Insight

Identifying the Lead Data Protection Authority under the GDPR

Identifying the Lead Data Protection Authority under the GDPR

Anastasios Antoniou

Anastasios Antoniou

November 24, 2020 04:51 PM

The lead authority under the GDPR

The concept of a lead supervisory data protection authority (the “Lead Authority”) facilitates monitoring cross-border processing or processing that relates to persons in more than one member state by a ‘one-stop’ authority.

Businesses engaged in cross-border processing activities may identify their Lead Authority depending on the location of the controller’s ‘main establishment’ or ‘single establishment’ in the EU.

While designating a Lead Authority is not mandatory under the GDPR, the benefit of doing so in terms of coordination and efficiency makes it an important tool for persons and businesses engaging with ‘cross-border processing’ activities in multiple member states that may potentially become the subject of investigation.

The Lead Authority will coordinate any investigation and can involve other concerned national supervisory authorities. In this context, the Lead Authority may cooperate and exchange information and liaise with such national authorities. The Lead Authority submits any draft decision to the other concerned national supervisory authorities.

From the perspective of a controller or processor, the Lead Authority is the main point of contact concerning the underlying ‘cross-border processing’ activity.

Cross-border processing

The Lead Authority is the authority with the primary responsibility for dealing with a cross-border processing activity, for example when a data subject makes a complaint about the processing of their personal data.

‘Cross-border processing’ is defined under Article 4(23) of the GDPR as either:

(i) “processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

(ii) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State”.

Substantially affects” is interpreted on a case by case basis and depends on various factors including, amongst others, the type of data, the purpose of the processing and the cause or risk of damage, loss or distress to the individual.

Determining the Lead Authority

The GDPR provides that “the supervisory authority of the main establishment or of the single establishment of the controller or processor” is competent to act as the Lead Authority.

The term ‘main establishment’ is defined under Article 4(16) of the GDPR as follows:

(i) “as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;

(ii) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation”;

Guidance published by the Article 29 Working Party, subsequently adopted by the European Data Protection Board (the “EDPB”), sets out a non-exhaustive list of factors for determining the controller’s main establishment. These factors include the following:

► the place where decisions on the purposes and means of processing are given final sign-off

► the place where decisions about business activities that involve data processing are made

► the place where the power to have decisions implemented effectively lies

► the location of the Director/Directors with overall management responsibility for the ‘cross-border processing’ activity

► the place where the controller or processor are registered as a company, if in a single territory.

Practical and commercial aspects

The Lead Authority constitutes a “one-stop” contact for data controllers and processors and an efficient mechanism for complying with the GDPR, particularly for large corporations with EU-wide and worldwide establishments.

Nevertheless, it should be noted that the Lead Authority concept has been designed to prevent abuse and ‘forum-shopping’ is not permitted under the GDPR.

As such, where a business claims to have its main establishment in one EU member state, without having any effective or actual exercise of management or decision-making over the processing of personal data taking place in that specific member state, then the Lead Authority will be decided by the supervisory authorities involved (or ultimately, by the EDPB) using objective criteria and based on the available evidence.

Main establishments in Cyprus

A plethora of multinational groups active in a wide range of industries, both within and outside the EU, have their headquarters in Cyprus. This is often the case as a result of establishing Cyprus holding companies to hold the group’s subsidiaries, due to the following reasons, amongst others:

► Cyprus taxes profits at 12.5% and taxation on outgoing dividends can be 0%

► Cyprus has signed more than 60 tax treaties (including with the UK, the US and Russia), which help ensure that Cyprus-based companies avoid double taxation

► Cyprus is an attractive destination for technology companies.

As such, Cyprus establishments of multinational corporations often carry out decision-making vis-à-vis personal data processing in Cyprus. The Commissioner for the Protection of Personal Data (the “DPC”) may accordingly be identified as the Lead Authority for a business that is a controller or processor and the main establishment or the single establishment of which is in Cyprus.

The DPC is the independent authority in Cyprus responsible for monitoring the application of the GDPR and Cypriot data protection laws. The DPC is tasked with protecting the fundamental rights and freedoms of natural persons concerning processing and to facilitate the free flow of personal data.

Drawing on the framework concerning the Lead Authority, whether the DPC will be the Lead Authority for a group which has a main establishment in Cyprus will depend on a range of factors which will determine if the effective or actual exercise of management or decision-making over the processing of personal data takes place in Cyprus.

16 November 2020

Christina McCollum
Solicitor (England and Wales) | Partner
Antoniou McCollum & Co.
T: +357 22 053333 | F: +357 22 053330
christina.mccollum@amc.law Ifigenia Iacovou
Advocate (Cyprus) | Senior Associate
Antoniou McCollum & Co.
T: +357 22 053333 | F: +357 22 053330
Ifigenia.iacovou@amc.law

Related Articles

Privacy Practice


by Casey Waughn

Data protection is all the rage among tech companies and state, national (and even transnational) governments alike. Is it a passing fad or here to stay? And how should businesses and groups of all sizes handle compliance with a blizzard of new laws?

