WP29: identifying a lead supervisory authority

Homepage | News

Lead Authority, Investigation Coordinator

The WP29 adopted the guidelines for identifying a controller or processor’s lead supervisory authority.

In these guidelines, the WP29 recalled that identifying a lead supervisory authority is only relevant where a controller or processor is carrying out the cross-border processing of personal data. Article 4(23) of the General Data Protection Regulation (GDPR) defines “cross-border processing” as either the:

  • processing of personal data which takes place in the context of the activities of a controller or processor of establishments in more than one Member State in the Union where the controller or processor is established in more than one Member State; 
  • or the processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

The WP 29 also specified the concept “substantially affects” implies that processing concerns data subjects in several Member States and has an impact on them. “The intention of the wording was to ensure that not all processing activity, with any effect and that takes place within the context of a single establishment, falls within the definition of ‘cross-border processing.

Supervisory Authorities will interpret “substantially affects” on a case by case basis.

The test of ‘substantial effect’ is intended to ensure that supervisory authorities are only required to co-operate formally through the GDPR’s consistency mechanism “where a supervisory authority intends to adopt a measure intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several Member States” (Recital 135).

The WP 29 also defined the scope of the notion of “lead supervisory authority” “which is the authority with the primary responsibility for dealing with a cross-border data processing activity”. The lead supervisory authority coordinates any investigation, involving other’ concerned’ supervisory authorities.

The obligation to identify the lead authority in the case of multiple establishments in the Union involves determining the location of the main establishment of the controller or the processor concerned. The latter is in principle the place of the central administration, except, in the case of a controller, that decisions on the purposes and means are taken by another establishment or, in the case of a processor, that the main activities of the processing are carried out by another establishment.