Which supervisory authority is competent after Brexit?


Brexit may have an impact on which supervisory data protection authority is competent for one or more of your data processing activities. After Brexit this will depend on whether you perform cross-border processing, and where you are established.

6.1. How to identify cross-border processing activities?

The GDPR identifies two situations for cross-border processing activities: 

  • The first situation is when processing is carried out in the context of the activities of establishments of a controller in more than one EEA Member State, or when the controller is established in more than one Member State. 
  • The second situation is when the processing is carried out in the context of the activities of a single establishment of a controller, but which substantially affects - or is likely to substantially affect - data subjects in more than one Member State. This criterion must be interpreted on a case-by-case basis. [1]

In the case of cross-border processing, the GDPR’s one-stop shop mechanism will apply, so that one supervisory authority will be competent for that cross-border processing (the lead supervisory authority).

6.2. What does the one-stop shop mechanism mean?

The one-stop shop mechanism applies in case of cross-border processing. It is a cooperation mechanism between national supervisory authorities. It allows organisations involved in cross-border processing to have a single interlocutor for the control of such processing activities.

Cross-border data protection cases typically arise when the processing of personal data takes place in the context of activities of an organisation in more than one EEA Member State. In such a situation, several supervisory authorities may be competent. To avoid any inconsistencies, one of them should take the lead. This lead authority will have the responsibility of dealing with the organisation regarding its cross-border processing activities.

Upon a no-deal Brexit, the UK’s supervisory authority (the ICO) will be taken out of the one-stop shop mechanism.

6.3. How to identify the competent lead supervisory authority?

Identifying the lead supervisory authority is based on the main establishment of the data controller, which is the place of central administration in the EEA, unless a different branch has the power to take such decisions.

The following elements should be taken into consideration to identify the lead supervisory authority:

  • Where are the decisions concerning purposes and means of processing given the final “sign off”?
  • Where is the place where decisions on company activities involving data processing are taken?
  • Where does the effective implementation power of decision regarding the processing lie?
  • Where are the directors with overall management responsibilities located?
  • Where is the company registered?

In most cases, the main establishment will be the central administration, where the decisions about the purpose and means of cross-border processing are taken and where the power to implement such decisions lies.

This cooperation between national supervisory authorities is one of the means implemented by the GDPR to ensure a coherent interpretation and implementation of the European rules throughout the Union. 

If the ICO is currently your supervisory authority, your course of action will vary depending on whether your company has establishments in the EEA. While the ICO has announced that it intends to keep on collaborating with European supervisory authorities, upon Brexit it will no longer be part of the one-stop shop mechanism and will be an independent supervisory authority. 

Consequently, you should reconsider which is your lead supervisory authority, or whether you have one at all in the EEA. In the case of a no-deal Brexit, controllers established in the UK will need to consider the following:

  • What is the country of central administration?
  • Where are the main decisions about data processing activities taken?
  • Where do the main processing activities take place?

If you cannot identify a main establishment in the EEA, you probably will have to designate a representative in the EEA.

6.4. When do you need to appoint a representative?

If you are a controller and processor without an establishment in the EEA upon a no-deal Brexit, you must designate a representative in the EEA when you process personal data of data subjects who are in the EEA to offer them goods and services or to monitor their behaviour, as far as it takes place in the EEA. 

The designated representative must be established in one of the Member States where the data subjects whose data are processed are located. The representative is mandated to be addressed by data subjects and supervisory authorities for GDPR compliance purposes.

6.5. What does the representative do?

The representative is acting on behalf of the controller or processor established outside of the EEA. He or she can be contacted by the supervisory authority.

The representative must maintain a record of processing activities. The representative must also cooperate with any supervisory authority asking for any information necessary for the performance of its tasks.

Related

This article ends a series of 6 articles about Brexit:

  1. Do I have to take into account the GDPR after Brexit?
  2. How to identify whether your processing activities are impacted by Brexit?
  3. Which personal data transfer mechanisms can you use?
  4. How to implement a personal data transfer mechanism?
  5. How to update your privacy policy and internal documents?
  6. Which supervisory authority is competent after Brexit?

[1] Article 29 Data Protection Working Party, WP 244 rev.01, Guidelines for identifying a controller or processor’s lead supervisory authority.