Data Protection Prompt New Privacy Laws

New England States With Incoming Legislation


by Gregory Sirico

Best Lawyers takes an in depth look at newly proposed bills, litigation and cases coming out of four New England states.

New England Laws Taking Effect in 2022

Recent Developments on Privacy and Data Protection in Brazil


by Ricardo Barretto Ferreira da Silva and Camila Taliberti Ribeiro da Silva

A change of paradigm is urgent and requires a robust legislation on personal data protection.

Privacy and Data Protection Brazil

The Future of Data Privacy: You Can Run but You Can’t Hide (or Can You?)


by Chad W. King

In Ernest Cline’s dystopian novel "Ready Player One," the world’s population is addicted to a virtual reality game called the OASIS.

The Future of Data Privacy

My Data My Rules: An Overview of Data Protection in Brazil


by Fábio Pereira

My Data My Rules

Trending Articles

The Best Lawyers in Spain™ 2023


by Best Lawyers

Announcing Spain's recognized lawyers for 2023.

Flag of Spain

Announcing the 2023 The Best Lawyers in America Honorees


by Best Lawyers

Only the top 5.3% of all practicing lawyers in the U.S. were selected by their peers for inclusion in the 29th edition of The Best Lawyers in America®.

Gold strings and dots connecting to form US map

The Best Lawyers in Chile™ 2023


by Best Lawyers

The results include an elite field of top lawyers and firms in Chile.

White star in blue box beside white box with red box on bottom

Thirteen Years of Excellence


by Best Lawyers

For the 13th consecutive year, “Best Law Firms” has awarded the most elite and talented law firms across the country through a thorough and trusted data review process.

Red, white and blue pipes and writing on black background

The 2023 Best Lawyers in Portugal™


by Best Lawyers

Announcing the elite group of lawyers recognized in Portugal for 2023.

Green and red Portuguese flag

The Best Lawyers in South Africa™ 2023


by Best Lawyers

Best Lawyers proudly announces lawyers recognized in South Africa for 2023.

South African flag

Best Lawyers: Ones to Watch in America for 2023


by Best Lawyers

The third edition of Best Lawyers: Ones to Watch in America™ highlights the legal talent of lawyers who have been in practice less than 10 years.

Three arrows made of lines and dots on blue background

Announcing The Best Lawyers in Peru™ 2023


by Best Lawyers

Honoring our awarded lawyers for 2023 in Peru.

Red and white stripes with green leaf symbol

The Best Lawyers in Spain™ 2022


by Best Lawyers

The results include an elite field of top lawyers and firms.

The Best Lawyers in Spain™ 2022

Famous Songs Unprotected by Copyright Could Mean Royalties for Some


by Michael B. Fein

A guide to navigating copyright claims on famous songs.

Can I Sing "Happy Birthday" in Public?

IN PARTNERSHIP

Rewriting 𝙃𝙀𝙍𝙨𝙩𝙤𝙧𝙮 One Verdict at a Time


by Justin Smulison

Athea Trial Lawyers was formed only a year ago by several prestigious lawyers seeking justice for their clients, and together they are making history.

Six female lawyers sitting in office

Announcing the 2022 Best Lawyers® in the United States


by Best Lawyers

The results include an elite field of top lawyers listed in the 28th Edition of The Best Lawyers in America® and in the 2nd Edition of Best Lawyers: Ones to Watch in America for 2022.

2022 Best Lawyers Listings for United States

Strength in Numbers: When Partnering Up May Be Best in Whistleblower Litigation


by Justin Smulison

Whistleblower claims make headlines when they result in multimillion-dollar settlements. But the journey to the courtroom is characterized by complexity and requires time and resources. Bienert Katzman Littrell Williams partner and The Best Lawyers in America awardee Michael R. Williams discusses when and why partnerships between counsel will strengthen whistleblower litigation.

A Blue Person in the Middle of White People

What the Courts Say About Recording in the Classroom


by Christina Henagen Peer and Peter Zawadski

Students and parents are increasingly asking to use audio devices to record what's being said in the classroom. But is it legal? A recent ruling offer gives the answer to a question confusing parents and administrators alike.

Is It Legal for Students to Record Teachers?

Announcing the 2023 The Best Lawyers in Canada Honorees


by Best Lawyers

The Best Lawyers in Canada™ is entering its 17th edition for 2023. We highlight the elite lawyers awarded this year.

Red map of Canada with white lines and dots

Announcing the 2022 "Best Law Firms" Rankings


by Best Lawyers

The 2022 “Best Law Firms” publication includes all “Law Firm of the Year” recipients, national and metro Tier 1 ranked firms and editorial from thought leaders in the legal industry.

The 2022 Best Law Firms Awards