One-stop shop for cross-border data protection in the EU

Written by Mahault Piéchaud Boura on , in category Privacy & data protection

On July 19th the European Data Protection Board (EDPB) met in Brussels to discuss cross-border cooperation and consistency procedures.

The EDPB was established by the GDPR and started its activities the 25 May 2016, when the GDPR became applicable. The EDPB's missions are to ensure the consistent application of data protection rules throughout the European Union and to promote cooperation between national data protection authorities. The Board is composed of the heads of the national authorities as well as the head of the European Data Protection Supervisor, which is the equivalent of the national authorities but for the European institutions. One of the tasks of the EDPB is to adopt consistency decisions and opinions about cross-border data protection.

What is the one-stop shop mechanism and what is its purpose?

The one-stop shop mechanism applies in case of cross-border processing. It is a cooperation mechanism between national supervisory authorities. It allows organisations involved in cross-border processing to have a single interlocutor for the supervision of such processing activities.

Cross-border data protection cases typically arise when the processing of personal data takes place in the context of the activities of an organisation in more than one EU Member State. In such a situation several supervisory authorities may be competent. To avoid inconsistencies, one of them should take the lead. This lead authority will have the responsibility of dealing with the organisation regarding its cross-border processing activities.

How to identify cross-border processing?

The GDPR identifies two situations of cross-border processing. The first is when processing takes place in the context of the activities of establishments of a controller in more than one Member State, i.e. when the controller is established in more than one Member State. The second situation is when the processing takes place in the context of the activities of a single establishment of a controller, but substantially affects, or is likely to substantially affect, data subjects in more than one Member State. This criterion must be interpreted on a case-by-case basis. [1]

How to identify the competent lead supervisory authority?

The identification of the lead supervisory authority is based on the main establishment of the data controller. The notion of main establishment is defined in the GDPR as follows: “as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment”. [2] In practice this will mean the central administration, where the decisions about the purposes and means of cross-border processing are taken and where the power to implement such decisions lies.

As an example, a bank is established in country A, where its corporate headquarters is located. All banking activities are managed from the headquarters, but all insurance activities are managed from a branch in country B. The branch in country B decides on the modalities of data processing and implements these decisions. By applying the main establishment criterion, it can be determined that the branch in country B is the main establishment for insurance activities. Consequently, the supervisory authority in country B will be the lead data protection authority for the insurance activities of the bank, while the data protection authority in country A will remain the lead authority for the banking activities of the bank.

However, the notion of central administration is not always applicable. In order to identify which authority is the lead supervisory authority, the following elements should be taken into consideration [3]:

  • Where are the decisions concerning purposes and means of processing given the final ‘sign off’?
  • Where is the place where decisions on business activities involving data processing are taken?
  • Where does the effective implementation power of decision regarding the processing lie?
  • Where are the directors with overall management responsibilities located?
  • Where is the company registered?

This cooperation between national supervisory authorities is one of the means implemented by the GDPR to ensure a coherent interpretation and implementation of the European rules throughout the Union. Still, the European legislator also designed a centralised mechanism to ensure the coherence of the framework: the consistency mechanism, which is organised around the European Data Protection Board.

What is the consistency mechanism?

To ensure a coherent interpretation and implementation of the European data protection rules, the European Data Protection Board provides opinions. In certain situations these opinions are mandatory: supervisory authorities must communicate draft decisions to the Board, which will issue an opinion, for example for the approval of Binding Corporate Rules or of a Code of Conduct. In other cases, national data protection authorities may request an opinion on a specific topic.

Some decisions of the Board are binding, notably when there is uncertainty about which national authority is competent to be the lead supervisory authority, or when a national authority does not follow an opinion of the Board. In such a situation, another supervisory authority concerned may refer the matter to the Board under the dispute resolution mechanism. The decision of the Board will be binding, to ensure a coherent implementation of the GDPR in the different EU Member States.

[1] Article 29 Data Protection Working Party, WP 244 rev.01, Guidelines for identifying a controller or processor's lead supervisory authority.

[2] Article 4(16)(a) GDPR

[3] Article 29 Data Protection Working Party, WP 244 rev.01, Guidelines for identifying a controller or processor's lead supervisory authority.