Article 56 GDPR: Difference between revisions

Revision as of 16:33, 11 March 2022

← Article 56 - Competence of the lead supervisory authority →

Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article 3: Territorial scope Article 4: Definitions Chapter 2: Principles Article 5: Principles relating to processing of personal data Article 6: Lawfulness of processing Article 7: Conditions for consent Article 8: Conditions applicable to child’s consent in relation to information society services Article 9: Processing of special categories of personal data Article 10: Processing of personal data relating to criminal convictions and offences Article 11: Processing which does not require identification Chapter 3: Rights of the data subject Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject Article 13: Information to be provided where personal data are collected from the data subject Article 14: Information to be provided where personal data have not been obtained from the data subject Article 15: Right of access by the data subject Article 16: Right to rectification Article 17: Right to erasure (‘right to be forgotten’) Article 18: Right to restriction of processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing Article 20: Right to data portability Article 21: Right to object Article 22: Automated individual decision-making, including profiling Article 23: Restrictions Chapter 4: Controller and processor Article 24: Responsibility of the controller Article 25: Data protection by design and by default Article 26: Joint controllers Article 27: Representatives of controllers or processors not established in the Union Article 28: Processor Article 29: Processing under the authority of the controller or processor Article 30: Records of processing activities Article 31: Cooperation with the supervisory authority Article 32: Security of processing Article 33: Notification of a personal data breach to the supervisory authority Article 34: Communication of a personal data breach to the data subject Article 35: Data protection impact assessment Article 36: Prior consultation Article 37: Designation of the data protection officer Article 38: Position of the data protection officer Article 39: Tasks of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Chapter 5: Transfers of personal data Article 44: General principle for transfers Article 45: Transfers on the basis of an adequacy decision Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 48: Transfers or disclosures not authorised by Union law Article 49: Derogations for specific situations Article 50: International cooperation for the protection of personal data Chapter 6: Supervisory authorities Article 51: Supervisory authority Article 52: Independence Article 53: General conditions for the members of the supervisory authority Article 54: Rules on the establishment of the supervisory authority Article 55: Competence Article 56: Competence of the lead supervisory authority Article 57: Tasks Article 58: Powers Article 59: Activity reports Chapter 7: Cooperation and consistency Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint operations of supervisory authorities Article 63: Consistency mechanism Article 64: Opinion of the Board Article 65: Dispute resolution by the Board Article 66: Urgency procedure Article 67: Exchange of information Article 68: European Data Protection Board Article 69: Independence Article 70: Tasks of the Board Article 71: Reports Article 72: Procedure Article 73: Chair Article 74: Tasks of the Chair Article 75: Secretariat Article 76: Confidentiality Chapter 8: Remedies, liability and penalties Article 77: Right to lodge a complaint with a supervisory authority Article 78: Right to an effective judicial remedy against a supervisory authority Article 79: Right to an effective judicial remedy against a controller or processor Article 80: Representation of data subjects Article 81: Suspension of proceedings Article 82: Right to compensation and liability Article 83: General conditions for imposing administrative fines Article 84: Penalties Chapter 9: Specific processing situations Article 85: Processing and freedom of expression and information Article 86: Processing and public access to official documents Article 87: Processing of the national identification number Article 88: Processing in the context of employment Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Article 90: Obligations of secrecy Article 91: Existing data protection rules of churches and religious associations Chapter 10: Delegated and implementing acts Article 92: Exercise of the delegation Article 93: Committee procedure Chapter 11: Final provisions Article 94: Repeal of Directive 95: /46: /EC Article 95: Relationship with Directive 20: 02: /58: /EC Article 96: Relationship with previously concluded Agreements Article 97: Commission reports Article 98: Review of other Union legal acts on data protection Article 99: Entry into force and application

Legal Text

Article 56 - Competence of the lead supervisory authority

1. Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.

2. By derogation from paragraph 1, each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.

3. In the cases referred to in paragraph 2 of this Article, the supervisory authority shall inform the lead supervisory authority without delay on that matter. Within a period of three weeks after being informed the lead supervisory authority shall decide whether or not it will handle the case in accordance with the procedure provided in Article 60, taking into account whether or not there is an establishment of the controller or processor in the Member State of which the supervisory authority informed it.

4. Where the lead supervisory authority decides to handle the case, the procedure provided in Article 60 shall apply. The supervisory authority which informed the lead supervisory authority may submit to the lead supervisory authority a draft for a decision. The lead supervisory authority shall take utmost account of that draft when preparing the draft decision referred to in Article 60(3).

5. Where the lead supervisory authority decides not to handle the case, the supervisory authority which informed the lead supervisory authority shall handle it according to Articles 61 and 62.

6. The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.

Relevant Recital

Recital 36: Determination of the Main Establishment

The main establishment of a controller in the Union should be the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union, in which case that other establishment should be considered to be the main establishment. The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements. That criterion should not depend on whether the processing of personal data is carried out at that location. The presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute a main establishment and are therefore not determining criteria for a main establishment. The main establishment of the processor should be the place of its central administration in the Union or, if it has no central administration in the Union, the place where the main processing activities take place in the Union. In cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment, but the supervisory authority of the processor should be considered to be a supervisory authority concerned and that supervisory authority should participate in the cooperation procedure provided for by this Regulation. In any case, the supervisory authorities of the Member State or Member States where the processor has one or more establishments should not be considered to be supervisory authorities concerned where the draft decision concerns only the controller. Where the processing is carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered to be the main establishment of the group of undertakings, except where the purposes and means of processing are determined by another undertaking.

