theparent,oroperationalheadquartersofthegroupofundertakings intheEEA,islikelytobethemainestablishment,becausethatwouldbetheplaceofitscentral administration.

carriedout,lieswithinthecompanysheadquarters.Insuchcases,determiningthelocationofthe mainestablishmentandthereforewhichsupervisoryauthorityistheleadsupervisoryauthorityis straightforward.However,thedecisionsystemofgroupofcompaniescouldbemorecomplex,giving independentmakingpowersrelatingtocrossborderprocessingtodifferentestablishments.The criteriasetoutaboveshouldhelpgroupsofundertakingstoidentifytheirmainestablishment.

Adoptedversionforpublicconsultation 9
27. WhereprocessingiscarriedoutbyagroupofundertakingsthathasitsheadquartersintheEEA,the establishmentoftheundertakingwithoverallcontrolispresumedtobethedecisionmakingcentre relatingtotheprocessingofpersonaldata,andwillthereforebeconsideredtobethemain
28. Thereferenceinthedefinitiontotheplaceofacontrollerscentraladministrationworkswellfor organisationsthathaveacentraliseddecisionmakingheadquartersandbranchtypestructure.Insuch cases,itisclearthatthepowertomakedecisionsaboutcrossborderprocessing,andtohavethem
2.1.3Jointcontrollers 29. TheGDPRdoesnotspecificallydealwiththeissueofdesignatingaleadsupervisoryauthoritywhere twoormorecontrollersestablishedintheEEAjointlydeterminethepurposesandmeansofprocessing i.e.jointcontrollers.Article26(1)andRecital79GDPRmakeitclearthatinjointcontrollership situations,thecontrollersshallinatransparentmannerdeterminetheirrespectiveresponsibilitiesfor compliancewiththeirobligationsundertheGDPR. 30. AsrecalledbytheEDPBinitsGuidelinesontheconceptofcontrollerandprocessor10,jointcontrollers needtosetwhodoeswhatbydecidingbetweenthemselveswhowillhavetocarryoutwhichtasks, inordertomakesurethattheprocessingcomplieswiththeapplicableobligationsundertheGDPRin relationtothejointprocessingatstake. 31. Thecompliancemeasuresandrelatedobligationsjointcontrollersshouldconsiderwhendetermining theirrespectiveresponsibilities,inadditiontothosespecificallyreferredinArticle26(1)GDPR,include, amongstothers,theorganisationofcontactwithdatasubjectsandsupervisoryauthorities. 32. Itshouldberecalledthatsupervisoryauthoritiesarenotboundbythetermsofsucharrangement, neitherontheissueofthequalificationofthepartiesasjointcontrollersnoronthedesignatedcontact point11 33. Moreover,thedecisionmakingpowerofjointcontrollersdoesnotcomprisethedeterminationofthe competentsupervisoryauthorityaccordingtoArticles55and56GDPR,ortheabilityofthese supervisoryauthoritiestoexercisetheirtasksandpowersasdescribedinArticles57and58GDPR. 10SeeGuidelines07/2020ontheconceptsofcontrollerandprocessorintheGDPR,paragraphs161,162and 166. 11SeeGuidelines07/2020ontheconceptsofcontrollerandprocessorintheGDPR,paragraph191.

34. ThenotionofmainestablishmentislinkedbyvirtueoftheGDPRtoasinglecontrollerandcannotbe extendedtoajointcontrollershipsituation.Thisiswithoutprejudicetothepossibilityforeachjoint controllertohaveitsownmainestablishment.Inotherwords,themainestablishmentofacontroller cannotbeconsideredasthemainestablishmentofthejointcontrollersfortheprocessingcarriedout undertheirjointcontrol.Therefore,jointcontrollerscannotdesignate(amongtheestablishments wheredecisionsonthepurposesandmeansoftheprocessingaretaken)acommonmain establishmentforbothjointcontrollers.

2.2 Borderlinecases

35. Therewillbeborderlineandcomplexsituationswhereitisdifficulttoidentifythemainestablishment ortodeterminewheredecisionsaboutdataprocessingaretaken.Thismightbethecasewherethere iscrossborderprocessingactivityandthecontrollerisestablishedinseveralMemberStates,butthere isnocentraladministrationintheEEAandnoneoftheEEAestablishmentsaretakingdecisionsabout theprocessing(i.e.decisionsaretakenexclusivelyoutsideoftheEEA).

