What you need to know.

Enforcement of the General Data Protection Regulation (‘GDPR’) is conducted by the national supervisory authorities. Although it was initially proposed to create a European supervisory authority, the Member States never reached political agreement on this.

For companies that are active in several Member States of the European Economic Area ('EEA'), the question immediately arises as to precisely which national supervisory authority is competent. They should (proactively) verify this so that they register their data protection officer (‘DPO’) with the proper authority(ies), can report data breaches correctly and know which authority to contact in the context of a preliminary consultation for high-risk processing activities. Determining the competent national supervisory authority(ies) is therefore not a matter of waiting but forms an integral part of proper compliance with the GDPR.

When there are cross-border processing operations, and therefore several national supervisory authorities are concerned (Article 4, paragraph 22 GDPR), the GDPR provides for a “one-stop-shop mechanism”. Based on this system, a single authority must be designated as the "lead supervisory authority" which in principle is solely competent for the processing(s) concerned. The European Data Protection Board (‘EDPB’) has published guidelines (available in French) to determine this “lead supervisory authority”. This does not alter the fact that this lead supervisory authority still must cooperate with the various other supervisory authorities concerned in accordance with the cooperation mechanism provided for in Article 60 GDPR.

The one-stop-shop mechanism only applies if the company concerned has at least one establishment within the EEA. When a company does not have any establishment within the EEA, but still falls under the territorial scope of the GDPR (e.g. because it offers its goods and services to persons within the EEA), all supervisory authorities of all Member States where the company operates are competent.

What you need to do.

You will first have to determine whether your company has cross-border processing activities. That is automatically the case if your company has establishments in several EEA Member States that process personal data. Cross-border processing activities also exist when your company is only established in a single EEA Member State but its processing activities have an impact on data subjects in several such States (e.g. because your company offers goods or services in EEA Member States other than the one in which it is established).

Thus, if your company is only established in one EEA Member State and its processing activities have an impact exclusively on data subjects in that Member State, in principle only the national supervisory authority of that Member State is competent. That is the supervisory authority to whom your company should turn, for example, to register its DPO.

On the other hand, if your company does have cross-border processing activities, you must determine the lead supervisory authority in accordance with the one-stop-shop mechanism. The supervisory authority of the EEA Member State where your company has its main establishment is the lead supervisory authority.

For controllers, this is the place where the central administration in the EEA is located, unless the decisions about the purposes and means of the processing(s) are taken and carried out by a different establishment within the EEA. In concrete terms, you must check where decisions are made about the various processing activities. Take the example of a corporate group with a centralised HR administration at the main establishment in Brussels and branches in Sweden and Spain that are locally responsible for all marketing. In this example, the Belgian supervisory authority will be the lead supervisory authority for the HR-related processing operations and the Swedish and Spanish supervisory authorities respectively for the marketing-related processing operations by the Swedish and Spanish branches.

It is possible that your company's main establishment is located outside the EEA, but that it does have some local establishments within the EEA. In this case, the EDPB recommends that the establishment within the EEA that has the authority to implement the decisions on the processing activity and to take liability for the processing, including having sufficient assets, be designated as the main establishment. If not, no lead supervisory authority can be designated and the one-stop-shop mechanism cannot function.

For processors, the arrangement is somewhat different. For processing operations that your company carries out as a processor, the main establishment is the place where your central administration in the EEA is located, or, if you do not have a central administration in the EEA, the establishment in the EEA where your main processing activities take place.

Finally, in the context of a joint processing activity, it is important to agree which establishment qualifies as the main establishment. This should be an establishment that implements the decision in respect of all joint controllers.