Recital 124: Lead Supervisory Authority and Cooperation

Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union and the controller or processor is established in more than one Member State, or where processing taking place in the context of the activities of a single establishment of a controller or processor in the Union substantially affects or is likely to substantially affect data subjects in more than one Member State, the supervisory authority for the main establishment of the controller or processor or for the single establishment of the controller or processor should act as lead authority. It should cooperate with the other authorities concerned, because the controller or processor has an establishment on the territory of their Member State, because data subjects residing on their territory are substantially affected, or because a complaint has been lodged with them. Also where a data subject not residing in that Member State has lodged a complaint, the supervisory authority with which such complaint has been lodged should also be a supervisory authority concerned. Within its tasks to issue guidelines on any question covering the application of this Regulation, the Board should be able to issue guidelines in particular on the criteria to be taken into account in order to ascertain whether the processing in question substantially affects data subjects in more than one Member State and on what constitutes a relevant and reasoned objection.

Recital 125: Competences of the Lead Supervisory Authority

The lead authority should be competent to adopt binding decisions regarding measures applying the powers conferred on it in accordance with this Regulation. In its capacity as lead authority, the supervisory authority should closely involve and coordinate the supervisory authorities concerned in the decision-making process. Where the decision is to reject the complaint by the data subject in whole or in part, that decision should be adopted by the supervisory authority with which the complaint has been lodged.

Recital 126: Joint Decision and Enforcement

The decision should be agreed jointly by the lead supervisory authority and the supervisory authorities concerned and should be directed towards the main or single establishment of the controller or processor and be binding on the controller and processor. The controller or processor should take the necessary measures to ensure compliance with this Regulation and the implementation of the decision notified by the lead supervisory authority to the main establishment of the controller or processor as regards the processing activities in the Union.

Recital 127: Joint Operations Regarding Local Processing

Each supervisory authority not acting as the lead supervisory authority should be competent to handle local cases where the controller or processor is established in more than one Member State, but the subject matter of the specific processing concerns only processing carried out in a single Member State and involves only data subjects in that single Member State, for example, where the subject matter concerns the processing of employees' personal data in the specific employment context of a Member State. In such cases, the supervisory authority should inform the lead supervisory authority without delay about the matter. After being informed, the lead supervisory authority should decide, whether it will handle the case pursuant to the provision on cooperation between the lead supervisory authority and other supervisory authorities concerned (‘one-stop-shop mechanism’), or whether the supervisory authority which informed it should handle the case at local level. When deciding whether it will handle the case, the lead supervisory authority should take into account whether there is an establishment of the controller or processor in the Member State of the supervisory authority which informed it in order to ensure effective enforcement of a decision vis-à-vis the controller or processor. Where the lead supervisory authority decides to handle the case, the supervisory authority which informed it should have the possibility to submit a draft for a decision, of which the lead supervisory authority should take utmost account when preparing its draft decision in that one-stop-shop mechanism.

Recital 128: No Lead Supervisory Authority for Processing Carried Out by Public Authorities or Private Bodies in the Public Interest

The rules on the lead supervisory authority and the one-stop-shop mechanism should not apply where the processing is carried out by public authorities or private bodies in the public interest. In such cases the only supervisory authority competent to exercise the powers conferred to it in accordance with this Regulation should be the supervisory authority of the Member State where the public authority or private body is established.

Commentary

In cross-border cases (Article 4(23) GDPR), all SAs could potentially be competent according to Article 55 GDPR. For this reason, Article 56(1) GDPR establishes a specific mechanism to solve the conflicting competences of the SAs involved. In particular, the provision identifies a lead supervisory authority ("LSA"), which is the SA where the controller or the processor have their main establishment (Article 4(16) GDPR). The LSA exercises its powers and performs its tasks in cooperation with the other SAs involved. Under Article 56(2-6) GDPR the LSA's competence can be lifted if the cross-border processing at stake has only a local impact. In any event, pursuant to Article 56(6) GDPR, whenever an LSA is validly appointed, it shall be the sole interlocutor of the controller or processor.

(1) Designation of the Lead SA and The Cooperation Mechanism

As mentioned above, Article 55 GDPR confirms the general rule that breaches of data protection law occurring in a given Member State are investigated and possibly punished by the independent authority of that Member State. However, the processing of personal data often presents transnational features due, for example, to the existence of several establishments of the data controller within the territory of the Union. In such circumstances, the general rule of Article 55 would require each independent authority to take a position on a certain processing of personal data, with the obvious consequence of possible inconsistencies of application in case of divergent decisions. This would be in contradiction with one of the main objectives of the GDPR, namely to "ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States" (Recital 10). In that view, Article 56 provides for an alternative decision-making procedure under two conditions: (i) the processing is of a cross-border nature, and (ii) the controller or processor has a main establishment in the EU. Where these conditions are met, Article 56 transfers part of the powers and tasks originally assigned to the (lead) SA where the main establishment of the controller or processor is located.^[1]

Cross-Border Processing

According to the wording of Article 56(1) GDPR, one of the conditions for triggering the the competence of the lead SA and the cooperation mechanism of Article 60 GDPR is the existence of a cross-border processing. The definition of cross-border processing is provided by Article 4(23) GDPR which stipulates that such a processing takes place in the context of the activities^[2] of either (a) establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) a single establishment of a controller or processor in the Union but which substantially affects^[3] or is likely to substantially affect data subjects in more than one Member State. In other words, the processing by a controller only established in one Member State which substantially only affects the individuals in this Member State will not meet the condition. one-stop-shop procedure under Article. In all other cases, the processing shall be considered as cross-border, if there is at least one establishment of the controller in the EU and if the activities of this establishment are linked to the processing at stake.

