GDPR and Relevant Supervisory Authority

Transcript of the Video

Good afternoon ladies and gentlemen, Suzanne Dibble here. Data protection law expert coming to you raw and uncut from a hot and sweaty Singapore, although I have to say, there is air con in here and it's absolutely lovely after a day outside. I'm hoping you can hear me okay with these rather second-rate headphones after losing my Apple ones, so I hope you can hear me. I just wanted to do a quick video for you in answer to a question that I've just seen in the group, which was a great question and one that I've not addressed, which is always good because I've done a lot of videos now, so I'm running out of topics to do.

But this was a question about which is the relevant supervisory authority for the purposes of data protection, and this particular lady, I think, had moved her business to France and so was asking: does the ICO, the English Supervisory Authority, the Information Commissioner's Office, apply, or would it be the French Data Protection Authority?

I want to just do this quick video for those of you who are in a similar position or for those of you who have a number of group entities in the EU or even possibly outside of the EU. Okay, so what are the rules on this? Okay, well hopefully for most of you it's a fairly easy question and answer. If you've got one company and you're in the UK, then your Supervisory Authority will be the ICO in the UK.

If you don't, then what is the answer? Okay, well what we need to look at is the main establishment. Where is your main establishment? If you've got a single establishment, a single company, then obviously that's going to be your main establishment. If you've got more than one, which is the main establishment? Sorry, recital 36 offers us a little bit of guidance as to what a main establishment actually means.

The main establishment should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements. I don't know what stable arrangements means, but it's really the place where, if you've got a Board of Directors, they are based; where is that real decision-making activity taking place?

The criterion should not depend on whether the processing of personal data is actually carried out at that location. Okay, so that location doesn't actually have to be processing data; it's where the decision-making is being taken. The further guidance says that the presence and use of technical means and technologies for processing personal data or processing activities do not in themselves constitute the main establishment and are therefore not determining criteria for the main establishment.

The main establishment should be the place of its central administration in the Union or, if it has no central administration in the Union, the place where the main processing activities take place in the Union. Okay, so if you have a head office outside of the EU, then to find the main establishment for your purposes (i.e. the establishment whose country is relevant for the purposes of working out who is your lead supervisory authority) you need to identify the place where the main processing activities are taking place.

Now, is it possible to choose your lead authority under the GDPR? You might say, well, why would I want to do that? Well, it is the case that some data protection authorities are, shall we say, more lenient than others, although you didn't hear it from me. Say, for example, the German data protection authority is known to not be quite so lenient as some others. For example, certainly, there are multinationals that will choose the Irish Data Protection Authority because they're just a bit easier to deal with, quite frankly.

I know that probably for the majority of people in this group, you're single-establishment companies, you don't have a group of companies, but for those of you who are, it might be worth thinking about that, because what GDPR also says is that the main establishment of a controller is the place of central administration in the EU, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the EU that has the power to have such decisions implemented, in which case that is the location of the main establishment. Okay, so it is possible, but it's not the place of central administration if you have another entity that is making key decisions about processing personal data.

Okay, so it's also possible actually to have more than one lead supervisory authority. If, for example, you've got a Danish company that has central administration in Copenhagen and branches across Europe, but it manages and takes decisions about all of its employee data from Paris, then it will have the French Supervisory Authority as one lead supervisory authority, purely for the employee data, but then it will also have the Danish Supervisory Authority as the lead for all of the types of data.

For most of you, as I said, it's going to be a very easy question and answer about who is your supervisory authority. If you're a single entity within the UK, then it's going to be the Information Commissioner's Office. If you have more than one entity across the EU, then you need to pay a little bit more attention to that.

I hope that's helpful. I'll leave it there because we're just about to go out for a nice Singaporean dinner, and I shall catch you soon.