06 February 2017 - Post by: Peter van Dyck
One of the key innovations of the upcoming General Data Protection Regulation (GDPR) is the so-called one stop shop principle. This principle aims to avoid companies that undertake cross-border processing of personal data finding themselves subject to a plurality of competent data protection authorities.
Concretely, the GDPR provides that the data protection authority of the country in which the company undertaking the cross-border processing has its “main establishment” will be competent to act as lead supervisory authority for that company. This lead supervisory authority will coordinate actions regarding the cross-border processing activities.
Companies are recommended to identify their lead supervisory authority in advance. There was, however, some discussion on the interpretation of several key concepts of this one stop shop principle, including the concepts of “cross-border processing” and “main establishment”. On 13 December 2016, the Article 29 Working Party (WP29) issued Guidelines on the Lead Supervisory Authority, in which it clarifies these key concepts.
- Cross-border processing of personal data
As set out above, the one stop shop principle only applies where a company is undertaking “cross-border processing of personal data”.
This term is defined in the GDPR as meaning either that (i) a company processes personal data in the context of the activities of multiple establishments in the EU, or (ii) a company processes personal data in the context of activities of a single establishment in the EU, where such processing is likely to substantially affect data subjects in more than one EU country.
Most discussion has focused on the second part of this definition, and in particular on the question of when processing is likely to “substantially affect” data subjects in more than one EU country.
According to the Guidelines, the term “substantially affect” must be assessed on a case-by-case basis. The number of data subjects involved in the processing is not decisive: even where processing involves a large number of data subjects in multiple EU countries, this does not in itself mean that the processing is likely to substantially affect them.
Rather, to determine whether the processing is likely to substantially affect the data subjects, data protection authorities will take into account the type of data, the purpose of the processing and other factors, such as whether the processing (i) is likely to cause damage, loss or distress to individuals, (ii) involves the analysis of special categories of personal data or other intrusive data and/or (iii) has unlikely, unanticipated or unwanted consequences for individuals.
- Main establishment
If a company engages in cross-border processing of personal data, the lead supervisory authority will be the data protection authority of the country in which that company has its “main establishment”.
According to the GDPR, the main establishment for a controller is either (i) the place of its central EU administration, or (ii) if different, the establishment where the decisions, and implementation of decisions, on the purposes and means of the processing of personal data are taken. The test for processors is similar.
The Guidelines issued by the WP29 provide useful guidance on how companies can determine their main establishment, including the following:
- it is the company itself that determines where its main establishment is and therefore which authority is the lead supervisory authority. However, the WP29 stresses that this decision can be challenged by the authority concerned afterwards. In particular, the WP29 is concerned about forum shopping, where companies would seek to locate their main establishment in countries whose authorities are deemed to be more flexible. The burden of proof ultimately falls on the company itself. Effective records of data processing activities would be helpful in this regard;
- there can be situations where more than one lead supervisory authority can be identified, i.e. where there are separate decision centres for different processing activities. This could for instance be the case if a bank has its corporate headquarters in Frankfurt (from which it organises all its banking processing activities), but has its insurance department in Vienna (from which it organises all its insurance processing activities) – in such case, the lead supervisory authority for the banking processing activities will be located in Germany, whereas the lead supervisory authority for the insurance processing activities will be located in Austria;
- there may be companies where decisions on the processing are taken exclusively outside the EU, i.e. companies that have neither a central administration in the EU nor any establishment in the EU that takes decisions on the processing (referred to by the WP29 as “borderline cases”). The WP29 advises such companies to designate the EU establishment that will act as their main establishment. The WP29 states that the designated main establishment in the EU must have the authority to implement decisions about the processing activity and to assume liability for the processing, which implies having sufficient assets. However, the WP29 does not specify how (contractually or otherwise) a company could ensure (and prove) that its designated main establishment meets these requirements. This leaves non-EU companies with a choice. They can either designate a main establishment in the EU, in which case they will be able to benefit from the one stop shop mechanism, or they can choose not to designate a main establishment in the EU, in which case they will not benefit from the one stop shop mechanism and will therefore be reliant on (and subject to) the local supervisory authorities in every European country in which they are active. Again, authorities may question a company’s decision to designate a particular main establishment, in particular where they have the impression of forum shopping.
These Guidelines provide important guidance to companies that are preparing the implementation of the GDPR. The WP29 invited stakeholders to comment on these Guidelines before the end of January 2017, so we may see further iterations based on that feedback.