36. Inthecaseabove,thecompanycarryingoutcrossborderprocessingmaybekeentoberegulatedby aleadsupervisoryauthoritytobenefitfromtheonestopshopprinciple.However,theGDPRdoesnot provideasolutionforsituationslikethis.Inthesecircumstances,thecompanyshoulddesignatethe establishmentthathastheauthoritytoimplementdecisionsabouttheprocessingactivityandtotake liabilityfortheprocessing,includinghavingsufficientassets,asitsmainestablishment.Ifthecompany doesnotdesignateamainestablishmentinthisway,itwillnotbepossibletodesignatealead supervisoryauthority.Supervisoryauthoritieswillalwaysbeabletoinvestigatefurtherwherethisis appropriate.

37. TheGDPRdoesnotpermitforumshopping.Ifacompanyclaimstohaveitsmainestablishmentin oneMemberState,butnoeffectiveandrealexerciseofmanagementactivityordecisionmakingover theprocessingofpersonaldatatakesplacethere,therelevantsupervisoryauthorities(orultimately theEDPB12)willdecidewhichsupervisoryauthorityisthelead,usingobjectivecriteriaandlookingat theevidence.Theprocessofdeterminingwherethemainestablishmentismayrequireactiveinquiry andcooperationbythesupervisoryauthorities.Conclusionscannotbebasedsolelyonstatementsby theorganisationunderreview.Theburdenofproofultimatelyfallsoncontrollersandprocessorsto demonstratetotherelevantsupervisoryauthoritieswheretherelevantprocessingdecisionsaretaken andwherethereisthepowertoimplementsuchdecisions.Effectiverecordsofdataprocessingactivity wouldhelpbothorganisationsandsupervisoryauthoritiestodeterminetheleadsupervisory authority.Theleadsupervisoryauthority,orconcernedsupervisoryauthorities,canrebutthe controllersanalysisbasedonanobjectiveexaminationoftherelevantfacts,requestingfurther informationwhererequired.

38. Insomecases,therelevantsupervisoryauthoritieswillaskthecontrollertoprovideclearevidence,in linewithanyEDPBguidelines,ofwhereitsmainestablishmentis,orwheredecisionsaboutaparticular dataprocessingactivityaretaken.Thisevidencewillbegivendueweightandthesupervisory authoritiesinvolvedwillcooperatetodecidewhichoneofthemwilltaketheleadininvestigations. SuchcaseswillonlybereferredtotheEDPBforadecisionunderArticle65(1)(b)GDPRwhere supervisoryauthoritieshaveconflictingviewsintermsofidentifyingtheleadsupervisoryauthority. However,inmostcases,theEDPBexpectsthattherelevantsupervisoryauthoritieswillbeableto agreeamutuallysatisfactorycourseofaction.

Adoptedversionforpublicconsultation 10
12Seeparagraph35below.

Processor

39. TheGDPRalsoofferstheonestopshopsystemforthebenefitofprocessorsthataresubjecttoGDPR andhaveestablishmentsinmorethanoneMemberState.

40. Article4(16)(b)GDPRstatesthattheprocessorsmainestablishmentwillbetheplaceofthecentral administrationoftheprocessorintheEUor,ifthereisnocentraladministrationintheEU,the establishmentintheEUwherethemainprocessing(processor)activitiestakeplace.

41. However,accordingtoRecital36GDPR,incasesinvolvingbothacontrollerandaprocessor,the competentleadsupervisoryauthorityshouldbetheleadsupervisoryauthorityforthecontroller.In thissituation,thesupervisoryauthorityoftheprocessorwillbeasupervisoryauthorityconcerned andshouldparticipateinthecooperationprocedure.Thisrulewillonlyapplywherethecontrolleris establishedintheEEAIncaseswherecontrollersaresubjecttotheGDPRonthebasisofitsArticle 3(2),theywillnotbesubjecttotheonestopshopmechanism.Aprocessorforexample,alargecloud serviceprovidermayprovideservicestomultiplecontrollerslocatedindifferentMemberStates.In suchcases,theleadsupervisoryauthoritywillbethesupervisoryauthoritythatiscompetenttoactas leadforthecontroller.Ineffect,thismeansaprocessormayhavetodealwithmultiplesupervisory authorities.

