The role of the lead supervisory authority

Organisations that carry out cross-border processing operations have to deal with one data protection supervisory authority. This is the lead supervisory authority. On this page you can read what the rules are for who the lead supervisory authority is, and how you can determine yourself who the lead supervisory authority is for your organisation.

Rules on the lead supervisory authority 

The main rule is that the lead supervisory authority is the data protection supervisory authority in the member state in which the central administration of an organisation is located.

An exception to this main rule applies if the decisions on the purposes and means of the personal data processing are taken in another establishment, and that other establishment is also authorised to implement those decisions.

In that case, the supervisory authority of the EU member state in which that other establishment is located is the lead supervisory authority. 

One establishment

Does an organisation have one establishment in the EU (but are the data processing operations cross-border)? Then the supervisory authority in the country in which the organisation has its sole establishment is the lead supervisory authority.

Multiple establishments

Does an organisation have multiple establishments in the EU? Then the place in which the central administration of the organisation is located will be regarded as the main establishment. In practice, this may coincide with the establishment that is designated by the organisation itself as its central administration.

But are the decisions on the purpose and the means of the data processing taken in another establishment? Then that other establishment will be regarded by the supervisory authorities as the central administration within the meaning of the General Data Protection Regulation (GDPR).

Multiple supervisory authorities

Does an organisation carry out various cross-border data processing operations? And are the decisions on these operations taken in various establishments? Then there may be several lead supervisory authorities.

These are the supervisory authorities in the countries where the decisions on the various cross-border data processing operations are taken.

Guidelines for the lead supervisory authority

The European data protection supervisory authorities have published the Guidelines for identifying a controller or processor’s lead supervisory authority. These guidelines provide an explanation about the determination of the lead supervisory authority and the application of the one-stop shop rule. An official Dutch translation of the Guidelines for the lead supervisory authority is also available.

Your lead supervisory authority

Do you as an organisation want to know who your lead supervisory authority is? The flowchart "Determine who your lead supervisory authority is" will help you on your way.

Exceptions regarding the lead supervisory authority

The GDPR contains 2 exceptions to the rule of the lead supervisory authority. These say that the supervisory authority of another country is competent to conduct an investigation into an organisation, even if the central administration of this organisation is not located in this country.

It concerns the following 2 situations:

  1. It is a local case, with, for example, only the inhabitants of one specific country being affected.
  2. It concerns an emergency situation. This means that urgent action is needed for protecting the rights and freedoms of the data subjects. In that case, a non-lead supervisory authority may intervene, for example by imposing a processing ban.

A supervisory authority is not allowed to rely on such an exception without a good reason. The supervisory authority always has to consult with the lead supervisory authority first and ask if the latter wants to investigate the case. If the lead supervisory authority decides not to do this, the non-lead supervisory authority may start an investigation itself.

If a supervisory authority wants to rely on an emergency situation, this supervisory authority will have to submit the matter to the rest of the European supervisory authorities (united in the EDPB) as soon as possible.