Article 56 GDPR
Legal Text
1. Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.
2. By derogation from paragraph 1, each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.
3. In the cases referred to in paragraph 2 of this Article, the supervisory authority shall inform the lead supervisory authority without delay on that matter. Within a period of three weeks after being informed the lead supervisory authority shall decide whether or not it will handle the case in accordance with the procedure provided in Article 60, taking into account whether or not there is an establishment of the controller or processor in the Member State of which the supervisory authority informed it.
4. Where the lead supervisory authority decides to handle the case, the procedure provided in Article 60 shall apply. The supervisory authority which informed the lead supervisory authority may submit to the lead supervisory authority a draft for a decision. The lead supervisory authority shall take utmost account of that draft when preparing the draft decision referred to in Article 60(3).
5. Where the lead supervisory authority decides not to handle the case, the supervisory authority which informed the lead supervisory authority shall handle it according to Articles 61 and 62.
6. The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.
Relevant Recital
Commentary
In cross-border cases (Article 4(23) GDPR), several supervisory authorities (SA) could be competent according to Article 55 GDPR. For this reason, Article 56(1) GDPR establishes a specific mechanism to solve the conflicting competences of the SAs involved and ensure the consistent application of the GDPR (which would otherwise be undermined in case of conflicting decisions on the same subject matter). In particular, the provision identifies a lead supervisory authority (LSA), which is the SA where the controller or the processor have their main establishment or single establishment (Article 4(16) GDPR) in the European Ecnomic Area (EEA). The LSA exercises its powers and performs its tasks in cooperation with the other SAs involved. Under Article 56(2-6) GDPR, the LSA’s competence can be lifted if the cross-border processing at stake has only a local impact. In any event, pursuant to Article 56(6) GDPR, whenever an LSA is validly appointed, it shall be the sole interlocutor of the controller or processor.
EDPB Guidelines: on this Article, please see Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority
Article 56 GDPR makes a direct reference to Article 55 GDPR (Competence), Article 60 GDPR (cooperation between LSE and other SA concerned (CSA)), Article 61 GDPR (mutual assistance) and Article 62 GDPR (joint operations of SAs). Additional provisions that are closely related to Article 56 GDPR are Article 4(7) GDPR (definition of controller), Article 4(8) GDPR (definition of processor), Article 4(16) GDPR (definition of main establishment), Article 4(21) GDPR (definition of SA), Article 4(22) GDPR (definition of SA concerned(CSA)), Article 4(23) GDPR (definition of cross-border processing), Article 57 GDPR (tasks of SAs), Article 58 GDPR (powers of SAs), as well as Article 65 GDPR (dispute resolution by the board), Article 63 GDPR (consistency mechanism), Article 64 GDPR (opinion of the board), Article 66 GDPR (urgency procedure) and Article 67 GDPR (exchange of information).
(1) Designation of the Lead Supervisory Authority (LSA) and the Cooperation Mechanism
Article 55 GDPR confirms the general rule that breaches of data protection law occurring in a given member state are investigated and possibly punished by the independent authority of that member state. However, the processing of personal data often presents transnational features due, for example, to the existence of several establishments of the data controller within the territory of the EEA ("Union"). In such circumstances, the general rule of Article 55 GDPR would require each independent authority to take a position on a certain processing of personal data, with the obvious consequence of possible inconsistencies of application in case of divergent decisions. This would be in contradiction with one of the main objectives of the GDPR, namely to “ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States” (Recital 10 GDPR). In that view, Article 56 GDPR provides for an alternative decision-making procedure under two conditions: (i) the processing is of a cross-border nature, and (ii) the controller or processor has a main establishment or a single establishment in the EEA. Where these conditions are met, Article 56 GDPR, in conjunction with Article 60 GDPR and Article 65 GDPR, assigns part of the powers and tasks originally held by SAs under Article 55 GDPR to the (lead) SA where the main establishment or the single establishment of the controller or processor is located.[1]
Without prejudice to Article 55 GDPR
“Without prejudice to” presents a clarification that the derogation from the rules of Article 55 GDPR, by Article 56(1) with the one-stop-shop mechanism with the LSA, is only partial. First, it is not applicable where processing is carried out by public authorities or private bodies under Article 55(2) GDPR.[2] This can result in several SAs being competent with regard to a cross-border processing activity when a company is processing data to comply with statutory requirements and for commercial purposes.
Example: Spanish telecommunications company Y, with clients from all over Europe and the main establishment in France, is storing phone records for law enforcement purposes and to comply with its contractual obligations. With regard to the processing activities for law enforcement purposes the Spanish SA is the competent SA. For processing activities in the context of contractual services, such as billing, the French SA will act as the LSA.
Second, even if the derogation from Article 55 applies, other SAs concerned are not losing their competences, but are limited in carrying them out. LSA’s competence is not exclusive. In fact, even if the LSA is in charge of directing the investigation and the decision-making process, it is still obliged to ensure dialogue with the other SAs and to take their positions into consideration as a matter of priority. Moreover, LSA’s position on substance is no stronger than that of any other CSA. In case of dispute the consistency mechanism is triggered and EDPB adopts a binding decision under Article 65 GDPR.[3]
Supervisory authority competent to act
Under Article 56(1) GDPR the SA of the main establishment or single establishment of the controller or the processor is (“shall be”) competent to act for cross-border processing of that controller or processor.
Cross-Border Processing
One of the conditions for triggering the competence of the LSA and the cooperation mechanism of Article 60 GDPR is the existence of a cross-border processing. The definition of cross-border processing is provided by Article 4(23) GDPR which stipulates that such a processing takes place in the context of the activities[4] of either (a) establishments in more than one member state of a controller or processor in the EEA (Union) where the controller or processor is established in more than one member state; or (b) a single establishment of a controller or processor in the EEA (Union) but which substantially affects[5] or is likely to substantially affect data subjects in at least one other member state.
Example: Bike rental company XT has establishments in Hungary, Austria and Slovenia and processes customers’ data in Austria. Example: Company TX from Check Republic is providing online services to customers from all over European Union.
On the other hand, the processing by a controller only established in one member state which substantially only affects the individuals in this member state will not meet the conditions.
For detailed information, please, refer to the commentary to Article 4(23) GDPR.
Main Establishment
Establishment
Recital 22 GDPR, following the CJEU ruling in Weltimmo defines “establishment” as “the effective and real exercise of activity through stable arrangements”.[6] The legal form of such arrangements is irrelevant. The presence of only one representative can, in some circumstances.[7] For more details see commentary to Article 4(16) GDPR.
Main establishment
The GDPR introduces separate criteria for the main establishment of a processor and of a controller.
Main establishment of the controller
As a general rule, as per Article 4(16)(a) GDPR, the main establishment of a controller is the place of its central administration in the EEA. This is however a rebuttable presumption, since another establishment can also be the main establishment, according to Article 4(16) GDPR, when the decisions on the purposes and means of the processing of personal data are taken in another establishment in the EEA and the latter establishment has the power to have such decisions implemented.
For more information, see commentary on Article 4(16) GDPR and EDPB Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority.
Main establishment of the processor
The main establishment of a processor with establishments in more than one member state is the place of its central administration. In cases where the processor has no central administration in the EEA, the GDPR provides that its main establishment is the place where the main processing activities take place in the EEA (i) in the context of the activities of an establishment of the processor and (ii) to the extent that the processor is subject to specific obligations under the GDPR. The first qualification “implies that the processing of personal data does not need to be carried out 'by' the relevant establishment itself, rather that it is sufficient if the processing is carried out 'in the context of the activities' of the establishment."[8] The second qualification confirms the scope of application of the GDPR to processors.
For more information, refer to commentary on Article 4(16) GDPR and EDPB Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority.
Identifying the lead seupervisory authority (LSA)
If a controller or a processor has establishments in more than one member state, identifying its “main establishment” is the first step to recognize the LSA in a cross-border processing.[9] The EDPB stresses that the GDPR does not allow “forum shopping”. It is a role of the SAs to properly define the main establishment according to objective criteria and subsequently determine the LSA. The conclusion of the location of the main establishment cannot be based only on a statement of the organisation under review. According to the EDPB Guidelines 8/2022, “The burden of proof ultimately falls on controllers and processors to demonstrate to the relevant supervisory authorities where the relevant processing decisions are taken and where there is the power to implement such decisions. (...) The lead supervisory authority, or concerned authorities, can rebut the controller's analysis based on an objective examination of the relevant facts, requesting further information where required.”[10] The designation of one of several establishments in different member states as the main establishment in the organizational chart is not sufficient to establish the LSA competence under Article 65(1) GDPR.[11]
Example: Company X has designated a mailbox company in Estonia as main establishment, while all decisions regarding cross-border processing are made and enforced by its establishment located in France. The LSA is the French SA and not the Estonian SA.
It is always the SA which determines where the main establishment of the controller is located. The EDPB developed a following, not exhaustive list of questions to determine a controller’s main establishment: Where are decisions about the purposes and means of the processing given final “sign off”? Where are decisions about business activities that involve data processing made? Where does the power to have decisions implemented effectively lie? Where is the Director (or Directors) with overall management responsibility for the cross border processing located? Where is the controller or processor registered as a company, if in a single territory?”.[12] The main establishment is being determined for each cross-border processing activity separately. This means that if different establishments are in charge of making decisions about different categories of cross-border processing and enforcing them, for example one for processing of customers’ data and another for employees’ data, the competence of different LSAs is implied.
Example: Bike rental company XT has establishments in Hungary, Austria and Slovenia and processed customer data in Austria and employees’ data in Slovenia.
Companies can avoid situations leading to competence of different LSAs for different categories of cross-border processing by putting one undertaking in charge of all decisions that are of data-protection relevance.[13]
Group undertakings
In the case of a group of undertaking with a headquarter in the EU, the main establishment will be presumed to be the decision-making center relating to the processing of personal data.[14] However, if the decisions relating to the processing are taken by another establishment of the controller in the Union, the latter should be considered the main establishment.[15] Some difficulties may arise when none of the EU establishments are making decisions about the processing (even with a headquarter in the EU). In such a case, significantly called “borderline cases” by the Article 29 Working Party,[16] the GDPR does not provide for a clear answer. While the GDPR wants to encourage the non EU controller to be established in the EU to benefit from the one-stop shop, forum shopping should be avoided and it would be too easy to pretend that decision-making is made in the EU while the decisions are actually taken in another establishment outside of the EU. The idea of the one-stop shop is to provide a single SA as interlocutor for the controller and to facilitate the dialogue with the main establishment making the decisions on the processing. However, the conclusion of the location of the main establishment cannot be based only on a statement of the organisation under review.[17]
In case of “conflicting views” on which of the SA concerned is the LSA, the EDPB can adopt a decision under the dispute resolution mechanism according to Article 65(1)(b) GDPR. However, in its decision on the dispute resolution mechanism regarding the case of Twitter, the EDPB considered “that a disagreement on the competence of the supervisory authority acting as LSA to issue a decision in the specific case should not be raised through an objection pursuant to Article 60(4) GDPR and falls outside of the scope of Article 4(24) GDPR.”[18] Consequently, it seems that the decision on a conflicting view can only be taken within a specific procedure under Article 65(1)(b) GDPR and that conflicting views on the LSA cannot be addressed via a reasoned objection within a procedure under Article 65(1)(a) GDPR.
In case of change of main establishment in the course of a cooperation between the SAs, the EDPB considers that “the lead competence can switch to another SA until a final decision is made by the LSA”.[19] Consequently, its competence is not definite until the very end of the procedure.[20] The EDPB stressed that to prevent “forum shopping”, “SAs should exercise effective control over the notion of main establishment in order to reduce the risk that controllers or processors artificially change their main establishment for the purpose of changing the competent authority to handle the case”.[21]
(2)-(5) Data Processing Relating Only to one Member State
Article 56(2) GDPR introduces an exception to the general competence of the SA of the main establishment. Article 56(2) GDPR provides that a SA which is not the LSA is to be competent to handle a complaint lodged with it concerning a cross-border processing of personal data or a possible infringement of that regulation, if the subject matter (i) relates only to an establishment in its own Member State or (ii) substantially affects data subjects only in that Member State. While the intention of the legislator seems to give a clear preference for local cases to be handled by the local SA, the text of the provisions is confusing and not clear.[22]
Under Article 56(3) GDPR, in the event of a “local case” under Article 56(2) GDPR, the SA should inform the LSA “without delay” on that matter. The LSA shall respond within a period of three weeks whether or not it will handle the case. To make this decision, the lead SA will take into account of the presence of an establishment of the controller or processor in the Member State of which the SA informed it. However, it is not clear how this provision shall apply in practice.
If the LSA decides to handle the case, the one-stop shop procedure introduced in Article 60 GDPR is triggered. However, the SA which informed the LSA about the subject matter may submit to the LSA a draft for a decision and the LSA shall take utmost account of that draft (Article 56(4)). The local SA remains in a strong position since it can still suggest a draft decision to the LSA, which is in general competent to issue such decisions. Article 56(2) GDPR does not provide any mechanism similar to Article 65(1) GDPR, according to which the EDPB can decide in case of conflicting views on the LSA.
Finally, if the LSA decides not to handle the case, Article 56(5) GDPR provides that the SA which raised the exception shall handle it according to Articles 61, 62 GDPR. Those provisions require the SAs to comply with the rules on mutual assistance and cooperation within the framework of joint operations, in order to ensure effective cooperation between the authorities concerned.