Main Establishment

Recital 22 GDPR, following the CJEU ruling in Weltimmo defines “establishment” as “the effective and real exercise of activity through stable arrangements”.^[4] The legal form of such arrangements is irrelevant. As the Court further specified, the presence of only one representative can, in some circumstances, suffice to constitute a stable arrangement if that representative acts with a sufficient degree of stability through the presence of the necessary equipment for provision of the specific services concerned in the Member State in question.^[5] The GDPR introduces separate criteria for the main establishment of a processor and of a controller.

Main Establishment of the Controller

As a general rule, as per Article 4(16)(a) GDPR, the main establishment of a controller is the place of its central administration in the Union. This is however a rebuttable presumption, since another establishment can also be the main establishment, according to Article 4(16) GDPR, when “the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment”. In other words, in order to determine the main establishment of a controller, it is necessary to first find its place of central administration – “the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented”.^[6] If a controller’s main establishment is not the place of its central administration in the EU, it is necessary to identify the establishment where “the effective and real exercise of management activities that determine main decisions as to the purposes and means of processing through stable arrangements, take place”.^[7] The presence and use of technical means and technologies for processing personal data or processing activities do not in themselves, constitute a main establishment and are therefore not determining criteria for a main establishment. See Recital 36 GDPR.

Main Establishment of the Processor

Similarly to provisions of Article 4(16)(a) GDPR regarding the controller, a main establishment of a processor with establishments in more than one Member State is a place of its central administration. If cases where the processor has no central administration in the Union, the GDPR provides a different alternative than the one applicable to the controller: if the processor does not have a central administration in the Union, its main establishment is the place where the main processing activities take place in the Union (i) in the context of the activities of an establishment of the processor take place and (ii) to the extent that the processor is subject to specific obligations under this Regulation. As Tosoni argues, it introduces two qualifications: the first one “implies that the processing of personal data does not need to be carried out 'by' the relevant establishment itself, rather that it is sufficient if the processing is carried out 'in the context of the activities' of the establishment, and the second confirming the scope of application of the GDPR to processors.^[8]

Other Cases

In cases involving both the controller and the processor, the competent lead SA remains the SA of the controller, if there is one. In such a case, the SA of the processor will be a concerned SA as per Article 4(22) GDPR. However, this is not the case if the draft decision concerns only the controller. See Recital 36 GDPR. In cases where the processor is acting for several controllers, it may then be subject to the competence of several SAs.^[9]

The GDPR does not address the situation of joint controllership and does not define specific criteria to determine the lead SA. However, according to Article 26(1) GDPR, the controllers shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation. The Article 29 Working Party considers that agreement between the controller could designate the establishment having the power to implement decisions about the processing with respect to the joint controllership.^[10] This could also be supported by the wording of Recital 79 GDPR, which implies that the agreement regarding the allocation of responsibilities among controllers should also concern the monitoring and the measures of the SAs. However, this seems in contradiction with the aim expressed by the EDPB to avoid forum shopping.^[11]

Identifying the LSA

If a controller or a processor has establishments in more than one Member States, identifying its “main establishment” is the first step to recognize the lead supervisory authority in a cross-border processing.^[12]

The Article 29 Working Party stressed that the GDPR does not allow “forum shopping”. It is a role of the SAs to properly define the main establishment of a controller according to objective criteria and subsequently determine the lead authority. According to the A29WP guidelines, “conclusions cannot be based solely on statements by the organisation under review. The burden of proof ultimately falls on controllers and processors to demonstrate to the relevant supervisory authorities where the relevant processing decisions are taken and where there is the power to implement such decisions. (...) The lead supervisory authority, or concerned authorities, can rebut the controller's analysis based on an objective examination of the relevant facts, requesting further information where required.”^[13]

The Article 29 Working Party developed a following, not exhaustive list of questions to determine a controller’s main establishment: Where are decisions about the purposes and means of the processing given final “sign off”? Where are decisions about business activities that involve data processing made? Where does the power to have decisions implemented effectively lie? Where is the Director (or Directors) with overall management responsibility for the cross border processing located? Where is the controller or processor registered as a company, if in a single territory?”.^[14] It will indeed always be the SA which should determine where is the main establishment of the controller, who always bear the burden of proof to show evidence that the relevant decisions are taken. The SA can object to the analysis of the controller on the basis of an objective examination of the relevant facts, and on the basis of further information requested to the controller.^[15]

In the case of a group of undertaking with a headquarter in the EU, the main establishment will be presumed to the decision-making center relating to the processing of personal data.^[16] However, if the decisions relating to the processing are taken by another establishment of the controller in the Union, the later should be considered the main establishment.^[17] Some difficulties may arise when none of the EU establishments are taking decisions about the processing (even with a headquarter in the EU). In such a case, significantly called “borderline cases” by the Article 29 Working Party^[18], the GDPR does not provide for a clear answer. While the GDPR wants to encourage the non EU controller to be established in the EU to benefit from the one-stop-shop, forum shopping should be avoided and it would be too easy to pretend that decision-making is made in the EU while the decisions are actually taken in another establishment outside of the EU. The idea of the one-shop-shop is to provide a single SA as interlocutor for the controller and to facilitate the dialogue with the main establishment taking the decisions on the processing. However, the conclusion of the location of the main establishment cannot be based only on a statement of the organisation under review.^[19]

