How Do U.S. Companies Appoint a GDPR Lead Supervisory Authority?
Under GDPR, a Supervisory Authority is an independent public authority that is responsible for monitoring compliance with GDPR, helping organizations become compliant with GDPR, and enforcing compliance and conducting investigations. The supervisory authority is the entity that must be notified in the event of a breach of personal data of data subjects.
The Lead Supervisory Authority is the main data protection regulator and the entity that has primary responsibility for dealing with cross-border data processing. The main purpose of having a lead supervisory authority is that there is just one point of contact, such as when a business soperates in multiple EU member states. It is a one-stop shop for all matters related to GDPR.
For most companies, choosing a GDPR Lead Supervisory Authority is a straightforward decision. A company based in Paris, France would appoint the supervisory authority in France as the lead supervisory authority. A UK-based company would choose the Information Commissioner’s Office (ICO), which is the supervisory authority for the UK.
For companies that operate in multiple EU member states, the lead supervisory authority would normally be the supervisory authority in the country where the company’s headquarters is or where its main business location is in the EU. More specifically, it would be the Supervisory Authority in the country where the final decisions are made about data collection and processing.
A U.S. company that does not have a base in an EU member state has a problem. If it does not have a base in an EU member state where data procession decisions are made, it will not benefit from the one-stop-shop mechanism. Even if a company has a representative in an EU member state, that does not trigger the one-stop-shop mechanism.
The company must therefore deal with the supervisory authority in every member state where the company is active, through its local representative. There would not be any lead supervisory authority. Article 27 of GDPR details the requirement to appoint a local representative in an EU member state.
For some companies, especially those that operate in many EU member states, identifying the lead supervisory authority may not be straightforward. The Article 29 Data Protection Working Party has responded to confusion over the selection of an LSA by producing guidelines for identifying a controller or processor’s LSA. The guidelines can be downloaded on this link (PDF).