EDPB Guidelines: on this provision, please see Guidelines 06/2022 for the practical application of the amicable settlement
(6) The Lead SA as the Sole Interlocutor of the Controller or the Processor
Article 56(6) GDPR provides that the LSA will remain the sole interlocutor of the controller or the processor. That means that the communication should exclusively take place with the LSA, to avoid that the controller or processor would have multiple discussions with several SAs. However, while the competence as a general rule of the LSA is confirmed in Article 56(6) GDPR, “that authority must exercise such competence within a framework of close cooperation with the other supervisory authorities concerned. In particular, the lead supervisory authority cannot, in the exercise of its competences, as stated in paragraph 53 of the present judgment, eschew essential dialogue with and sincere and effective cooperation with the other supervisory authorities concerned”.[23] Article 56 GDPR does not specify whether the LSA remains the sole interlocutor of the controller or processor where the local SA is handling the case under Article 56(5) GDPR. A pragmatic approach would definitively avoid communication issues with the controller or processor.[24]
Decisions
→ You can find all related decisions in Category:Article 56 GDPR
References
- ↑ This is a genuine derogation from the general rules of Article 55 GDPR which, however, is partial in nature. In the first place, the GDPR itself provides for hypotheses in which the derogation itself is not applicable as provided for in the case of urgency under Article 66 (CJEU, 15 June 2021, Facebook Ireland and Others, C-645/19, margin number 58 f. (available here), or where processing is carried out by public authorities or private bodies under Article 55(2) GDPR. See, Robert, Les autorités de contrôle dans le nouveau règlement général, in Docquir, Vers un droit européen de la protection des données, margin numbers 57-60 (Larcier, 2017). Secondly, even if the derogation applies, the transfer of competencies is not total. In fact, even if the LSA is in charge of directing the investigation and the decision-making process, it is still obliged to ensure dialogue with the other SAs and to take their positions into consideration as a matter of priority.
- ↑ See, Robert, Les autorités de contrôle dans le nouveau règlement général, in Docquir, Vers un droit européen de la protection des données, margin numbers 57-60 (Larcier, 2017).
- ↑ See Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 56 GDPR, p. 917 and 918 (Oxford University Press 2020). See also Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 55 GDPR, margin number 16 (C.H. Beck 2020, 3rd Edition).
- ↑ The meaning of “the context of the activities” was already developed by the CJEU. The Court built on a broad definition of “establishment” and held that intending to promote and sell advertising space by an establishment in a Member State of a third country undertaking to make the latter profitable is carried out “in the context of the activities” of that establishment" (CJEU, 13 May 2014, Google Spain, C-131/12 (available here); and CJEU, 1 October 2015, Weltimmo, C-230/14 (available here). The EDPB also confirmed that this notion should not be interpreted too restrictively considering the view to fulfil the objective of ensuring effective and complete protection. See, See EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 7 (available here).
- ↑ The notion of “substantial effect” on data subjects as mentioned by Article 4(23)(b) is not defined in the GDPR. In its guidelines (endorsed by the EDPB), the Working Party 29 considered that the number of affected individuals in several Member States is not decisive. Rather, the Working Party developed a following, non-exhaustive list of criteria that will be taken into account on a case by case basis. The guidelines suggest to take into account the context of the processing, the type of data, the purpose of the processing and other factor factors, such as potential discrimination, reputational damage, impact on the well-being or involvement of special categories of data. See, WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 4 (available here).
- ↑ CJEU, 1 October 2015, Weltimmo, C-230/14, margin number 31 (available here).
- ↑ CJEU, 1 October 2015, Weltimmo, C-230/14, margin number 30 (available here).
- ↑ Tosoni, The EU General Data Protection Regulation (GDPR), Article 4(16) GDPR, p. 235.
- ↑ Note that the main establishment is defined for each processing operation. Therefore, there may be several main establishments, for example if the decisions regarding the different processing operations are done by different establishments of the controller. WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 5 (available here).
- ↑ EDPB, Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority, version 2.1, paragraph 37 (available here).
- ↑ Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 56 GDPR, margin number 7 (C.H. Beck 2018).
- ↑ Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority, version 2.1, paragraphs 25 and 26, available here.
- ↑ Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 56 GDPR, margin number 8 (C.H. Beck 2018).
- ↑ WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 7 (available here).
- ↑ For criteria taken into account by the Irish SA to conclude that Twitter had its main establishment in Ireland; see EDPB, Decision 01/2020 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Twitter International Company under Article 65(1)(a) GDPR, 9 November 2020, margin number 34 (available here).
- ↑ WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 8 (available here).
- ↑ WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 8 (available here).
- ↑ In this respect, see EDPB, Decision 01/2020 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Twitter International Company under Article 65(1)(a) GDPR, 9 November 2020, margin number 52 (available here).
- ↑ EDPB, Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment, 9 July 2019, p. 30 (available here).
- ↑ Hijmans, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 56, p. 920.
- ↑ EDPB, Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment, 9 July 2019, p. 30 (available here).
- ↑ Hijmans, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 56, p. 921-923.
- ↑ CJEU, 15 June 2021, Facebook c. APD, C-645/19, § 64.
- ↑ Hijmans, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 56, p. 92 Hijmans, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 56, p. 924.