In case of “conflicting views” on which of the SA concerned is the lead SA, the EDPB can adopt a decision under the dispute resolution mechanism according to Article 65(1)(b) GDPR. However, in its decision on dispute resolution mechanism regarding the case of Twitter, the EDPB considered “that a disagreement on the competence of the supervisory authority acting as LSA to issue a decision in the specific case should not be raised through an objection pursuant to Article 60(4) GDPR and falls outside of the scope of Article 4(24) GDPR.^[20] It seems therefore that the decision on a conflicting view can only be taken within a specific procedure under Article 65(1)(b) GDPR and that conflicting views on the lead SA cannot be addressed via a reasoned objection within a procedure under Article 65(1)(a) GDPR.

In case of change of main establishment in the course of a cooperation between the SAs, the EDPB considers that “the lead competence can switch to another SA until a final decision is made by the LSA”.^[21] Consequently, its competence is not definite until the very end of the procedure.^[22] The EDPB stressed that to prevent “forum shopping”, “SAs should exercise effective control over the notion of main establishment in order to reduce the risk that controllers or processors artificially change their main establishment for the purpose of changing the competent authority to handle the case”.^[23]

(2)-(5) Data Processing Relating Only to one Member State

Article 56(2) GDPR introduces an exception to the general competence of the SA of the main establishment. Article 56 GDPR which provides that a supervisory authority which is not the lead supervisory authority is to be competent to handle a complaint lodged with it concerning a cross-border processing of personal data or a possible infringement of that regulation, if the subject matter (i) relates only to an establishment in its own Member State or (ii) substantially affects data subjects only in that Member State. While the intention of the legislator seems to give a clear preference for local cases to be handled by the local SA, the text of the provisions is confusing and not clear.^[24]

Under Article 56(3) GDPR, in the event of a “local case” under Article 56(2) GDPR, the supervisory authority should inform the lead SA “without delay” on that matter. The lead SA shall respond within a period of three weeks whether or not it will handle the case. Article 56(3) GDPR To take this decision, the lead SA will take into account of the presence of an establishment of the controller or processor in the Member State of which the SA informed it. it is however not clear how this provisions shall apply in practice.

If the lead SA decides to handle the case, then the one-stop-shop procedure introduced in Article 60 GDPR is triggered. However, the supervisory authority which informed the lead SA about the subject matter may submit to the LSA a draft for a decision and the LSA shall take utmost account of that draft (Article 56(4)). The local SA remains in a strong position since it can still suggest a draft decision to the lead SA, which is in general competent to issue such decisions. Article 56(2) does not provide any mechanism similar to Article 65(1) GDPR, according to which the EDPB can decide in case of conflicting views on the lead SA.

Finally, if the LSA decides not to handle the case, Article 56(5) GDPR provides that the supervisory authority which raised the exception shall handle it according to Articles 61, 62 GDPR those provisions requiring the supervisory authorities to comply with the rules on mutual assistance and cooperation within the framework of joint operations, in order to ensure effective cooperation between the authorities concerned.

(6) The Lead SA as the Sole Interlocutor of the Controller or the Processor

Article 56(6) GDPR provides that the lead SA will remain the sole interlocutor of the controller or the processor. That means that the communication should exclusively take place with the lead SA, to avoid that the controller or processor would have multiple discussions with several SAs. However, while the competence as a general rule of the lead supervisory authority is confirmed in Article 56(6) GDPR, “that authority must exercise such competence within a framework of close cooperation with the other supervisory authorities concerned. In particular, the lead supervisory authority cannot, in the exercise of its competences, as stated in paragraph 53 of the present judgment, eschew essential dialogue with and sincere and effective cooperation with the other supervisory authorities concerned”.^[25] Article 56 GDPR does not specify whether lead SA remains the sole interlocutor of the controller or processor where the local SA is handling the case under Article 56(5) GDPR. A pragmatic approach would definitively avoid communication issues with the controller or processor.^[26]

Decisions

→ You can find all related decisions in Category:Article 56 GDPR

References

↑ This is a genuine derogation from the general rules of Article 55 which, however, is partial in nature. In the first place, in fact, the GDPR itself provides for hypotheses in which the derogation itself is not applicable as provided for in the case of urgency under Article 66 (CJEU, 15 June 2021, Facebook Ireland and Others, C-645/19, margin number 58 f. (available here), or where processing is carried out by public authorities or private bodies under Article 55(2) GDPR. See, Robert, Les autorités de contrôle dans le nouveau règlement général, in Docquir, Vers un droit européen de la protection des données, margin numbers 57-60 (Larcier, 2017). Secondly, even if the derogation applies, the transfer of competencies is not total. As we will see below, in fact, even if the LSA is in charge of directing the investigation and decision-making process, it is still obliged to ensure dialogue with the other SAs and to take their positions into consideration as a matter of priority.
↑ The meaning of “the context of the activities” was already developed by the CJEU. The Court built on a broad definition of “establishment” and held that intending to promote and sell advertising space by an establishment in a Member State of a third country undertaking to make the latter profitable is carried out “in the context of the activities” of that establishment" (CJEU, 13 May 2014, Google Spain, C-131/12 (available here); and CJEU, 1 October 2015, Weltimmo, C-230/14 (available here). The EDPB also confirmed that this notion should not be interpreted too restrictively considering the view to fulfil the objective of ensuring effective and complete protection. See, See EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 7 (available here).
↑ The notion of “substantial effect” on data subjects as mentioned by Article 4(23)(b) is not defined in the GDPR. In its guidelines (endorsed by the EDPB), the Working Party 29 considered that the number of affected individuals in several Member States is not decisive. Rather, the Working Party developed a following, non-exhaustive list of criteria that will be taken into account on a case by case basis. The guidelines suggest to take into account the context of the processing, the type of data, the purpose of the processing and other factor factors, such as potential discrimination, reputational damage, impact on the well-being or involvement of special categories of data. See, WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 4 (available here).
↑ CJEU, 1 October 2015, Weltimmo, C-230/14, margin number 31 (available here).
↑ CJEU, 1 October 2015, Weltimmo, C-230/14, margin number 30 (available here).
↑ WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 5 (available here).
↑ WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 6 (available here).
↑ Tosoni, The EU General Data Protection Regulation (GDPR), Article 4(16) GDPR, p. 235.
↑ WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 9 (available here).
↑ WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 8 (available here).
↑ EDPB, Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment, 9 July 2019, p. 30 (available here).
↑ Note that the main establishment is defined for each processing operation. Therefore, there may be several main establishments, for example if the decisions regarding the different processing operations are done by different establishments of the controller. WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 5 (available here).
↑ WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 7 (available here).
↑ Article 29 Working Party, Guidelines for identifying a controller or processor’s lead supervisory authority, adopted on 13 December 2016, as last revised and adopted on 5 April 2017, WP 244 rev.01, p. 7, section 2.1.1
↑ WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 8 (available here).
↑ WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 7 (available here).
↑ For criteria taken into account by the Irish SA to conclude that Twitter had its main establishment in Ireland; see EDPB, Decision 01/2020 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Twitter International Company under Article 65(1)(a) GDPR, 9 November 2020, margin number 34 (available here).
↑ WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 8 (available here).
↑ WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 8 (available here).
↑ In this respect, see EDPB, Decision 01/2020 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Twitter International Company under Article 65(1)(a) GDPR, 9 November 2020, margin number 52 (available here).
↑ EDPB, Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment, 9 July 2019, p. 30 (available here).
↑ Hijmans, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 56, p. 920.
↑ EDPB, Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment, 9 July 2019, p. 30 (available here).
↑ Hijmans, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 56, p. 921-923.
↑ CJEU, 15 June 2021, Facebook c. APD, C-645/19, § 64.
↑ Hijmans, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 56, p. 924.

[1] This is a genuine derogation from the general rules of Article 55 which, however, is partial in nature. In the first place, in fact, the GDPR itself provides for hypotheses in which the derogation itself is not applicable as provided for in the case of urgency under Article 66 (CJEU, 15 June 2021, Facebook Ireland and Others, C-645/19, margin number 58 f. (available here), or where processing is carried out by public authorities or private bodies under Article 55(2) GDPR. See, Robert, Les autorités de contrôle dans le nouveau règlement général, in Docquir, Vers un droit européen de la protection des données, margin numbers 57-60 (Larcier, 2017). Secondly, even if the derogation applies, the transfer of competencies is not total. As we will see below, in fact, even if the LSA is in charge of directing the investigation and decision-making process, it is still obliged to ensure dialogue with the other SAs and to take their positions into consideration as a matter of priority.

[2] The meaning of “the context of the activities” was already developed by the CJEU. The Court built on a broad definition of “establishment” and held that intending to promote and sell advertising space by an establishment in a Member State of a third country undertaking to make the latter profitable is carried out “in the context of the activities” of that establishment" (CJEU, 13 May 2014, Google Spain, C-131/12 (available here); and CJEU, 1 October 2015, Weltimmo, C-230/14 (available here). The EDPB also confirmed that this notion should not be interpreted too restrictively considering the view to fulfil the objective of ensuring effective and complete protection. See, See EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 7 (available here).

[3] The notion of “substantial effect” on data subjects as mentioned by Article 4(23)(b) is not defined in the GDPR. In its guidelines (endorsed by the EDPB), the Working Party 29 considered that the number of affected individuals in several Member States is not decisive. Rather, the Working Party developed a following, non-exhaustive list of criteria that will be taken into account on a case by case basis. The guidelines suggest to take into account the context of the processing, the type of data, the purpose of the processing and other factor factors, such as potential discrimination, reputational damage, impact on the well-being or involvement of special categories of data. See, WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 4 (available here).

[4] CJEU, 1 October 2015, Weltimmo, C-230/14, margin number 31 (available here).

[5] CJEU, 1 October 2015, Weltimmo, C-230/14, margin number 30 (available here).

[6] WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 5 (available here).

[7] WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 6 (available here).

[8] Tosoni, The EU General Data Protection Regulation (GDPR), Article 4(16) GDPR, p. 235.

[9] WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 9 (available here).

[10] WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 8 (available here).

[11] EDPB, Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment, 9 July 2019, p. 30 (available here).

[12] Note that the main establishment is defined for each processing operation. Therefore, there may be several main establishments, for example if the decisions regarding the different processing operations are done by different establishments of the controller. WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 5 (available here).

[13] WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 7 (available here).

[14] Article 29 Working Party, Guidelines for identifying a controller or processor’s lead supervisory authority, adopted on 13 December 2016, as last revised and adopted on 5 April 2017, WP 244 rev.01, p. 7, section 2.1.1

[15] WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 8 (available here).

[16] WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 7 (available here).

[17] For criteria taken into account by the Irish SA to conclude that Twitter had its main establishment in Ireland; see EDPB, Decision 01/2020 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Twitter International Company under Article 65(1)(a) GDPR, 9 November 2020, margin number 34 (available here).

[18] WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 8 (available here).

[19] WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 8 (available here).

[20] In this respect, see EDPB, Decision 01/2020 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Twitter International Company under Article 65(1)(a) GDPR, 9 November 2020, margin number 52 (available here).

[21] EDPB, Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment, 9 July 2019, p. 30 (available here).

[22] Hijmans, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 56, p. 920.

[23] EDPB, Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment, 9 July 2019, p. 30 (available here).

[24] Hijmans, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 56, p. 921-923.

[25] CJEU, 15 June 2021, Facebook c. APD, C-645/19, § 64.

[26] Hijmans, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 56, p. 924.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

[23]

[24]

[25]

[26]

@@ Line 213: / Line 213: @@
 As mentioned above, Article 55 GDPR confirms the general rule that breaches of data protection law occurring in a given Member State are investigated and possibly punished by the independent authority of that Member State. However, the processing of personal data often presents transnational features due, for example, to the existence of several establishments of the data controller within the territory of the Union. In such circumstances, the general rule of Article 55 would require each independent authority to take a position on a certain processing of personal data, with the obvious consequence of possible inconsistencies of application in case of divergent decisions. This would be in contradiction with one of the main objectives of the GDPR, namely to "''ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States''" (Recital 10). In that view, Article 56 provides for an alternative decision-making procedure under two conditions: (i) the processing is of a cross-border nature, and (ii) the controller or processor has a main establishment in the EU. Where these conditions are met, Article 56 transfers part of the powers and tasks originally assigned to the (lead) SA where the main establishment of the controller or processor is located.<ref>This is a genuine derogation from the general rules of Article 55 which, however, is partial in nature. In the first place, in fact, the GDPR itself provides for hypotheses in which the derogation itself is not applicable as provided for in the case of urgency under Article 66 (CJEU, 15 June 2021, Facebook Ireland and Others, C-645/19, margin number 58 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-645/19 here]), or where processing is carried out by public authorities or private bodies under Article 55(2) GDPR. See, ''Robert,'' Les autorités de contrôle dans le nouveau règlement général, in Docquir, Vers un droit européen de la protection des données, margin numbers 57-60 (Larcier, 2017). Secondly, even if the derogation applies, the transfer of competencies is not total. As we will see below, in fact, even if the LSA is in charge of directing the investigation and decision-making process, it is still obliged to ensure dialogue with the other SAs and to take their positions into consideration as a matter of priority.</ref>
-==== (i) Cross-Border Processing ====
+==== Cross-Border Processing ====
-According to the wording of Article 56(1) GDPR, one of the conditions for triggering the the competence of the lead SA and the cooperation mechanism of [[Article 60 GDPR]] is the existence of a cross-border processing.
+According to the wording of Article 56(1) GDPR, one of the conditions for triggering the the competence of the lead SA and the cooperation mechanism of [[Article 60 GDPR]] is the existence of a cross-border processing. The definition of cross-border processing is provided by [[Article 4 GDPR|Article 4(23) GDPR]] which stipulates that such a processing takes place in the context of the activities<ref>The meaning of “t''he context of the activities''” was already developed by the CJEU. The Court built on a broad definition of “establishment” and held that intending to promote and sell advertising space by an establishment in a Member State of a third country undertaking to make the latter profitable is carried out “''in the context of the activities” of that establishment"'' (CJEU, 13 May 2014, Google Spain, C-131/12 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-131/12 here]); and CJEU, 1 October 2015, Weltimmo, C-230/14 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-230/14 here]). The EDPB also confirmed that this notion should not be interpreted too restrictively considering the view to fulfil the objective of ensuring effective and complete protection. See, See EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 7 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref> of either (a) establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) a single establishment of a controller or processor in the Union but which substantially affects<ref>The notion of “''substantial effect''” on data subjects as mentioned by Article 4(23)(b) is not defined in the GDPR. In its guidelines (endorsed by the EDPB), the Working Party 29 considered that the number of affected individuals in several Member States is not decisive. Rather, the Working Party developed a following, non-exhaustive list of criteria that will be taken into account on a case by case basis. The guidelines suggest to take into account the context of the processing, the type of data, the purpose of the processing and other factor factors, such as potential discrimination, reputational damage, impact on the well-being or involvement of special categories of data. See, WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 4 (available [https://ec.europa.eu/newsroom/document.cfm?doc_id=44102 here]).</ref> or is likely to substantially affect data subjects in more than one Member State. In other words, the processing by a controller only established in one Member State which substantially only affects the individuals in this Member State will not meet the condition. one-stop-shop procedure under Article. In all other cases, the processing shall be considered as cross-border, if there is at least one establishment of the controller in the EU and if the activities of this establishment are linked to the processing at stake.
+==== Main Establishment ====
+Recital 22 GDPR, following the CJEU ruling in ''Weltimmo'' defines “establishment” as “''the effective and real exercise of activity through stable arrangements''”.<ref>CJEU, 1 October 2015, Weltimmo, C-230/14, margin number 31 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-230/14 here]).</ref>  The legal form of such arrangements is irrelevant. As the Court further specified, the presence of only one representative can, in some circumstances, suffice to constitute a stable arrangement if that representative acts with a sufficient degree of stability through the presence of the necessary equipment for provision of the specific services concerned in the Member State in question.<ref>CJEU, 1 October 2015, Weltimmo, C-230/14, margin number 30 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-230/14 here]).</ref> The GDPR introduces separate criteria for the main establishment of a processor and of a controller.
