Determining your lead supervisory authority

1. Where the controller or processor is established in more than one Member State and the processing of personal data takes place in the context of the activities of establishments in more than one Member State:

In a case only involving the controller:

  • Identify the controller’s place of central administration in the EU
  • The supervisory authority of the country where the place of central administration is located is the controller’s lead supervisory authority
  • However, if decisions on the purposes and means of the processing are taken in another establishment in the EU, and that establishment has the power to implement those decisions, then the lead authority is the one located in the country where this establishment is.

In a case involving a controller AND a processor:

  • Check if the controller is established in the EU and subject to the one-stop-shop system. If so,
  • Identify the lead supervisory authority of the controller. This authority will also be the lead supervisory authority for the processor
  • The (non-lead) supervisory authority competent for the processor will be a ‘concerned authority’

In a case involving only a processor:

  • Identify the processor’s place of central administration in the EU
  • If the processor has no central administration in the EU, identify the establishment in the EU where the main processing activities of the processor take place

In a case involving joint controllers

  • Check if the joint controllers are established in the EU
  • Designate among the establishments where decisions on the purposes and means of the processing are taken the establishment which has the power to implement these decisions with respect to all joint controllers. This establishment will then be considered to be the main establishment for the processing carried out by the joint controllers. The lead authority is the one located in the country where this establishment is

2.  Where the processing of personal data takes place in the context of the activities of a data controller or processor’s single establishment in the Union, BUT:

substantially affects or is likely to substantially affect individuals in more than one Member State.

In this case, the lead authority is the authority for the controller or processor’s single establishment in a single Member State. This must – by logic - be the controller or processor’s main establishment because it is its only establishment.


The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018

R
Russell is the author of this solution article.

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.