3OTHERRELEVANTISSUES

3.1 Theroleofthesupervisoryauthorityconcerned

42. GDPRArticle4(22)saysthatthe:

supervisoryauthorityconcernedmeansasupervisoryauthoritywhichisconcernedbythe processingofpersonaldatabecause:(a)thecontrollerorprocessorisestablishedontheterritory oftheMemberStateofthatsupervisoryauthority;(b)datasubjectsresidingintheMemberState ofthatsupervisoryauthorityaresubstantiallyaffectedorlikelytobesubstantiallyaffectedbythe processing;or(c)acomplainthasbeenlodgedwiththatsupervisoryauthority.

43. Theconceptofaconcernedsupervisoryauthorityismeanttoensurethattheleadsupervisory authoritymodeldoesnotpreventothersupervisoryauthoritieshavingasayinhowamatterisdealt withwhen,forexample,individualsresidingoutsidetheleadsupervisoryauthoritysjurisdictionare substantiallyaffectedbyadataprocessingactivity.Intermsoffactor(a)above,thesame considerationsasforidentifyingaleadsupervisoryauthorityapply.Notethatin(b)thedatasubject mustmerelyresideintheMemberStateinquestion;theydonothavetobeacitizenofthatState.It willgenerallybeeasyin(c)todetermineasamatteroffactwhetheraparticularsupervisory authorityhasreceivedacomplaint.

44. Article56,paragraphs(2)and(5)GDPRprovideforaconcernedsupervisoryauthoritytotakearolein dealingwithacasewithoutbeingtheleadsupervisoryauthority.Whenaleadsupervisoryauthority decidesnottohandleacase,theconcernedsupervisoryauthoritythatinformedtheleadsupervisory authorityshallhandleit.ThisisinaccordancewiththeproceduresinArticle61(Mutualassistance) andArticle62(Jointoperationsofsupervisoryauthorities)GDPR.Thismightbethecasewherea marketingcompanywithitsmainestablishmentinParislaunchesaproductthatonlyaffectsdata subjectsresidinginPortugal.Insuchacase,theFrenchandPortuguesesupervisoryauthoritiesmight agreethatitisappropriateforthePortuguesesupervisoryauthoritytotaketheleadindealingwith thematter.Supervisoryauthoritiesmayrequestthatcontrollersprovideinputintermsofclarifying theircorporatearrangements.Giventhattheprocessingactivityhasapurelylocaleffecti.e.on

Adoptedversionforpublicconsultation 11 2.3

individualsinPortugaltheFrenchandPortuguesesupervisoryauthoritieshavethediscretionto decidewhichsupervisoryauthorityshoulddealwiththematterinaccordancewithRecital127GDPR

45. TheGDPRrequiresleadandconcernedsupervisoryauthoritiestocooperate,withduerespectfor eachothersviews,toensureamatterisinvestigatedandresolvedtoeachauthorityssatisfaction andwithaneffectiveremedyfordatasubjects.Supervisoryauthoritiesshouldendeavourtoreacha mutuallyacceptablecourseofaction.Theformalconsistencymechanismshouldonlybeinvoked wherecooperationdoesnotreachamutuallyacceptableoutcome.

46. Themutualacceptanceofdecisionscanapplytosubstantiveconclusions,butalsotothecourseof actiondecidedupon,includingenforcementactivity(e.g.fullinvestigationoraninvestigationwith limitedscope).ItcanalsoapplytoadecisionnottohandleacaseinaccordancewiththeGDPR,for examplebecauseofaformalpolicyofprioritisation,orbecausethereareotherconcernedauthorities asdescribedabove.

47. Thedevelopmentofconsensusandgoodwillbetweensupervisoryauthoritiesisessentialtothe successoftheGDPRscooperationandconsistencyprocedures

3.2 Localprocessing

48. LocaldataprocessingactivitydoesnotfallwithintheGDPRscooperationandconsistencyprovisions. Supervisoryauthoritieswillrespecteachotherscompetencetodealwithlocaldataprocessingactivity onalocalbasis.Processingcarriedoutbypublicauthoritieswillalwaysbedealtwithonalocalbasis, too.

