EDPB Provides Guidance on Determining Primary Supervisory Authority
Tuesday, February 27, 2024
Primary Supervisory Authority Determination Guidance from EDPB
Print Mail Download i

This month the EDPB shed light on the question of lead supervisory authorities. The issue arose in response to a question late last month from the French supervisory authority. Some background. As most international organizations are aware, GDPR provides for a “lead” supervisory authority where companies have their “main establishment” in that location. In the event, for example, if an investigation into a company’s violation of a particular provision of GDPR, the lead supervisory authority would be the sole authority to pursue the problem. This question can also come up when companies are trying to determine what authority to notify of a data breach. Without a lead supervisory authority, all supervisory authorities where there are data subjects would be able to participate.

The “lead supervisory authority” benefit has been referred to as the “one-stop-shop mechanism.” As might be imagined, both companies and supervisory authorities have a strong interest in understanding how to establish if a company has a “lead” supervisory authority. This month the EDPB issued an opinion intended to guide supervisory authorities in how to decide if a multinational qualifies for a lead supervisory authority. Two key criteria must be met:

  1. The operations in the EU country in question must be where the company makes decisions about the “purpose and means of processing” personal information.
  2. That EU operation must have the power to implement those decisions.

The EDPB stated in its opinion that if decisions and power to implement the decisions are “exercised outside of the [European] Union” (emphasis added) then there can be no EU lead supervisory authority (opinion, executive summary). The burden of proof, the EDPB noted, is on the company, which must cooperate with the supervisory authority that is attempting to determine if it should be viewed as the “lead.” While the existence of a regional headquarters in the country in question may suggest that the country is the lead, it is not dispositive evidence. The supervisory authority will still, the EDPB clarified, still need to look at the full evidence.

Putting It Into Practice: This opinion, although reiterating what is already in GDPR itself (Art 4(16)(a)), demonstrates the EDPB’s focus on supporting cooperation and streamlining between EU member state privacy authorities. Multinational companies, especially those with operations outside of the EU, should keep in mind the decision making and implementation criteria outlined in the EDPB’s opinion.

Listen to this post here

Copyright © 2024, Sheppard Mullin Richter & Hampton LLP.

Current Legal Analysis

More from Sheppard, Mullin, Richter & Hampton LLP

CFPB Announces Update in Continued War on Mortgage Servicing Junk Fees
by: A.J. S. Dhaliwal , Mehul N. Madia
Kansas Enacts Earned Wages Access Law
by: A.J. S. Dhaliwal , Mehul N. Madia
New York Broadly Revises Hospital Financial Assistance, Medical Debt Collection and Related Requirements
by: Carmen Jule
Utah’s New AI Disclosure Requirements Effective May 1
by: Liisa M. Thomas , Kathryn Smith
The CPPA Signals Focus on Data Minimization and Consumer Requests
by: Brittany Walter
Nebraska Fourth State to Enact Privacy Law in 2024
by: Liisa M. Thomas , Kathryn Smith
Solving for Physician Burnout: Creating a Culture of Psychological Safety
by: Kathleen M. O'Neill , Samantha Young
CMS Finalizes Federal Minimum Staffing Standards for Nursing Homes
by: Lourdes Martinez , Gregory R. Smith
New Program Under Biden Executive Order to Prevent Access to American’s Sensitive Personal Data by Foreign Actors
by: Townsend L. Bourne , Jordan Mallory
FTC Votes to Ban Noncompete Agreements
by: John D. Carroll , Leo Caseria

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins