Article 56 GDPR: Difference between revisions
No edit summary |
No edit summary |
||
(35 intermediate revisions by 7 users not shown) | |||
Line 185: | Line 185: | ||
== Legal Text == | == Legal Text == | ||
<center>'''Article 56 - Competence of the lead supervisory authority'''</center> | |||
<span id="1">1. Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.</span> | <span id="1">1. Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.</span> | ||
Line 199: | Line 199: | ||
<span id="6">6. The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.</span> | <span id="6">6. The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.</span> | ||
== Relevant | == Relevant Recital== | ||
{{Recital/36 GDPR}} | |||
{{Recital/123 GDPR}} | |||
{{Recital/124 GDPR}} | |||
{{Recital/125 GDPR}} | |||
{{Recital/126 GDPR}} | |||
{{Recital/127 GDPR}} | |||
{{Recital/128 GDPR}} | |||
==Commentary== | |||
In cross-border cases (Article 4(23) GDPR), several supervisory authorities (SA) could be competent according to [[Article 55 GDPR]]. For this reason, Article 56(1) GDPR establishes a specific mechanism to keep all the competent SAs involved and at the same time ensure the consistent application of the GDPR by issuing of one decision. This would be undermined in case of conflicting decisions on the same subject matter. The provision identifies a lead supervisory authority (LSA). This is the SA where the controller or the processor have their main establishment or single establishment ([[Article 4 GDPR|Article 4(16) GDPR]]) in the European Union/European Economic Area (EU/EEA). Under Article 56(2-5) GDPR, the LSA’s competence can be waived, in particular if the cross-border processing at stake has only a local impact. Article 56(6) GDPR introduces the one-stop shop mechanism. Whenever an LSA is validly appointed, it is to be the sole interlocutor of the controller or processor. | |||
Article 56 GDPR makes a direct reference to [[Article 55 GDPR]] (Competence), [[Article 60 GDPR]] (cooperation between LSE and other SA concerned (CSA)), Article [[Article 61 GDPR|61 GDPR]] (mutual assistance) and [[Article 62 GDPR]] (joint operations of SAs). Additional provisions that are closely related to Article 56 GDPR are [[Article 4 GDPR|Article 4(7) GDPR]] (definition of controller), [[Article 4 GDPR|Article 4(8) GDPR]] (definition of processor), [[Article 4 GDPR|Article 4(16) GDPR]] (definition of main establishment), [[Article 4 GDPR|Article 4(21) GDPR]] (definition of SA), [[Article 4 GDPR|Article 4(22) GDPR]] (definition of SA concerned(CSA)), [[Article 4 GDPR|Article 4(23) GDPR]] (definition of cross-border processing), [[Article 57 GDPR]] (tasks of SAs), [[Article 58 GDPR]] (powers of SAs), as well as [[Article 65 GDPR]] (dispute resolution by the board), [[Article 63 GDPR]] (consistency mechanism), [[Article 64 GDPR]] (opinion of the board), [[Article 66 GDPR]] (urgency procedure) and [[Article 67 GDPR]] (exchange of information). | |||
===(1) Designation of the Lead Supervisory Authority (LSA) and the Cooperation Mechanism === | |||
[[Article 55 GDPR]] confirms the general rule that breaches of data protection law occurring in a given Member State are investigated and possibly punished by the independent authority of that Member State. However, the processing of personal data often presents transnational features due, for example, to the existence of several establishments of the data controller within the territory of the EU/EEA (''"Union"'').<ref>The GDPR applies for all states of EEA. This includes all EU member states, Iceland, Liechtenstein and Norway. For more information see [[Article 1 GDPR]].</ref> In such circumstances, the general rule of Article 55 GDPR would require each independent authority to decide on a certain processing of personal data, with the obvious consequence of possible inconsistencies of application in case of divergent decisions. This would be in contradiction with one of the main objectives of the GDPR, namely to “''ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States''” (Recital 10 GDPR). In that view, Article 56 GDPR provides for an alternative decision-making procedure under two conditions: (i) the processing is of a cross-border nature, and (ii) the controller or processor has a main establishment or a single establishment in the EU/EEA. Where these conditions are met, Article 56 GDPR, in conjunction with [[Article 60 GDPR]] and [[Article 65 GDPR]], reserves part of the powers and tasks originally held by SAs under [[Article 55 GDPR]] for the (lead) SA where the main establishment or the single establishment of the controller or processor is located. Provided that one of the establishments in the EU/EEA of the controller takes the decisions on the purposes and means for the relevant processing operations and has the power to have these decisions implemented. When these decisions are taken and powers are exercised outside of the EU/EEA, there is no main establishment under Article 4(16)(a) GDPR, and the one-stop-shop mechanism does not apply according to EDPB Opinion 04/2024.<ref>The EDPB Opinion 04/2024 on the notion of main establishment of a controller in the Union under Art. 4.16(a) GDPR is available [https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-042024-notion-main-establishment_en here].</ref> | |||
==== Without prejudice to Article 55 GDPR ==== | |||
“''Without prejudice to''” presents a clarification that when the derogation from Article 55 applies, other SAs concerned are not losing their competences, but are limited in carrying them out. LSA’s competence is not exclusive. In fact, even if the LSA is in charge of directing the investigation and the decision-making process, it is still obliged to ensure dialogue with the other SAs and to take their positions into consideration as a matter of priority. Moreover, LSA’s position on substance is no stronger than that of any other CSA. In case of dispute the consistency mechanism is triggered and the EDPB adopts a binding decision under [[Article 65 GDPR]].<ref>See ''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 56 GDPR, p. 917 and 918 (Oxford University Press 2020). See also ''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 55 GDPR, margin number 16 (C.H. Beck 2020, 3rd Edition).</ref> | |||
Second, the derogation from the rules of Article 55 GDPR, by Article 56(1) with the one-stop-shop mechanism with the LSA, is only partial. First, it is not applicable where processing is carried out by public authorities or private bodies under [[Article 55 GDPR|Article 55(2) GDPR]].<ref>See, ''Robert'', Les autorités de contrôle dans le nouveau règlement général, in Docquir, Vers un droit européen de la protection des données, margin numbers 57-60 (Larcier, 2017).</ref> This can result in several SAs being competent with regard to a cross-border processing activity when a company is processing the same data to comply with statutory requirements and for commercial purposes.<blockquote>Example: Spanish telecommunications company Y, with clients from all over Europe and the main establishment in France, is storing phone records for law enforcement purposes and to comply with its contractual obligations. With regard to the processing activities for law enforcement purposes the Spanish SA is the competent SA. For processing activities in the context of contractual services, such as billing, the French SA will act as the LSA.</blockquote> | |||
==== Supervisory authority of the main or single establishment (lead supervisory authority) ==== | |||
Under Article 56(1) GDPR the SA of the main establishment or single establishment of the controller or the processor in the EU/EEA is (“shall be”) competent to act as LSA for cross-border processing of that controller or processor. While, according to EDPB Opinion 4/2024 for the one-stop-shop mechanism to apply this main or single establishment of the controller must take decisions on the purposes and means for the relevant processing and have the power to have these decisions implemented. | |||
EDPB Opinion 4/2024: The one-stop-shop mechanism can only apply if there is evidence that one of the establishments in the Union of the controller takes the decisions on the purposes and means for the relevant processing operations and has the power to have these decisions implemented. Otherwise there is no main establishment under Article 4(16)(a) GDPR, and the one-stop-shop mechanism does not apply.<ref>EDPB Opinion 04/2024 on the notion of main establishment of a controller in the Union under Art. 4.16(a) GDPR, summary and pages 5-11, available [https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-042024-notion-main-establishment_en here].</ref> | |||
== | ===== Establishment ===== | ||
Recital 22 GDPR, following the CJEU ruling in ''[[CJEU - C-230/14 - Weltimmo|Weltimmo]]'' defines “''establishment''” as “''the effective and real exercise of activity through stable arrangements''”.<ref>CJEU, 1 October 2015, ''Weltimmo'', C-230/14, margin number 31 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-230/14 here]).</ref> The legal form of such arrangements is irrelevant. The presence of only one representative can in some circumstances suffice.<ref>CJEU, 1 October 2015, ''Weltimmo'', C-230/14, margin number 30 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-230/14 here]).</ref> For more information see commentary to [[Article 4 GDPR|Article 4(16) GDPR]]. | |||
===== Main establishment ===== | |||
The GDPR uses separate criteria for determining the main establishment of a processor and of a controller. | |||
== Decisions == | ====== Main establishment of the controller ====== | ||
As a general rule, as per [[Article 4 GDPR|Article 4(16)(a) GDPR]], the main establishment of a controller is the place of its central administration in the EU/EEA. This is however a rebuttable presumption, since another establishment can also be the main establishment, according to [[Article 4 GDPR|Article 4(16) GDPR]], when the decisions on the purposes and means of the processing of personal data are taken in another establishment in the EU/EEA and the latter establishment has the power to have such decisions implemented. | |||
For more information, see commentary on [[Article 4 GDPR|Article 4(16) GDPR]], [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-82022-identifying-controller-or-processors-lead_en EDPB Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority] and [https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-042024-notion-main-establishment_en Opinion 04/2024 on the notion of main establishment of a controller in the Union under Art. 4.16(a) GDPR]. | |||
====== Main establishment of the processor ====== | |||
The main establishment of a processor with establishments in more than one Member State is the place of its central administration. In cases where the processor has no central administration in the EU/EEA, the GDPR provides that its main establishment is the place where the main processing activities take place in the EU/EEA (i) in the context of the activities of an establishment of the processor and (ii) to the extent that the processor is subject to specific obligations under the GDPR. The first qualification “''implies that the processing of personal data does not need to be carried out 'by' the relevant establishment itself, rather that it is sufficient if the processing is carried out 'in the context of the activities' of the establishment."<ref>''Tosoni'', The EU General Data Protection Regulation (GDPR), Article 4(16) GDPR, p. 235.</ref>'' The second qualification confirms the scope of application of the GDPR to processors. | |||
For more information, refer to commentary on [[Article 4 GDPR|Article 4(16) GDPR]] and [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-82022-identifying-controller-or-processors-lead_en EDPB Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority]. | |||
====== Main establishment of group undertakings ====== | |||
In the case of a group of undertaking with a headquarter in the EU/EEA, the main establishment will be presumed to be the decision-making center relating to the processing of personal data.<ref>Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority, version 2.1, paragraph 27, available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-82022-identifying-controller-or-processors-lead_en here].</ref> However, if the decisions relating to the processing are taken by another establishment of the controller in the EU/EEA, the latter should be considered the main establishment.<ref>For criteria taken into account by the Irish SA to conclude that Twitter had its main establishment in Ireland; see EDPB, Decision 01/2020 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Twitter International Company under Article 65(1)(a) GDPR, 9 November 2020, margin number 34 (available [https://edpb.europa.eu/our-work-tools/our-documents/binding-decision-board-art-65/decision-012020-dispute-arisen-draft_ga here]).</ref> | |||
====Identifying the lead supervisory authority (LSA) ==== | |||
===== General principles ===== | |||
If a controller or a processor has establishments in more than one Member State, identifying its “''main establishment''” is the first step to recognize the LSA in a cross-border processing.<ref>Note that the main establishment is defined for each processing operation. Therefore, there may be several main establishments, for example if the decisions regarding the different processing operations are done by different establishments of the controller. WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 5 (available [https://ec.europa.eu/newsroom/document.cfm?doc_id=44102 here]).</ref> The EDPB stresses that the GDPR does not allow “forum shopping”. It is a role of the SAs to properly define the main establishment according to objective criteria and subsequently determine the LSA. | |||
EDPB provided following, not exhaustive list of questions to determine a controller’s main establishment: Where are decisions about the purposes and means of the processing given final “sign off”? Where are decisions about business activities that involve data processing made? Where does the power to have decisions implemented effectively lie? Where is the Director (or Directors) with overall management responsibility for the cross-border processing located? Where is the controller or processor registered as a company, if in a single territory?”.<ref>Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority, version 2.1, paragraphs 25 and 26, available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-82022-identifying-controller-or-processors-lead_en here].</ref> | |||
The conclusion of the location of the main establishment cannot be based only on a statement of the organisation under review. The controllers and processors have to demonstrate where the relevant processing decisions are taken and where there is the power to implement such decisions. SAs can rebut the controller's analysis based on an objective examination of the relevant facts, requesting further information where required. The burden of proof is with the controllers and processors. <ref>EDPB, Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority, version 2.1, paragraph 37 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-82022-identifying-controller-or-processors-lead_en here]). See also Opinion 04/2024 on the notion of main establishment of a controller in the Union under Art. 4.16(a) GDPR, pages 5-11 (available [https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-042024-notion-main-establishment_en here]). </ref> Therefore the designation of one of several establishments in different Member States as the main establishment in the organizational chart is not sufficient to establish the LSA competence under Article 65(1) GDPR.<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO Kommentar, Article 56 GDPR, margin number 7 (C.H. Beck 2018).</ref> <blockquote>Example: Company X has designated a mailbox company in Estonia in organisational chart as its central administration, while all decisions regarding cross-border processing are made and enforced by its establishment located in France. The LSA is the French SA and not the Estonian SA. </blockquote>The main establishment is determined for each cross-border processing activity separately. This means that where different establishments are in charge of making decisions about different categories of cross-border processing, for example one for processing of customers’ data for advertising purposes and another for processing of employees’ data, and can also enforce their decisions, different LSAs will be in charge for each cathegory of cross-border processing.<blockquote>Example: Bike rental company XT has establishments in Germany, Austria and Hungary. Exclusively the establishment in Hungary is in charge of advertising, and the establishment in Austria for all decisions related to human resources. In this case the LSA for processing related to advertising is the Hungarian SA and for processing of employees data the Austrian SA.</blockquote>Companies can avoid situations leading to competence of different LSAs for different cross-border processing activities by putting one undertaking in charge of all decisions that are of data-protection relevance.<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO Kommentar, Article 56 GDPR, margin number 8 (C.H. Beck 2018).</ref> | |||
===== Identifying the LSA in specific cases of cross-border processing ===== | |||
====== Cases involving both controller and processor ====== | |||
In cases involving both the controller and the processor, the competent LSA remains the SA of the controller, if there is one. In such a case, the SA of the processor will be a concerned SA as per [[Article 4 GDPR|Article 4(22) GDPR]]. However, this is not the case if the draft decision concerns only the controller (Recital 36 GDPR). In cases where the processor is acting for several controllers, it may then be subject to the competence of several SAs.<ref>Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority, version 2.1, Section 2.2, available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-82022-identifying-controller-or-processors-lead_en here].</ref> | |||
====== Cases involving joint controllers ====== | |||
The GDPR does not address the situation of joint controllership and does not define specific criteria to determine the LSA. However, according to [[Article 26 GDPR|Article 26(1) GDPR,]] the controllers have to in a transparent manner determine their respective responsibilities for compliance with the obligations under the GDPR. EDPB considers that agreement between the controller could designate the establishment having the power to implement decisions about the processing with respect to the joint controllership.<ref>Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority, version 2.1, Section 2.2, available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-82022-identifying-controller-or-processors-lead_en here].</ref> This could also be supported by the wording of Recital 79 GDPR, which implies that the agreement regarding the allocation of responsibilities among controllers should also concern the monitoring and the measures of the SAs. However, this seems in contradiction with the aim expressed by the EDPB to avoid forum shopping.<ref>EDPB, Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment, 9 July 2019, p. 30 (available [https://edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-82019-competence-supervisory-authority_en here]).</ref> | |||
====== Cases where decisions are made outside EU/EEA ====== | |||
Some difficulties may arise when none of the EU/EEA establishments are making decisions about the processing (even with a headquarter in the EU/EU/EU/EEA). In such a case, significantly called “''borderline cases''” by the EDPB,<ref>Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority, version 2.1, Section 2.2, available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-82022-identifying-controller-or-processors-lead_en here].</ref> the GDPR does not provide for a clear answer. While the GDPR wants to encourage the non EU controller to be established in the EU/EEA to benefit from the one-stop shop, forum shopping should be avoided. The idea of the one-stop shop is to provide a single SA as interlocutor for the controller and to facilitate the dialogue with the main establishment making the decisions on the processing. When the latter is located outside EU/EEA, such controller cannot profit from the one-stop-shop mechanism for cross-border processing and must deal with local SAs in every Member State concerned.<ref>See EDPB Opinion 04/2024 on the notion of main establishment of a controller in the Union under Art. 4.16(a) GDPR, pages 5-11, available [https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-042024-notion-main-establishment_en here].</ref> | |||