-The definition of cross-border processing is provided by [[Article 4 GDPR|Article 4(23) GDPR]] which stipulates that such a processing takes place in the context of the activities of either (a) establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
+===== Main Establishment of the Controller =====
+As a general rule, as per Article 4(16)(a) GDPR, the main establishment of a controller is the place of its central administration in the Union. This is however a rebuttable presumption, since another establishment can also be the main establishment, according to Article 4(16) GDPR, when ''“the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment”''. In other words, in order to determine the main establishment of a controller, it is necessary to first find its place of central administration – “''the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented''”.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 5 (available [https://ec.europa.eu/newsroom/document.cfm?doc_id=44102 here]).</ref> If a controller’s main establishment is not the place of its central administration in the EU, it is necessary to identify the establishment where “''the effective and real exercise of management activities that determine main decisions as to the purposes and means of processing through stable arrangements, take place''”.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 6 (available [https://ec.europa.eu/newsroom/document.cfm?doc_id=44102 here]).</ref> The presence and use of technical means and technologies for processing personal data or processing activities do not in themselves, constitute a main establishment and are therefore not determining criteria for a main establishment. See Recital 36 GDPR.
-In other words, the processing by a controller only established in one Member State which substantially only affects the individuals in this Member State will not meet the condition. one-stop-shop procedure under Article. In all other cases, the processing shall be considered as cross-border, if there is at least one establishment of the controller in the EU and if the activities of this establishment are linked to the processing at stake.
+===== Main Establishment of the Processor =====
+Similarly to provisions of [[Article 4 GDPR|Article 4(16)(a) GDPR]] regarding the controller, a main establishment of a processor with establishments in more than one Member State is a place of its central administration. If cases where the processor has no central administration in the Union, the GDPR provides a different alternative than the one applicable to the controller: if the processor does not have a central administration in the Union, its main establishment is the place where the main processing activities take place in the Union (i) in the context of the activities of an establishment of the processor take place and (ii) to the extent that the processor is subject to specific obligations under this Regulation. As Tosoni argues, it introduces two qualifications: the first one “implies that the processing of personal data does not need to be carried out 'by' the relevant establishment itself, rather that it is sufficient if the processing is carried out 'in the context of the activities' of the establishment, and the second confirming the scope of application of the GDPR to processors.<ref>''Tosoni'', The EU General Data Protection Regulation (GDPR), Article 4(16) GDPR, p. 235.</ref>
-===== Context of the Activities =====
+===== Other Cases =====
-The meaning of “t''he context of the activities''” was already developed by the CJEU. The Court built on a broad definition of “establishment” and held that intending to promote and sell advertising space by an establishment in a Member State of a third country undertaking to make the latter profitable is carried out “''in the context of the activities” of that establishment"''.<ref>CJEU, 13 May 2014, Google Spain, C-131/12 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-131/12 here]); and CJEU, 1 October 2015, Weltimmo, C-230/14 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-230/14 here]). </ref> The EDPB also confirmed that this notion should not be interpreted too restrictively considering the view to fulfil the objective of ensuring effective and complete protection.<ref>See EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 7 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref>
+In cases involving both the controller and the processor, the competent lead SA remains the SA of the controller, if there is one. In such a case, the SA of the processor will be a concerned SA as per [[Article 4 GDPR|Article 4(22) GDPR]]. However, this is not the case if the draft decision concerns only the controller.  See Recital 36 GDPR. In cases where the processor is acting for several controllers, it may then be subject to the competence of several SAs.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 9 (available [https://ec.europa.eu/newsroom/document.cfm?doc_id=44102 here]).</ref>
-===== Substantial Effect =====
+The GDPR does not address the situation of joint controllership and does not define specific criteria to determine the lead SA. However, according to [[Article 26 GDPR|Article 26(1) GDPR]], the controllers shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation. The Article 29 Working Party considers that agreement between the controller could designate the establishment having the power to implement decisions about the processing with respect to the joint controllership.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 8 (available [https://ec.europa.eu/newsroom/document.cfm?doc_id=44102 here]).</ref> This could also be supported by the wording of Recital 79 GDPR, which implies that the agreement regarding the allocation of responsibilities among controllers should also concern the monitoring and the measures of the SAs. However, this seems in contradiction with the aim expressed by the EDPB to avoid forum shopping.<ref>EDPB, Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment, 9 July 2019, p. 30 (available [https://edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-82019-competence-supervisory-authority_en here]).</ref>
-The notion of “''substantial effect''” on data subjects as mentioned by Article 4(23)(b) is not defined in the GDPR. In its guidelines (endorsed by the EDPB), the Working Party 29 considered that the number of affected individuals in several Member States is not decisive. Rather, the Working Party developed a following, non-exhaustive list of criteria that will be taken into account on a case by case basis. The guidelines suggest to take into account the context of the processing, the type of data, the purpose of the processing and other factor factors, such as potential discrimination, reputational damage, impact on the well-being or involvement of special categories of data.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 4 (available [https://ec.europa.eu/newsroom/document.cfm?doc_id=44102 here]).</ref>
