Processing involving several EU countries

If your organisation operates in more than one EU country, you need to find out which country’s supervisory authority you are meant to deal with. This data protection authority is called the lead supervisory authority.

The lead supervisory authority oversees the supervision of personal data processing by organisations that carry out cross-border processing of personal data.

The lead authority coordinates the supervision of the processing of personal data with other supervisory authorities concerned. This means that organisations usually only need to deal with one supervisory authority even if their activities have links to several EU countries. This arrangement is known as a one-stop-shop mechanism.

How do I identify the lead supervisory authority?

The lead supervisory authority is usually determined on the basis of the controller’s main establishment. If your organisation’s main establishment is in Finland, the authority responsible for supervising the processing of personal data is usually the Finnish Data Protection Ombudsman.

The main establishment of a controller with establishments in several EU countries is the place of its central administration. The exception is where the decisions on the purposes and means of the processing of personal data are taken in another establishment and that establishment has the power to implement such decisions; in that case, that other establishment is considered to be the controller’s main establishment. It is the responsibility of controllers to provide unambiguous information on where decisions on the purposes and means of processing personal data are taken.

If a controller has several establishments where decisions on the purposes and means of processing personal data are taken, the controller has several lead supervisory authorities. In such cases, the lead supervisory authorities are chosen on the basis of where decisions on cross-border processing operations are taken. Organisations that want to take advantage of the one-stop-shop mechanism can centralise all their decision-making powers relating to the processing of personal data in a single establishment, in which case all cross-border processing of the organisation’s personal data can be supervised by a single authority.

The one-stop-shop mechanism can also benefit processors that have establishments in more than one EU Member State. A processor’s main establishment is the place of its central administration in the EU. In the case of processors that do not have a central administration in the EU, the lead supervisory authority is determined on the basis of the establishment in the EU where most of the processing of personal data takes place.

Where there is both a controller and a processor involved, the competent lead supervisory authority is the controller’s lead supervisory authority. In such cases, the processor’s lead supervisory authority is a so-called supervisory authority concerned, which must cooperate with the competent lead supervisory authority.