===== ''Conflict of competence between supervisory authorities (SAs)'' ===== | |||
In case of “''conflicting views''” on which of the SA concerned is the LSA, the EDPB adopts a decision under the dispute resolution mechanism ([[Article 65 GDPR|Article 65(1)(b) GDPR]]). It seems that the decision on a conflicting view can only be taken within a specific procedure under [[Article 65 GDPR|Article 65(1)(b) GDPR]] and conflicting views on the LSA cannot be addressed via a reasoned objection within a procedure under [[Article 65 GDPR|Article 65(1)(a) GDPR]]. In its decision on the dispute resolution mechanism in case Twitter, the EDPB considered “''that a disagreement on the competence of the supervisory authority acting as LSA to issue a decision in the specific case should not be raised through an objection pursuant to [[Article 60 GDPR|Article 60(4) GDPR]] and falls outside of the scope of Article 4(24) GDPR''.”<ref>In this respect, see EDPB, Decision 01/2020 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Twitter International Company under Article 65(1)(a) GDPR, 9 November 2020, margin number 52 (available [https://edpb.europa.eu/our-work-tools/our-documents/binding-decision-board-art-65/decision-012020-dispute-arisen-draft_ga here]). </ref> | |||
===== ''Change of main establishment'' ===== | |||
GDPR does not address change of main establishment in the course of cooperation and consistency mechanism, the EDPB considers that “''the lead competence can switch to another SA until a final decision is made by the LSA''”.<ref>EDPB, Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment, 9 July 2019, p. 30 (available [https://edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-82019-competence-supervisory-authority_en here]).</ref> Thus, its competence is not definite until the very end of the procedure.<ref>''Hijmans'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 56, p. 920. </ref> The EDPB stressed that to prevent “''forum shopping''”, “''SAs should exercise effective control over the notion of main establishment in order to reduce the risk that controllers or processors artificially change their main establishment for the purpose of changing the competent authority to handle the case''”.<ref>EDPB, Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment, 9 July 2019, p. 30 (available [https://edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-82019-competence-supervisory-authority_en here]).</ref> While EDPB guidelines are useful, there are doubts about the chosen solution and its effectiveness.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 56 GDPR, pages 920-921 (Oxford University Press 2020).</ref> At the same time this solution prevents problems of enforceability of LSA decisions in another Member State, which would emerge if the competence would be linked to the time when the complaint was lodged. | |||
====Cross-Border Processing==== | |||
One of the conditions for triggering the competence of the LSA and the cooperation mechanism of [[Article 60 GDPR]] is the existence of a cross-border processing. The definition of cross-border processing is provided by [[Article 4 GDPR|Article 4(23) GDPR]] which stipulates that such a processing takes place in the context of the activities<ref>The meaning of “''the context of the activities''” was already developed by the CJEU. The Court built on a broad definition of “''establishment''” and held that intending to promote and sell advertising space by an establishment in a Member State of a third country undertaking to make the latter profitable is carried out “in the context of the activities” of that establishment" (CJEU, 13 May 2014, ''Google Spain'', C-131/12 (available [https://curia.europa.eu/juris/liste.jsf?num=C-131/12 here]); and CJEU, 1 October 2015, ''Weltimmo'', C-230/14 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-230/14 here]). The EDPB also confirmed that this notion should not be interpreted too restrictively considering the view to fulfil the objective of ensuring effective and complete protection. See, See EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 7 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en here]).</ref> of either (a) establishments in more than one Member State of a controller or processor in the EU/EEA where the controller or processor is established in more than one Member State; or (b) a single establishment of a controller or processor in the EU/EEA which substantially affects<ref>The notion of “''substantial effect''” on data subjects as mentioned by Article 4(23)(b) is not defined in the GDPR. In its guidelines (endorsed by the EDPB), the Working Party 29 considered that the number of affected individuals in several Member States is not decisive. Rather, the Working Party developed a following, non-exhaustive list of criteria that will be taken into account on a case by case basis. The guidelines suggest to take into account the context of the processing, the type of data, the purpose of the processing and other factor factors, such as potential discrimination, reputational damage, impact on the well-being or involvement of special categories of data. See, WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 4 (available [https://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp244_en_40857.pdf here]).</ref> or is likely to substantially affect data subjects in at least one other Member State. <blockquote>Example: Bike rental company XT has establishments in Hungary, Austria and Slovenia. Decision on processing, e.g. data that is collected, purposes for which it can be used and for how long it is stored, are made in Austria and implemented in every establsihment. | |||
Example: Company TX from Checz Republic is providing online services to customers from all over EU/EEA and in for that purpose collecting and storing their data.</blockquote>On the other hand, the processing by a controller only established in one Member State which substantially only affects the individuals in this Member State will not meet the conditions. <blockquote>Example: A Polish company, which is a branch of a Swedish company, processes human resources data of its employees alone, the processed data relates only to its employees and any decision about the purposes and means of this processing is taken by the Polish company, e.g. the Human resources policy, and also the servers on which these data are held is in Poland. There is no cross-border processing and Article 56 of the GDPR does not apply in this case.<ref>See Internal EDPB Document 1/2019 on handling cases with only local impacts under Article 56.2 GDPR, version 2.0, page 6, available [https://edpb.europa.eu/system/files/2022-07/Internal%20EDPB%20document%201-2019%20on%20handling%20of%20local%20cases_en.pdf here].</ref> </blockquote>For more information, please, refer to the commentary to [[Article 4 GDPR|Article 4(23) GDPR]]. | |||
====Main Establishment==== | |||
===(2) Derogation for cases of a local nature=== | |||
Article 56(2) GDPR introduces an exception (“''by derogation''”) to the general competence of the SA of the main establishment for cases of cross-border processing under first paragraph (''"from paragraph 1"''). Article 56(2) GDPR provides that a SA which is not the LSA is to be competent to (a) handle a complaint lodged with it concerning a cross-border processing of personal data or (b) a possible infringement of the GDPR, if the subject matter (i) relates only to an establishment in its own Member State or (ii) substantially affects data subjects only in that Member State. In particular, a case is local in nature if the controller is established in more than one Member State, but the subject matter of the specific processing concerns only processing carried out in a single state and involves only data subjects in that state, for example, where the subject matter concerns the processing of employees' personal data in the specific employment context of a Member State (Recital 127). EDPB adopted Internal EDPB Document 1/2019 on procedural steps to be applied by SAs for handling of cases that potentially relate to cross-border processing and in particularly cases with only local impacts under Article 56.2 GDPR ("EDPB Internal Document").<ref>Internal EDPB Document 1/2019 on handling cases with only local impacts under Article 56.2 GDPR, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-12019-handling-cases-only_en here].</ref> <blockquote>Example: Due to repeated thefts occurring in a store located in France, of a retail company established in several Member States, the Italian headquarters decides to use video surveillance for the store in France. Since the Italian establishment determines the purposes and means of this monitoring system, this is a cross-border processing and the controller’s main establishment is in Italy. If a French employee (or a customer) lodges a complaint regarding the use of the surveillance-camera with the French SA, the SA may find that this case is of local nature, since no other establishment, except the French, makes use of video-surveillance.<ref name=":0">See Internal EDPB Document 1/2019 on handling cases with only local impacts under Article 56.2 GDPR, version 2.0, page 8, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-12019-handling-cases-only_en here].</ref></blockquote>On the contrary, the resolution of a case of video surveillance systems implemented in stores in more than one Member States, as a matter of general policy, which infringes GDPR’s provisions, for example due to allegedly excessive retention period of the video surveillance data, is not only relating to the establishment located in one Member State.<ref name=":0" /> | |||
