The lead authority under the GDPR
The concept of a lead supervisory data protection authority (the “Lead Authority”) facilitates monitoring cross-border processing or processing that relates to persons in more than one member state by a ‘one-stop’ authority.
Businesses engaged in cross-border processing activities may identify their Lead Authority depending on the location of the controller’s ‘main establishment’ or ‘single establishment’ in the EU.
While designating a Lead Authority is not mandatory under the GDPR, the benefit of doing so in terms of coordination and efficiency makes it an important tool for persons and businesses engaging with ‘cross-border processing’ activities in multiple member states that may potentially become the subject of investigation.
The Lead Authority will coordinate any investigation and can involve other concerned national supervisory authorities. In this context, the Lead Authority may cooperate and exchange information and liaise with such national authorities. The Lead Authority submits any draft decision to the other concerned national supervisory authorities.
From the perspective of a controller or processor, the Lead Authority is the main point of contact concerning the underlying ‘cross-border processing’ activity.
Cross-border processing
The Lead Authority is the authority with the primary responsibility for dealing with a cross-border processing activity, for example when a data subject makes a complaint about the processing of their personal data.
‘Cross-border processing’ is defined under Article 4(23) of the GDPR as either:
- “processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
- processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State”.
“Substantially affects” is interpreted on a case by case basis and depends on various factors including, amongst others, the type of data, the purpose of the processing and the cause or risk of damage, loss or distress to the individual.
Determining the Lead Authority
The GDPR provides that “the supervisory authority of the main establishment or of the single establishment of the controller or processor” is competent to act as the Lead Authority.
The term ‘main establishment’ is defined under Article 4(16) of the GDPR as follows:
- “as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
- as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation”;
Guidance published by the Article 29 Working Party, subsequently adopted by the European Data Protection Board (the “EDPB”), sets out a non-exhaustive list of factors for determining the controller’s main establishment. These factors include the following:
- the place where decisions on the purposes and means of processing are given final sign-off
- the place where decisions about business activities that involve data processing are made
- the place where the power to have decisions implemented effectively lies
- the location of the Director/Directors with overall management responsibility for the ‘cross-border processing’ activity
- the place where the controller or processor are registered as a company, if in a single territory.
Practical and commercial aspects
The Lead Authority constitutes a “one-stop” contact for data controllers and processors and an efficient mechanism for complying with the GDPR, particularly for large corporations with EU-wide and worldwide establishments.
Nevertheless, it should be noted that the Lead Authority concept has been designed to prevent abuse and ‘forum-shopping’ is not permitted under the GDPR.
As such, where a business claims to have its main establishment in one EU member state, without having any effective or actual exercise of management or decision-making over the processing of personal data taking place in that specific member state, then the Lead Authority will be decided by the supervisory authorities involved (or ultimately, by the EDPB) using objective criteria and based on the available evidence.
Main establishments in Cyprus
A plethora of multinational groups active in a wide range of industries, both within and outside the EU, have their headquarters in Cyprus. This is often the case as a result of establishing Cyprus holding companies to hold the group’s subsidiaries, due to the following reasons, amongst others:
- Cyprus taxes profits at 12.5% and taxation on outgoing dividends can be 0%
- Cyprus has signed more than 60 tax treaties (including with the UK, the US and Russia), which help ensure that Cyprus-based companies avoid double taxation
- Cyprus is an attractive destination for technology companies.
As such, Cyprus establishments of multinational corporations often carry out decision-making vis-à-vis personal data processing in Cyprus. The Commissioner for the Protection of Personal Data (the “DPC”) may accordingly be identified as the Lead Authority for a business that is a controller or processor and the main establishment or the single establishment of which is in Cyprus.
The DPC is the independent authority in Cyprus responsible for monitoring the application of the GDPR and Cypriot data protection laws. The DPC is tasked with protecting the fundamental rights and freedoms of natural persons concerning processing and to facilitate the free flow of personal data.
Drawing on the framework concerning the Lead Authority, whether the DPC will be the Lead Authority for a group which has a main establishment in Cyprus will depend on a range of factors which will determine if the effective or actual exercise of management or decision-making over the processing of personal data takes place in Cyprus.
Contact us to discuss your precise requirements.