Processing involving several EU countries
If your organisation operates in more than one EU country, you need to find out which country’s supervisory authority you are meant to deal with. This data protection authority is called the lead supervisory authority.
The lead authority coordinates the supervision of the processing of personal data with other supervisory authorities concerned. This means that organisations usually only need to deal with one supervisory authority even if their activities have links to several EU countries. This arrangement is known as a one-stop-shop mechanism.
Cross-border processing means either
- processing of personal data which takes place in establishments in more than one EU Member State where the controller or processor is established in more than one Member State or
- processing of personal data which takes place in a single establishment of a controller or processor in the EU but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
Substantial effects include
- effects on human health, well-being and peace of mind
- effects on a person’s financial position or circumstances
- subjecting people to discrimination and unfair treatment
- damage, losses, anxiety, suffering and worry
- shame and damage to reputation
- substantial changes in behaviour
- unexpected unwanted consequences
- restriction of rights or loss of opportunities
- processing of sensitive or derogatory personal data or children’s personal data
- processing of personal data on a large scale.
How do I identify the lead supervisory authority?
The lead supervisory authority is usually determined on the basis of the controller’s main establishment. If your organisation’s main establishment is in Finland, the authority responsible for supervising the processing of personal data is usually the Finnish Data Protection Ombudsman.
The main establishment of controllers with establishments in several EU countries is the place of their central administration, except where the decisions on the purposes and means of the processing of personal data are taken in another establishment and that establishment has the power to implement such decisions, in which case that establishment is considered to be the controller’s main establishment. It is the responsibility of controllers to provide unambiguous information on where decisions on the purposes and means of processing personal data are taken.
If a controller has several establishments where decisions on the purposes and means of processing personal data are taken, the controller has several lead supervisory authorities. In such cases, the lead supervisory authorities are chosen on the basis of where decisions on cross-border processing operations are taken. Organisations that want to take advantage of the one-stop-shop mechanism can centralise all their decision-making powers relating to the processing of personal data in a single establishment, in which case all cross-border processing of the organisation’s personal data can be supervised by a single authority.
The one-stop-shop mechanism can also benefit processors that have establishments in more than one EU Member State. A processor’s main establishment is the place of its central administration in the EU. In the case of processors that do not have central administration in the EU, the lead supervisory authority is determined on the basis of the establishment in the EU where most of the processing of personal data takes place.
Where there is both a controller and a processor involved, the competent lead supervisory authority is the controller’s lead supervisory authority. In such cases, the processor’s lead supervisory authority is a so-called supervisory authority concerned, which must cooperate with the competent lead supervisory authority.
The data protection authorities of other EU countries contribute to the supervision coordinated by the lead supervisory authority as supervisory authorities concerned if
- the controller or processor in question is established on the territory of the Member State of that supervisory authority
- data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing or
- a complaint has been lodged with that supervisory authority.