According to the EDPB "''[t]o be considered as a local case, the actual impact of it should be limited to data subjects residing in the SA’s Member State.''"<ref>See Internal EDPB Document 1/2019 on handling cases with only local impacts under Article 56.2 GDPR, version 2.0, page 9, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-12019-handling-cases-only_en here].</ref><blockquote>Example: An online retail company sells products that can be delivered throughout EU/EEA. The website provides information about the processing of personal data in many languages used in the EU/EU/EEA. The Islandic linguistic version is incomplete and this language is spoken only in a single Member State Iceland. In this situation, the case could be considered as having only local impacts in the SA’s territory.</blockquote>If the SA considers that the case is likely to impact individuals in another Member State, it should consider that this is not a local case.<blockquote>Example: An online order form from a retail company requires that all customers (located in several Member States) provide information that is not necessary to deliver the products. The subject matter of the case as well as the resolution of this case will substantially affect data subjects in several Member States.</blockquote>Also a case about a cross-border processing that is in line with the GDPR but infringes the national legislation could have only local impacts.<blockquote>Example: The Italian main establishment of a company decides to implement video-surveillance in each of its establishments. The French national law about video-surveillance in public space provides that the images should not be stored more than one month, and the retention period of data is excessive only according to this national law, the resolution of the case would be only relating to the local establishment and would concern only data subjects in France.<ref>See Internal EDPB Document 1/2019 on handling cases with only local impacts under Article 56.2 GDPR, version 2.0, page 10, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-12019-handling-cases-only_en here].</ref></blockquote>The competence of local SAs in local cases reflects one of the principles of the GDPR, namely the principle of proximity as an important aspect of the protection of individuals rights.<ref>See ''Selmayr'', in Ehmann, Selmayr, DS-GVO Kommentar, Article 56 GDPR, margin number 14 (C.H. Beck 2017); and ''Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 56 GDPR, p. 921 (Oxford University Press 2020).</ref> Nevertheless, the local SA will handle a case with a subject matter of a local nature only, if the LSA does not decide to handle it (see below). | |||
=== (3) Involvement of the lead supervisory authority (LSA) === | |||
Under Article 56(3) GDPR, in the event of a “local case” under Article 56(2) GDPR, the SA must inform the LSA “''without delay''” on that matter. The LSA must respond within a period of three weeks whether or not it will handle the case. To make this decision, the (L)SA will take into account of the presence of an establishment of the controller or processor in the Member State of which the SA informed it. The existence of an establishment in the Member State of the local SA is to be taken into account, “''in order to ensure effective enforcement of a decision vis-à-vis the controller or processor.''”<ref>Recital 127.</ref> According to the EDPB Internal Document 1/2019 the (L)SA should also take into account whether the case raises a new matter of principle which has not yet been resolved at the European level.<ref>See Internal EDPB Document 1/2019 on handling cases with only local impacts under Article 56.2 GDPR, version 2.0, page 10, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-12019-handling-cases-only_en here].</ref> In its Internal Document the EDPB clarifies that a matter has been addressed at European level, when it has been decided on the merits, either by the LSA following the cooperation procedure, or by the European Data Protection Board (EDPB) or by the case law of the CJEU or the European Court of Human Rights.<ref>See Internal EDPB Document 1/2019 on handling cases with only local impacts under Article 56.2 GDPR, version 2.0, page 13, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-12019-handling-cases-only_en here].</ref> | |||
In the event that the LSA does not decide within the three week period whether it will handle the case the local SA can trigger the mutual assistance procedure under [[Article 61 GDPR]], in order to receive an answer from the LSA. Followed by a request to obtaining an opinion from the EDPB under Article 64(2) GDPR, if the LSA does not comply with the obligations for mutual assistance within one month.<ref>See Internal EDPB Document 1/2019 on handling cases with only local impacts under Article 56.2 GDPR, version 2.0, page 14, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-12019-handling-cases-only_en here].</ref> | |||
=== (4) Lead supervisory authority (LSA) takes the lead === | |||
If the LSA decides to handle the case, the one-stop shop procedure introduced in [[Article 60 GDPR]] is triggered. However, the SA which informed the LSA about the subject matter may submit to the LSA a draft for a decision. According to the EDPB Internal Guidelines the LSA must take at most account of that draft, "''except where there are specific, overriding reasons preventing it.''"<ref>See Internal EDPB Document 1/2019 on handling cases with only local impacts under Article 56.2 GDPR, version 2.0, page 15, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-12019-handling-cases-only_en here].</ref> The local SA remains in a strong position since it can still suggest a draft decision to the LSA, which is in general competent to draw up a draft decisions in accordance with [[Article 60 GDPR|Article 60(3) GDPR]].For more information see commentary to [[Article 60 GDPR]]. | |||
Paragraphs 4 and 5, in contrast to paragraphs 2 and 3, does not make any reference to local cases. Therefore one possible interpretation of these two paragraphs is, that they do not apply only in local cases but in any cross-border case, where the LSA in fact does not act and does not handle the case as it is obliged to under Article 60 GDPR.<ref>xxxx</ref> This means that the SA where the complaint was lodged is also competent to handle the cross-border case according to [[Article 61 GDPR]] and [[Article 62 GDPR]], if the LSA fails to handle the case. (see paragraph 5 below). | |||
=== (5) Local supervisory authority handles the case === | |||
If the LSA decides not to handle a local case, Article 56(5) GDPR provides that the SA which triggered the procedure handles it according to [[Article 61 GDPR]] and [[Article 62 GDPR]]. Those provisions require the SAs to comply with the rules on mutual assistance and cooperation within the framework of joint operations, in order to ensure effective cooperation between the authorities concerned. EDPB Internal Document 1/2019 forsees that the local SA exercises its full range of powers pursuant to [[Article 58 GDPR]], including the corrective powers. Also, "''when the cross-border case is handled “locally”, the LSA is not the sole interlocutor of the controller or processor''" as provided for in Article 56(6) GDPR (see below).<ref>See Internal EDPB Document 1/2019 on handling cases with only local impacts under Article 56.2 GDPR, version 2.0, page 15, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-12019-handling-cases-only_en here].</ref> | |||
Paragraph 5, just as paragraph 4 and contraty to paragraphs 2 and 3, does not in any way refer to local cases it can be argued that it can be applied also in case of inactivity of the LSA. The SA that informed the LSA about the assumed infringement of the GDPR relating to cross-border processing that would require the LSA to handle the case in accordance with procedure prvided in Article 60 GDPR, was obliged to handle it ("shall handle it"), if the LSA failed to do so (see also commentary to paragraph 4 above). | |||
===(6) The lead supervisory authority (LSA) as the sole interlocutor of the controller or the processor=== | |||
Article 56(6) GDPR provides that the LSA is the sole interlocutor of the controller or the processor. That means that, in case of cross-border processing, the communication should exclusively take place with the LSA, to avoid that the controller or processor would have multiple discussions with several SAs. In addition to relief from bureaucratic burdens, the ''"[e]xclusive contacts with a controller or processor are a means to streamline the procedure."''<ref>''Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 56 GDPR, p. 924 (Oxford University Press 2020).</ref> | |||
At the same time, in relation to other CSAs, the LSA ''"must exercise such competence within a framework of close cooperation with the other supervisory authorities concerned."''<ref>CJEU, [https://curia.europa.eu/juris/liste.jsf?num=C-645/19 C-645/19 - ''Facebook c. APD''], paragraph 64, available [https://curia.europa.eu/juris/liste.jsf?num=C-645/19 here].</ref> | |||
Article 56 GDPR does not specify whether the LSA remains the sole interlocutor of the controller or processor where the local SA is handling the case under Article 56(5) GDPR. The EDPB Internal Document 1/2019 suggests that "''when the cross-border case is handled “locally”, the LSA is not the sole interlocutor of the controller or processor''".<ref>See Internal EDPB Document 1/2019 on handling cases with only local impacts under Article 56.2 GDPR, version 2.0, page 15, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-12019-handling-cases-only_en here]. | |||
See also ''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 56 GDPR, margin number 17 (C.H. Beck 2020, 3rd Edition).</ref> However, not all scholars share this view.<ref>See for example ''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 56 GDPR, margin number 16 (Nomos 2019). ''See also Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 56 GDPR, p. 924 (Oxford University Press 2020).</ref> Some scholars suggest a pragmatic approach to avoid communication issues with the controller or processor.<ref>''Hijmans'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 56, p. 92 ''Hijmans'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 56, p. 924.</ref> | |||
This provision is not determining data subject's contact point. According to [[Article 77 GDPR|Article 77(1) GDPR]], the data subject can contact a SA of his choice when filing a complaint and the SA whit which the complaint was lodged stays his pont of contact throughout the procedure. | |||
==Decisions== | |||
→ You can find all related decisions in [[:Category:Article 56 GDPR]] | → You can find all related decisions in [[:Category:Article 56 GDPR]] | ||
== References == | ==References== | ||
<references /> | <references /> | ||
[[Category:GDPR Articles]] | [[Category:GDPR Articles]] |
Latest revision as of 22:28, 1 April 2024
Legal Text
1. Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.
2. By derogation from paragraph 1, each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.
3. In the cases referred to in paragraph 2 of this Article, the supervisory authority shall inform the lead supervisory authority without delay on that matter. Within a period of three weeks after being informed the lead supervisory authority shall decide whether or not it will handle the case in accordance with the procedure provided in Article 60, taking into account whether or not there is an establishment of the controller or processor in the Member State of which the supervisory authority informed it.
4. Where the lead supervisory authority decides to handle the case, the procedure provided in Article 60 shall apply. The supervisory authority which informed the lead supervisory authority may submit to the lead supervisory authority a draft for a decision. The lead supervisory authority shall take utmost account of that draft when preparing the draft decision referred to in Article 60(3).
5. Where the lead supervisory authority decides not to handle the case, the supervisory authority which informed the lead supervisory authority shall handle it according to Articles 61 and 62.
6. The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.
Relevant Recital
Commentary
In cross-border cases (Article 4(23) GDPR), several supervisory authorities (SA) could be competent according to Article 55 GDPR. For this reason, Article 56(1) GDPR establishes a specific mechanism to keep all the competent SAs involved and at the same time ensure the consistent application of the GDPR by issuing of one decision. This would be undermined in case of conflicting decisions on the same subject matter. The provision identifies a lead supervisory authority (LSA). This is the SA where the controller or the processor have their main establishment or single establishment (Article 4(16) GDPR) in the European Union/European Economic Area (EU/EEA). Under Article 56(2-5) GDPR, the LSA’s competence can be waived, in particular if the cross-border processing at stake has only a local impact. Article 56(6) GDPR introduces the one-stop shop mechanism. Whenever an LSA is validly appointed, it is to be the sole interlocutor of the controller or processor.
Article 56 GDPR makes a direct reference to Article 55 GDPR (Competence), Article 60 GDPR (cooperation between LSE and other SA concerned (CSA)), Article 61 GDPR (mutual assistance) and Article 62 GDPR (joint operations of SAs). Additional provisions that are closely related to Article 56 GDPR are Article 4(7) GDPR (definition of controller), Article 4(8) GDPR (definition of processor), Article 4(16) GDPR (definition of main establishment), Article 4(21) GDPR (definition of SA), Article 4(22) GDPR (definition of SA concerned(CSA)), Article 4(23) GDPR (definition of cross-border processing), Article 57 GDPR (tasks of SAs), Article 58 GDPR (powers of SAs), as well as Article 65 GDPR (dispute resolution by the board), Article 63 GDPR (consistency mechanism), Article 64 GDPR (opinion of the board), Article 66 GDPR (urgency procedure) and Article 67 GDPR (exchange of information).
(1) Designation of the Lead Supervisory Authority (LSA) and the Cooperation Mechanism
Article 55 GDPR confirms the general rule that breaches of data protection law occurring in a given Member State are investigated and possibly punished by the independent authority of that Member State. However, the processing of personal data often presents transnational features due, for example, to the existence of several establishments of the data controller within the territory of the EU/EEA ("Union").[1] In such circumstances, the general rule of Article 55 GDPR would require each independent authority to decide on a certain processing of personal data, with the obvious consequence of possible inconsistencies of application in case of divergent decisions. This would be in contradiction with one of the main objectives of the GDPR, namely to “ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States” (Recital 10 GDPR). In that view, Article 56 GDPR provides for an alternative decision-making procedure under two conditions: (i) the processing is of a cross-border nature, and (ii) the controller or processor has a main establishment or a single establishment in the EU/EEA. Where these conditions are met, Article 56 GDPR, in conjunction with Article 60 GDPR and Article 65 GDPR, reserves part of the powers and tasks originally held by SAs under Article 55 GDPR for the (lead) SA where the main establishment or the single establishment of the controller or processor is located. Provided that one of the establishments in the EU/EEA of the controller takes the decisions on the purposes and means for the relevant processing operations and has the power to have these decisions implemented. When these decisions are taken and powers are exercised outside of the EU/EEA, there is no main establishment under Article 4(16)(a) GDPR, and the one-stop-shop mechanism does not apply according to EDPB Opinion 04/2024.[2]
Without prejudice to Article 55 GDPR
“Without prejudice to” presents a clarification that when the derogation from Article 55 applies, other SAs concerned are not losing their competences, but are limited in carrying them out. LSA’s competence is not exclusive. In fact, even if the LSA is in charge of directing the investigation and the decision-making process, it is still obliged to ensure dialogue with the other SAs and to take their positions into consideration as a matter of priority. Moreover, LSA’s position on substance is no stronger than that of any other CSA. In case of dispute the consistency mechanism is triggered and the EDPB adopts a binding decision under Article 65 GDPR.[3]
Second, the derogation from the rules of Article 55 GDPR, by Article 56(1) with the one-stop-shop mechanism with the LSA, is only partial. First, it is not applicable where processing is carried out by public authorities or private bodies under Article 55(2) GDPR.[4] This can result in several SAs being competent with regard to a cross-border processing activity when a company is processing the same data to comply with statutory requirements and for commercial purposes.
Example: Spanish telecommunications company Y, with clients from all over Europe and the main establishment in France, is storing phone records for law enforcement purposes and to comply with its contractual obligations. With regard to the processing activities for law enforcement purposes the Spanish SA is the competent SA. For processing activities in the context of contractual services, such as billing, the French SA will act as the LSA.
Supervisory authority of the main or single establishment (lead supervisory authority)
Under Article 56(1) GDPR the SA of the main establishment or single establishment of the controller or the processor in the EU/EEA is (“shall be”) competent to act as LSA for cross-border processing of that controller or processor. While, according to EDPB Opinion 4/2024 for the one-stop-shop mechanism to apply this main or single establishment of the controller must take decisions on the purposes and means for the relevant processing and have the power to have these decisions implemented.
EDPB Opinion 4/2024: The one-stop-shop mechanism can only apply if there is evidence that one of the establishments in the Union of the controller takes the decisions on the purposes and means for the relevant processing operations and has the power to have these decisions implemented. Otherwise there is no main establishment under Article 4(16)(a) GDPR, and the one-stop-shop mechanism does not apply.[5]
Establishment
Recital 22 GDPR, following the CJEU ruling in Weltimmo defines “establishment” as “the effective and real exercise of activity through stable arrangements”.[6] The legal form of such arrangements is irrelevant. The presence of only one representative can in some circumstances suffice.[7] For more information see commentary to Article 4(16) GDPR.
Main establishment
The GDPR uses separate criteria for determining the main establishment of a processor and of a controller.
Main establishment of the controller
As a general rule, as per Article 4(16)(a) GDPR, the main establishment of a controller is the place of its central administration in the EU/EEA. This is however a rebuttable presumption, since another establishment can also be the main establishment, according to Article 4(16) GDPR, when the decisions on the purposes and means of the processing of personal data are taken in another establishment in the EU/EEA and the latter establishment has the power to have such decisions implemented.
For more information, see commentary on Article 4(16) GDPR, EDPB Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority and Opinion 04/2024 on the notion of main establishment of a controller in the Union under Art. 4.16(a) GDPR.
Main establishment of the processor
The main establishment of a processor with establishments in more than one Member State is the place of its central administration. In cases where the processor has no central administration in the EU/EEA, the GDPR provides that its main establishment is the place where the main processing activities take place in the EU/EEA (i) in the context of the activities of an establishment of the processor and (ii) to the extent that the processor is subject to specific obligations under the GDPR. The first qualification “implies that the processing of personal data does not need to be carried out 'by' the relevant establishment itself, rather that it is sufficient if the processing is carried out 'in the context of the activities' of the establishment."[8] The second qualification confirms the scope of application of the GDPR to processors.
For more information, refer to commentary on Article 4(16) GDPR and EDPB Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority.
Main establishment of group undertakings
In the case of a group of undertaking with a headquarter in the EU/EEA, the main establishment will be presumed to be the decision-making center relating to the processing of personal data.[9] However, if the decisions relating to the processing are taken by another establishment of the controller in the EU/EEA, the latter should be considered the main establishment.[10]
Identifying the lead supervisory authority (LSA)
General principles
If a controller or a processor has establishments in more than one Member State, identifying its “main establishment” is the first step to recognize the LSA in a cross-border processing.[11] The EDPB stresses that the GDPR does not allow “forum shopping”. It is a role of the SAs to properly define the main establishment according to objective criteria and subsequently determine the LSA.
EDPB provided following, not exhaustive list of questions to determine a controller’s main establishment: Where are decisions about the purposes and means of the processing given final “sign off”? Where are decisions about business activities that involve data processing made? Where does the power to have decisions implemented effectively lie? Where is the Director (or Directors) with overall management responsibility for the cross-border processing located? Where is the controller or processor registered as a company, if in a single territory?”.[12]
The conclusion of the location of the main establishment cannot be based only on a statement of the organisation under review. The controllers and processors have to demonstrate where the relevant processing decisions are taken and where there is the power to implement such decisions. SAs can rebut the controller's analysis based on an objective examination of the relevant facts, requesting further information where required. The burden of proof is with the controllers and processors. [13] Therefore the designation of one of several establishments in different Member States as the main establishment in the organizational chart is not sufficient to establish the LSA competence under Article 65(1) GDPR.[14]
Example: Company X has designated a mailbox company in Estonia in organisational chart as its central administration, while all decisions regarding cross-border processing are made and enforced by its establishment located in France. The LSA is the French SA and not the Estonian SA.
The main establishment is determined for each cross-border processing activity separately. This means that where different establishments are in charge of making decisions about different categories of cross-border processing, for example one for processing of customers’ data for advertising purposes and another for processing of employees’ data, and can also enforce their decisions, different LSAs will be in charge for each cathegory of cross-border processing.
Example: Bike rental company XT has establishments in Germany, Austria and Hungary. Exclusively the establishment in Hungary is in charge of advertising, and the establishment in Austria for all decisions related to human resources. In this case the LSA for processing related to advertising is the Hungarian SA and for processing of employees data the Austrian SA.
Companies can avoid situations leading to competence of different LSAs for different cross-border processing activities by putting one undertaking in charge of all decisions that are of data-protection relevance.[15]
Identifying the LSA in specific cases of cross-border processing
Cases involving both controller and processor
In cases involving both the controller and the processor, the competent LSA remains the SA of the controller, if there is one. In such a case, the SA of the processor will be a concerned SA as per Article 4(22) GDPR. However, this is not the case if the draft decision concerns only the controller (Recital 36 GDPR). In cases where the processor is acting for several controllers, it may then be subject to the competence of several SAs.[16]
Cases involving joint controllers
The GDPR does not address the situation of joint controllership and does not define specific criteria to determine the LSA. However, according to Article 26(1) GDPR, the controllers have to in a transparent manner determine their respective responsibilities for compliance with the obligations under the GDPR. EDPB considers that agreement between the controller could designate the establishment having the power to implement decisions about the processing with respect to the joint controllership.[17] This could also be supported by the wording of Recital 79 GDPR, which implies that the agreement regarding the allocation of responsibilities among controllers should also concern the monitoring and the measures of the SAs. However, this seems in contradiction with the aim expressed by the EDPB to avoid forum shopping.[18]
Cases where decisions are made outside EU/EEA
Some difficulties may arise when none of the EU/EEA establishments are making decisions about the processing (even with a headquarter in the EU/EU/EU/EEA). In such a case, significantly called “borderline cases” by the EDPB,[19] the GDPR does not provide for a clear answer. While the GDPR wants to encourage the non EU controller to be established in the EU/EEA to benefit from the one-stop shop, forum shopping should be avoided. The idea of the one-stop shop is to provide a single SA as interlocutor for the controller and to facilitate the dialogue with the main establishment making the decisions on the processing. When the latter is located outside EU/EEA, such controller cannot profit from the one-stop-shop mechanism for cross-border processing and must deal with local SAs in every Member State concerned.[20]
Conflict of competence between supervisory authorities (SAs)
In case of “conflicting views” on which of the SA concerned is the LSA, the EDPB adopts a decision under the dispute resolution mechanism (Article 65(1)(b) GDPR). It seems that the decision on a conflicting view can only be taken within a specific procedure under Article 65(1)(b) GDPR and conflicting views on the LSA cannot be addressed via a reasoned objection within a procedure under Article 65(1)(a) GDPR. In its decision on the dispute resolution mechanism in case Twitter, the EDPB considered “that a disagreement on the competence of the supervisory authority acting as LSA to issue a decision in the specific case should not be raised through an objection pursuant to Article 60(4) GDPR and falls outside of the scope of Article 4(24) GDPR.”[21]
Change of main establishment
GDPR does not address change of main establishment in the course of cooperation and consistency mechanism, the EDPB considers that “the lead competence can switch to another SA until a final decision is made by the LSA”.[22] Thus, its competence is not definite until the very end of the procedure.[23] The EDPB stressed that to prevent “forum shopping”, “SAs should exercise effective control over the notion of main establishment in order to reduce the risk that controllers or processors artificially change their main establishment for the purpose of changing the competent authority to handle the case”.[24] While EDPB guidelines are useful, there are doubts about the chosen solution and its effectiveness.[25] At the same time this solution prevents problems of enforceability of LSA decisions in another Member State, which would emerge if the competence would be linked to the time when the complaint was lodged.
Cross-Border Processing
One of the conditions for triggering the competence of the LSA and the cooperation mechanism of Article 60 GDPR is the existence of a cross-border processing. The definition of cross-border processing is provided by Article 4(23) GDPR which stipulates that such a processing takes place in the context of the activities[26] of either (a) establishments in more than one Member State of a controller or processor in the EU/EEA where the controller or processor is established in more than one Member State; or (b) a single establishment of a controller or processor in the EU/EEA which substantially affects[27] or is likely to substantially affect data subjects in at least one other Member State.
Example: Bike rental company XT has establishments in Hungary, Austria and Slovenia. Decision on processing, e.g. data that is collected, purposes for which it can be used and for how long it is stored, are made in Austria and implemented in every establsihment. Example: Company TX from Checz Republic is providing online services to customers from all over EU/EEA and in for that purpose collecting and storing their data.
On the other hand, the processing by a controller only established in one Member State which substantially only affects the individuals in this Member State will not meet the conditions.
Example: A Polish company, which is a branch of a Swedish company, processes human resources data of its employees alone, the processed data relates only to its employees and any decision about the purposes and means of this processing is taken by the Polish company, e.g. the Human resources policy, and also the servers on which these data are held is in Poland. There is no cross-border processing and Article 56 of the GDPR does not apply in this case.[28]
For more information, please, refer to the commentary to Article 4(23) GDPR.
Main Establishment
(2) Derogation for cases of a local nature
Article 56(2) GDPR introduces an exception (“by derogation”) to the general competence of the SA of the main establishment for cases of cross-border processing under first paragraph ("from paragraph 1"). Article 56(2) GDPR provides that a SA which is not the LSA is to be competent to (a) handle a complaint lodged with it concerning a cross-border processing of personal data or (b) a possible infringement of the GDPR, if the subject matter (i) relates only to an establishment in its own Member State or (ii) substantially affects data subjects only in that Member State. In particular, a case is local in nature if the controller is established in more than one Member State, but the subject matter of the specific processing concerns only processing carried out in a single state and involves only data subjects in that state, for example, where the subject matter concerns the processing of employees' personal data in the specific employment context of a Member State (Recital 127). EDPB adopted Internal EDPB Document 1/2019 on procedural steps to be applied by SAs for handling of cases that potentially relate to cross-border processing and in particularly cases with only local impacts under Article 56.2 GDPR ("EDPB Internal Document").[29]
Example: Due to repeated thefts occurring in a store located in France, of a retail company established in several Member States, the Italian headquarters decides to use video surveillance for the store in France. Since the Italian establishment determines the purposes and means of this monitoring system, this is a cross-border processing and the controller’s main establishment is in Italy. If a French employee (or a customer) lodges a complaint regarding the use of the surveillance-camera with the French SA, the SA may find that this case is of local nature, since no other establishment, except the French, makes use of video-surveillance.[30]
On the contrary, the resolution of a case of video surveillance systems implemented in stores in more than one Member States, as a matter of general policy, which infringes GDPR’s provisions, for example due to allegedly excessive retention period of the video surveillance data, is not only relating to the establishment located in one Member State.[30] According to the EDPB "[t]o be considered as a local case, the actual impact of it should be limited to data subjects residing in the SA’s Member State."[31]
Example: An online retail company sells products that can be delivered throughout EU/EEA. The website provides information about the processing of personal data in many languages used in the EU/EU/EEA. The Islandic linguistic version is incomplete and this language is spoken only in a single Member State Iceland. In this situation, the case could be considered as having only local impacts in the SA’s territory.
If the SA considers that the case is likely to impact individuals in another Member State, it should consider that this is not a local case.
Example: An online order form from a retail company requires that all customers (located in several Member States) provide information that is not necessary to deliver the products. The subject matter of the case as well as the resolution of this case will substantially affect data subjects in several Member States.
Also a case about a cross-border processing that is in line with the GDPR but infringes the national legislation could have only local impacts.
Example: The Italian main establishment of a company decides to implement video-surveillance in each of its establishments. The French national law about video-surveillance in public space provides that the images should not be stored more than one month, and the retention period of data is excessive only according to this national law, the resolution of the case would be only relating to the local establishment and would concern only data subjects in France.[32]
The competence of local SAs in local cases reflects one of the principles of the GDPR, namely the principle of proximity as an important aspect of the protection of individuals rights.[33] Nevertheless, the local SA will handle a case with a subject matter of a local nature only, if the LSA does not decide to handle it (see below).
(3) Involvement of the lead supervisory authority (LSA)
Under Article 56(3) GDPR, in the event of a “local case” under Article 56(2) GDPR, the SA must inform the LSA “without delay” on that matter. The LSA must respond within a period of three weeks whether or not it will handle the case. To make this decision, the (L)SA will take into account of the presence of an establishment of the controller or processor in the Member State of which the SA informed it. The existence of an establishment in the Member State of the local SA is to be taken into account, “in order to ensure effective enforcement of a decision vis-à-vis the controller or processor.”[34] According to the EDPB Internal Document 1/2019 the (L)SA should also take into account whether the case raises a new matter of principle which has not yet been resolved at the European level.[35] In its Internal Document the EDPB clarifies that a matter has been addressed at European level, when it has been decided on the merits, either by the LSA following the cooperation procedure, or by the European Data Protection Board (EDPB) or by the case law of the CJEU or the European Court of Human Rights.[36]
In the event that the LSA does not decide within the three week period whether it will handle the case the local SA can trigger the mutual assistance procedure under Article 61 GDPR, in order to receive an answer from the LSA. Followed by a request to obtaining an opinion from the EDPB under Article 64(2) GDPR, if the LSA does not comply with the obligations for mutual assistance within one month.[37]
(4) Lead supervisory authority (LSA) takes the lead
If the LSA decides to handle the case, the one-stop shop procedure introduced in Article 60 GDPR is triggered. However, the SA which informed the LSA about the subject matter may submit to the LSA a draft for a decision. According to the EDPB Internal Guidelines the LSA must take at most account of that draft, "except where there are specific, overriding reasons preventing it."[38] The local SA remains in a strong position since it can still suggest a draft decision to the LSA, which is in general competent to draw up a draft decisions in accordance with Article 60(3) GDPR.For more information see commentary to Article 60 GDPR.
Paragraphs 4 and 5, in contrast to paragraphs 2 and 3, does not make any reference to local cases. Therefore one possible interpretation of these two paragraphs is, that they do not apply only in local cases but in any cross-border case, where the LSA in fact does not act and does not handle the case as it is obliged to under Article 60 GDPR.[39] This means that the SA where the complaint was lodged is also competent to handle the cross-border case according to Article 61 GDPR and Article 62 GDPR, if the LSA fails to handle the case. (see paragraph 5 below).
(5) Local supervisory authority handles the case
If the LSA decides not to handle a local case, Article 56(5) GDPR provides that the SA which triggered the procedure handles it according to Article 61 GDPR and Article 62 GDPR. Those provisions require the SAs to comply with the rules on mutual assistance and cooperation within the framework of joint operations, in order to ensure effective cooperation between the authorities concerned. EDPB Internal Document 1/2019 forsees that the local SA exercises its full range of powers pursuant to Article 58 GDPR, including the corrective powers. Also, "when the cross-border case is handled “locally”, the LSA is not the sole interlocutor of the controller or processor" as provided for in Article 56(6) GDPR (see below).[40]
Paragraph 5, just as paragraph 4 and contraty to paragraphs 2 and 3, does not in any way refer to local cases it can be argued that it can be applied also in case of inactivity of the LSA. The SA that informed the LSA about the assumed infringement of the GDPR relating to cross-border processing that would require the LSA to handle the case in accordance with procedure prvided in Article 60 GDPR, was obliged to handle it ("shall handle it"), if the LSA failed to do so (see also commentary to paragraph 4 above).
(6) The lead supervisory authority (LSA) as the sole interlocutor of the controller or the processor
Article 56(6) GDPR provides that the LSA is the sole interlocutor of the controller or the processor. That means that, in case of cross-border processing, the communication should exclusively take place with the LSA, to avoid that the controller or processor would have multiple discussions with several SAs. In addition to relief from bureaucratic burdens, the "[e]xclusive contacts with a controller or processor are a means to streamline the procedure."[41]
At the same time, in relation to other CSAs, the LSA "must exercise such competence within a framework of close cooperation with the other supervisory authorities concerned."[42]
Article 56 GDPR does not specify whether the LSA remains the sole interlocutor of the controller or processor where the local SA is handling the case under Article 56(5) GDPR. The EDPB Internal Document 1/2019 suggests that "when the cross-border case is handled “locally”, the LSA is not the sole interlocutor of the controller or processor".[43] However, not all scholars share this view.[44] Some scholars suggest a pragmatic approach to avoid communication issues with the controller or processor.[45]
This provision is not determining data subject's contact point. According to Article 77(1) GDPR, the data subject can contact a SA of his choice when filing a complaint and the SA whit which the complaint was lodged stays his pont of contact throughout the procedure.
Decisions
→ You can find all related decisions in Category:Article 56 GDPR
References
- ↑ The GDPR applies for all states of EEA. This includes all EU member states, Iceland, Liechtenstein and Norway. For more information see Article 1 GDPR.
- ↑ The EDPB Opinion 04/2024 on the notion of main establishment of a controller in the Union under Art. 4.16(a) GDPR is available here.
- ↑ See Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 56 GDPR, p. 917 and 918 (Oxford University Press 2020). See also Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 55 GDPR, margin number 16 (C.H. Beck 2020, 3rd Edition).
- ↑ See, Robert, Les autorités de contrôle dans le nouveau règlement général, in Docquir, Vers un droit européen de la protection des données, margin numbers 57-60 (Larcier, 2017).
- ↑ EDPB Opinion 04/2024 on the notion of main establishment of a controller in the Union under Art. 4.16(a) GDPR, summary and pages 5-11, available here.
- ↑ CJEU, 1 October 2015, Weltimmo, C-230/14, margin number 31 (available here).
- ↑ CJEU, 1 October 2015, Weltimmo, C-230/14, margin number 30 (available here).
- ↑ Tosoni, The EU General Data Protection Regulation (GDPR), Article 4(16) GDPR, p. 235.
- ↑ Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority, version 2.1, paragraph 27, available here.
- ↑ For criteria taken into account by the Irish SA to conclude that Twitter had its main establishment in Ireland; see EDPB, Decision 01/2020 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Twitter International Company under Article 65(1)(a) GDPR, 9 November 2020, margin number 34 (available here).
- ↑ Note that the main establishment is defined for each processing operation. Therefore, there may be several main establishments, for example if the decisions regarding the different processing operations are done by different establishments of the controller. WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 5 (available here).
- ↑ Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority, version 2.1, paragraphs 25 and 26, available here.
- ↑ EDPB, Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority, version 2.1, paragraph 37 (available here). See also Opinion 04/2024 on the notion of main establishment of a controller in the Union under Art. 4.16(a) GDPR, pages 5-11 (available here).
- ↑ Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 56 GDPR, margin number 7 (C.H. Beck 2018).
- ↑ Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 56 GDPR, margin number 8 (C.H. Beck 2018).
- ↑ Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority, version 2.1, Section 2.2, available here.
- ↑ Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority, version 2.1, Section 2.2, available here.
- ↑ EDPB, Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment, 9 July 2019, p. 30 (available here).
- ↑ Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority, version 2.1, Section 2.2, available here.
- ↑ See EDPB Opinion 04/2024 on the notion of main establishment of a controller in the Union under Art. 4.16(a) GDPR, pages 5-11, available here.
- ↑ In this respect, see EDPB, Decision 01/2020 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Twitter International Company under Article 65(1)(a) GDPR, 9 November 2020, margin number 52 (available here).
- ↑ EDPB, Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment, 9 July 2019, p. 30 (available here).
- ↑ Hijmans, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 56, p. 920.
- ↑ EDPB, Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment, 9 July 2019, p. 30 (available here).
- ↑ Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 56 GDPR, pages 920-921 (Oxford University Press 2020).
- ↑ The meaning of “the context of the activities” was already developed by the CJEU. The Court built on a broad definition of “establishment” and held that intending to promote and sell advertising space by an establishment in a Member State of a third country undertaking to make the latter profitable is carried out “in the context of the activities” of that establishment" (CJEU, 13 May 2014, Google Spain, C-131/12 (available here); and CJEU, 1 October 2015, Weltimmo, C-230/14 (available here). The EDPB also confirmed that this notion should not be interpreted too restrictively considering the view to fulfil the objective of ensuring effective and complete protection. See, See EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 7 (available here).
- ↑ The notion of “substantial effect” on data subjects as mentioned by Article 4(23)(b) is not defined in the GDPR. In its guidelines (endorsed by the EDPB), the Working Party 29 considered that the number of affected individuals in several Member States is not decisive. Rather, the Working Party developed a following, non-exhaustive list of criteria that will be taken into account on a case by case basis. The guidelines suggest to take into account the context of the processing, the type of data, the purpose of the processing and other factor factors, such as potential discrimination, reputational damage, impact on the well-being or involvement of special categories of data. See, WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 4 (available here).
- ↑ See Internal EDPB Document 1/2019 on handling cases with only local impacts under Article 56.2 GDPR, version 2.0, page 6, available here.
- ↑ Internal EDPB Document 1/2019 on handling cases with only local impacts under Article 56.2 GDPR, available here.
- ↑ 30.0 30.1 See Internal EDPB Document 1/2019 on handling cases with only local impacts under Article 56.2 GDPR, version 2.0, page 8, available here.
- ↑ See Internal EDPB Document 1/2019 on handling cases with only local impacts under Article 56.2 GDPR, version 2.0, page 9, available here.
- ↑ See Internal EDPB Document 1/2019 on handling cases with only local impacts under Article 56.2 GDPR, version 2.0, page 10, available here.
- ↑ See Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 56 GDPR, margin number 14 (C.H. Beck 2017); and Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 56 GDPR, p. 921 (Oxford University Press 2020).
- ↑ Recital 127.
- ↑ See Internal EDPB Document 1/2019 on handling cases with only local impacts under Article 56.2 GDPR, version 2.0, page 10, available here.
- ↑ See Internal EDPB Document 1/2019 on handling cases with only local impacts under Article 56.2 GDPR, version 2.0, page 13, available here.
- ↑ See Internal EDPB Document 1/2019 on handling cases with only local impacts under Article 56.2 GDPR, version 2.0, page 14, available here.
- ↑ See Internal EDPB Document 1/2019 on handling cases with only local impacts under Article 56.2 GDPR, version 2.0, page 15, available here.
- ↑ xxxx
- ↑ See Internal EDPB Document 1/2019 on handling cases with only local impacts under Article 56.2 GDPR, version 2.0, page 15, available here.
- ↑ Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 56 GDPR, p. 924 (Oxford University Press 2020).
- ↑ CJEU, C-645/19 - Facebook c. APD, paragraph 64, available here.
- ↑ See Internal EDPB Document 1/2019 on handling cases with only local impacts under Article 56.2 GDPR, version 2.0, page 15, available here. See also Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 56 GDPR, margin number 17 (C.H. Beck 2020, 3rd Edition).
- ↑ See for example Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 56 GDPR, margin number 16 (Nomos 2019). See also Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 56 GDPR, p. 924 (Oxford University Press 2020).
- ↑ Hijmans, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 56, p. 92 Hijmans, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 56, p. 924.