Cross-border processing and the one stop shop
The GDPR provides a new mechanism, the one stop shop (OSS), that will be in place from 25 May 2018 for organisations that are established in the European Union and that are engaged in cross-border processing of personal data. Read this guide to learn more about the OSS, and how it will apply to your organisation.
- The OSS will allow your organisation to deal with a single lead supervisory authority (LSA) for most of your processing activities.
- For the OSS to apply to your organisation, it must be established in the EU and be engaged in cross-border processing.
- If your organisation is established in the EU and is engaged in cross-border processing, you should determine the location of your main establishment.
- The supervisory authority of the EU Member State where your main establishment is located will be the lead supervisory authority (LSA) for your organisation’s processing activities.
- Guidelines are available from the EU Article 29 Working Party to help you to identify your LSA (further information below).
About cross-border processing
The GDPR defines cross-border processing as either:
- Processing of personal data which takes place in the context of the activities of an organisation in more than one Member State, where that organisation is established in more than one Member State, or
- Processing of personal data which takes place in the context of the activities of an organisation’s single establishment but where that processing substantially affects or is likely to substantially affect data subjects in more than one Member State.
What is meant by ‘substantially affects’ will depend on the nature of the processing activities your organisation is engaged in. If necessary, your LSA will determine what constitutes a substantial effect on a case-by-case basis.
You must engage in cross-border processing as described above for the OSS to be applicable to your organisation. If your organisation is not engaged in cross-border processing, the OSS will not apply.
Once you have confirmed that your organisation is engaged in cross-border processing, your next step will be to determine the location of your main establishment.
Where is my organisation’s main establishment?
The process you will follow to determine your main establishment differs depending on whether your organisation is a data controller or a data processor.
A data controller is defined as:
- An organisation that determines, alone or jointly with others, the purposes and means of the processing of personal data.
A data processor is defined as:
- An organisation that processes personal data on a data controller’s behalf.
The key to determining your main establishment if you are a data controller is to identify which of your organisation’s establishments has the power to take decisions on the purposes and means of your processing of personal data. This may be your place of central administration in the EU, but if your organisation takes these decisions at another establishment and that establishment has the power to have the decisions implemented, then the other establishment will be your main establishment.
If you are a data processor, your main establishment will be the location of your central administration in the EU unless your organisation does not have any central administration in the EU. If this is the case, the location where your organisation’s main processing activities take place will be your main establishment.
If your organisation is a joint controller with one or more other organisations, you should identify which establishment of the joint controllers has the power to take and implement decisions on the purposes and means of processing. That establishment will be the main establishment of the joint controllership.
If your organisation is part of a group of undertakings, the main establishment for the group will be the establishment where the entity that controls the group takes decisions on the purposes and means of the group’s processing.
If your organisation is engaged in a number of separate cross-border processing activities, it is possible that you will have more than one main establishment. You should not assume that all of your organisation’s cross-border processing activities will share the same main establishment.
This will be the case where decisions on the purposes and means of one processing activity are taken in the context of one establishment, while the decisions for a separate processing activity undertaken by the same organisation are taken in the context of a separate establishment.
The lead supervisory authority
The supervisory authority that will act as your LSA is the supervisory authority of the Member State where your organisation has its main establishment. Your LSA will have primary responsibility for dealing with your organisation’s processing activities and will be the supervisory authority that your organisation deals with in relation to its cross-border processing in most cases.
Because your organisation is engaged in cross-border processing, supervisory authorities other than your LSA will also have an interest in your processing activities. Such a supervisory authority, known in this context as a supervisory authority concerned (CSA), will be concerned with your organisation’s processing activities where any of the following applies:
- Your organisation is established in the Member State of that supervisory authority,
- Data subjects residing in the Member State of that supervisory authority are substantially affected or are likely to be substantially affected by your organisation’s processing activities,
- A complaint regarding your organisation’s processing activities has been lodged with that supervisory authority.
Should your LSA be required to investigate your organisation’s cross-border processing activities, it will do so according to the GDPR’s cooperation and consistency procedures. In such investigations, your LSA will closely coordinate with the relevant CSAs as appropriate.
In most cases, you will be required to deal only with your LSA. However, in certain circumstances, a CSA and not your LSA will be competent to handle a case regarding your organisation’s processing activities. A CSA may request to handle a case where the subject matter either:
- Relates only to an establishment of your organisation in the CSA’s Member State, or
- Substantially affects data subjects only in the CSA’s Member State.
If CSAs have conflicting views on your main establishment, it is open to them to challenge this and refer to the European Data Protection Board, which will make a binding decision on where your organisation’s main establishment is.
The Article 29 Working Party has issued guidelines that will aid your organisation in identifying where your main establishment is and therefore who your LSA is. These guidelines can be found on the Working Party’s website: http://ec.europa.eu/newsroom/document.cfm?doc_id=44102