3.3 CompaniesnotestablishedwithintheEEA

49. TheGDPRscooperationandconsistencymechanismsonlyapplytocontrollerswithanestablishment, orestablishments,withintheEEA.IfacompanydoesnothaveanestablishmentintheEEA,themere presenceofarepresentativeinaMemberStatedoesnottriggertheonestopshopprinciple.This meansthatcontrollerswithoutanyestablishmentintheEEAmustdealwithlocalsupervisory authoritiesineveryMemberStatetheyareactivein,throughtheirlocalrepresentative.

FortheEuropeanDataProtectionBoard

TheChair (AndreaJelinek)

Adoptedversionforpublicconsultation 12

inmorethanoneMemberState.

orprocessorssingleestablishmentintheEEA,but:

State.

establishmentinasingleMemberState.Thisisbylogicthecontrollerorprocessorsmain establishmentbecauseitisitsonlyestablishment.

Adoptedversionforpublicconsultation 13 ANNEX QUESTIONSTOGUIDETHEIDENTIFICATIONOFTHELEAD SUPERVISORYAUTHORITY 1 Isthecontrollerorprocessorcarryingoutthecrossborderprocessingofpersonal data? a. Yes,if:  ThecontrollerorprocessorisestablishedinmorethanoneMemberState,and  Theprocessingofpersonaldatatakesplaceinthecontextoftheactivitiesofestablishments
Inthiscase,gotosection2. b. Yes,if:  Theprocessingofpersonaldatatakesplaceinthecontextoftheactivitiesofacontroller
 SubstantiallyaffectsorislikelytosubstantiallyaffectindividualsinmorethanoneMember
Inthiscase,theleadsupervisoryauthorityistheauthorityforthecontrollerorprocessorssingle
2 Howtoidentifytheleadsupervisoryauthority a. Inacaseinvolvingonlyacontroller: i. IdentifythecontrollersplaceofcentraladministrationintheEEA; ii. Thesupervisoryauthorityofthecountrywheretheplaceofcentraladministrationislocatedis thecontrollersleadsupervisoryauthority. However: iii. Ifdecisionsonthepurposesandmeansoftheprocessingaretakeninanotherestablishmentin theEEA,andthatestablishmenthasthepowertoimplementthosedecisions,thenthelead supervisoryauthorityistheonelocatedinthecountrywherethisestablishmentis. b. Inacaseinvolvingacontrollerandaprocessor: i. CheckifthecontrollerisestablishedintheEEAandsubjecttotheonestopshopsystemIfso, ii. Identifytheleadsupervisoryauthorityofthecontroller.Thisauthoritywillalsobethelead supervisoryauthorityfortheprocessor. iii. The(nonlead)supervisoryauthoritycompetentfortheprocessorwillbeaconcerned supervisoryauthorityseesection3below. c. Inacaseinvolvingonlyaprocessor: i. IdentifytheprocessorsplaceofcentraladministrationintheEEA;
Adoptedversionforpublicconsultation 14 ii. IftheprocessorhasnocentraladministrationintheEEA,identifytheestablishmentintheEEA wherethemainprocessingactivitiesoftheprocessortakeplace. d. Inacaseinvolvingjointcontrollers: i. CheckifthejointcontrollersareestablishedintheEEA. ii. IdentifytheplaceofcentraladministrationintheEEAforeachjointcontrollerrespectively (whereapplicable); iii. Thesupervisoryauthorityofthecountrywheretheplaceofcentraladministrationislocatedis theleadsupervisoryauthorityoftherespectivejointcontroller. 3 Arethereanyconcernedsupervisoryauthorities? Anauthorityisaconcernedauthority:  Whenthecontrollerorprocessorhasanestablishmentonitsterritory,or:  Whendatasubjectsonitsterritoryaresubstantiallyaffectedorlikelytobesubstantially affectedbytheprocessing,or:  Whenacomplaintisreceivedbyaparticularsupervisoryauthority.

Turn static files into dynamic content formats.

Create a flipbook
Issuu converts static files into: digital portfolios, online yearbooks, online catalogs, digital photo albums and more. Sign up and create your flipbook.