European Data Protection Board (EDPB): New guidelines on lead supervisory authority make it necessary for companies to revise their documents

The European Data Protection Board has recently published new guidelines on identifying the lead supervisory authority for public consultation.

In its new guidelines, the EDPB has made a significant about-turn in relation to the concept of a lead supervisory authority for joint controllers. Although the changes only concern certain points, they will nonetheless be significant in practice. Companies that process personal data as joint controllers with other companies should carefully review their joint controller agreements, internal privacy policies and data protection information to determine whether they comply with the new regulatory requirements:

Background: Concept of lead supervisory authority under the General Data Protection Regulation (GDPR) and the established Article 29 Working Party guidelines

The GDPR provides that the supervisory authority of the main establishment or the single establishment of the company is the “lead supervisory authority” for a company’s cross-border processing activities. According to what is known as the “one-stop shop” principle, the lead supervisory authority is the sole contact point of the company concerned for cross-border processing of personal data.

The designation of the lead supervisory authority is first of all relevant for the cooperation between supervisory authorities, for example, in dealing with complaints from data subjects as well as in public investigations, enforcement actions and sanctions against companies.

In practice, however, the designation of the lead supervisory authority also has considerable significance for companies, for example when formally or informally consulting the supervisory authority on cross-border data processing or when reporting cross-border personal data breaches. Thus, normally, information on the lead supervisory authority can also be found in internal guidelines for dealing with data protection incidents. The identification of the lead supervisory authority can also be relevant for the drafting of data protection information, in which companies often specify the supervisory authority responsible for them.

Even before the GDPR came into force, the Article 29 Working Party at the time had, on 13 September 2016, adopted guidelines for designating the lead supervisory authority of a controller or processor. As the successor to the Article 29 Working Party, the EDPB formally endorsed these guidelines on 25 May 2018.

Specific changes to the application of the lead supervisory authority concept in the case of joint controllers

Apart from some editorial changes, the EDPB has largely adopted unaltered the content of the existing Article 29 Working Party guidelines in its new guidelines for identifying the lead supervisory authority. The EDPB does, however, reverse one point, which will be significant in practice:

In their old guidelines, the supervisory authorities took the view that, in the case of cross-border processing activities, joint controllers should designate a common main establishment and thus a lead supervisory authority in order to benefit from the “one-stop shop” principle.

The EDPB has now revised this recommendation in its new guidelines by clarifying the notion of the main establishment: the concept of the main establishment and thus also of the lead supervisory authority now only applies to single controllers and cannot be extended to joint controllers. According to the new guidelines, any main establishment and thus the lead supervisory authority can only be designated individually for each joint controller. The main establishment of one joint controller cannot be considered the main establishment of all joint controllers. As a result, any agreements to designate a lead supervisory authority in joint controller agreements will be ineffective.

Public consultation and necessity for companies to revise documents

The EDPB will continue to welcome feedback regarding its new guidelines until 2 December 2022 in the public consultation process, explicitly pointing out that the consultations do not cover all of the guidelines, but only the section on designating a lead supervisory authority in the case of joint controllership, the content of which has been updated. Although, the possibility of the EDPB still making changes to its guidelines based on the feedback received during the consultation process cannot be excluded, such changes are usually of an editorial nature. No major changes in content are to be expected.

Companies that process personal data as joint controllers with other companies should therefore begin now to take the EDPB’s amendments into account, especially as the published version of the guidelines reflects the common approach of the European supervisory authorities. We particularly recommend using the EDPB’s publication of its guidelines as an opportunity to carefully review joint controller agreements, internal privacy policies on data protection and data protection information to determine whether they comply with the new regulatory requirements on designating the lead supervisory authority where there are joint controllers.