In the case of cross-border processing, you must determine who your lead supervisory authority is.
Cross-border processing is defined as:
Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State, OR
Processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
The GDPR does not define ‘substantially’ or ‘affects’. The intention of the wording was to ensure that not every processing activity that has some effect and takes place within the context of a single establishment falls within the definition of ‘cross-border processing’. The most relevant ordinary English meanings of ‘substantial’ include: ‘of ample or considerable amount or size; sizeable, fairly large’, or ‘having solid worth or value, of real significance; solid; weighty, important’. The most relevant meaning of the verb ‘affect’ is ‘to influence’ or ‘to make a material impression on’.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018