+==== Identifying the LSA ====
-==== (ii) Main Establishment ====
+If a controller or a processor has establishments in more than one Member States, identifying its “main establishment” is the first step to recognize the lead supervisory authority in a cross-border processing.<ref>Note that the main establishment is defined for each processing operation. Therefore, there may be several main establishments, for example if the decisions regarding the different processing operations are done by different establishments of the controller. WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 5 (available [https://ec.europa.eu/newsroom/document.cfm?doc_id=44102 here]).</ref>
-Recital 22 GDPR, following the CJEU ruling in ''Weltimmo'' defines “establishment” as “''the effective and real exercise of activity through stable arrangements''”.<ref>CJEU, 1 October 2015, Weltimmo, C-230/14, margin number 31 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-230/14 here]).</ref>  The legal form of such arrangements is irrelevant. As the Court further specified, the presence of only one representative can, in some circumstances, suffice to constitute a stable arrangement if that representative acts with a sufficient degree of stability through the presence of the necessary equipment for provision of the specific services concerned in the Member State in question.<ref>CJEU, 1 October 2015, Weltimmo, C-230/14, margin number 30 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-230/14 here]).</ref>
-If a controller or a processor has establishments in more than one Member States, identifying its “main establishment” is the first step to recognize the lead supervisory authority in a cross-border processing. Note that the main establishment is defined for each processing operation. Therefore, there may be several main establishments, for example if the decisions regarding the different processing operations are done by different establishments of the controller.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 5 (available [https://ec.europa.eu/newsroom/document.cfm?doc_id=44102 here]).</ref>
+The Article 29 Working Party stressed that the GDPR does not allow “forum shopping”. It is a role of the SAs to properly define the main establishment of a controller according to objective criteria and subsequently determine the lead authority. According to the A29WP guidelines, “''conclusions cannot be based solely on statements by the organisation under review. The burden of proof ultimately falls on controllers and processors to demonstrate to the relevant supervisory authorities where the relevant processing decisions are taken and where there is the power to implement such decisions.'' (...) ''The lead supervisory authority, or concerned authorities, can rebut the controller's analysis based on an objective examination of the relevant facts, requesting further information where required''.”<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/document.cfm?doc_id=44102 here]). </ref>
-The Article 29 Working Party stressed that the GDPR does not allow “forum shopping”. It is a role of the SAs to properly define the main establishment of a controller according to objective criteria and subsequently determine the lead authority. According to the A29WP guidelines, “''conclusions cannot be based solely on statements by the organisation under review. The burden of proof ultimately falls on controllers and processors to demonstrate to the relevant supervisory authorities where the relevant processing decisions are taken and where there is the power to implement such decisions.'' (...) ''The lead supervisory authority, or concerned authorities, can rebut the controller's analysis based on an objective examination of the relevant facts, requesting further information where required''.”<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/document.cfm?doc_id=44102 here]). </ref> The GDPR introduces separate criteria for the main establishment of a processor and of a controller.
+The Article 29 Working Party developed a following, not exhaustive list of questions to determine a controller’s main establishment: Where are decisions about the purposes and means of the processing given final “sign off”? Where are decisions about business activities that involve data processing made? Where does the power to have decisions implemented effectively lie? Where is the Director (or Directors) with overall management responsibility for the cross border processing located? Where is the controller or processor registered as a company, if in a single territory?”.<ref>Article 29 Working Party, Guidelines for identifying a controller or processor’s lead supervisory authority, adopted on 13 December 2016, as last revised and adopted on 5 April 2017, WP 244 rev.01, p. 7, section 2.1.1</ref> It will indeed always be the SA which should determine where is the main establishment of the controller, who always bear the burden of proof to show evidence that the relevant decisions are taken. The SA can object to the analysis of the controller on the basis of an objective examination of the relevant facts, and on the basis of further information requested to the controller.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 8 (available [https://ec.europa.eu/newsroom/document.cfm?doc_id=44102 here]).</ref>
-The SAs will cooperate to determine the lead authority. In the event of conflicting views on the lead supervisory authority, the case may be referred to the EDPB under Article 65(1)(b) GDPR.
+In the case of a group of undertaking with a headquarter in the EU, the main establishment will be presumed to the decision-making center relating to the processing of personal data.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/document.cfm?doc_id=44102 here]).</ref> However, if the decisions relating to the processing are taken by another establishment of the controller in the Union, the later should be considered the main establishment.<ref>For criteria taken into account by the Irish SA to conclude that Twitter had its main establishment in Ireland; see EDPB, Decision 01/2020 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Twitter International Company under Article 65(1)(a) GDPR, 9 November 2020, margin number 34 (available [https://edpb.europa.eu/our-work-tools/our-documents/binding-decision-board-art-65/decision-012020-dispute-arisen-draft_ga here]).</ref> Some difficulties may arise when none of the EU establishments are taking decisions about the processing (even with a headquarter in the EU). In such a case, significantly called “borderline cases” by the Article 29 Working Party<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 8 (available [https://ec.europa.eu/newsroom/document.cfm?doc_id=44102 here]).</ref>, the GDPR does not provide for a clear answer. While the GDPR wants to encourage the non EU controller to be established in the EU to benefit from the one-stop-shop, forum shopping should be avoided and it would be too easy to pretend that decision-making is made in the EU while the decisions are actually taken in another establishment outside of the EU. The idea of the one-shop-shop is to provide a single SA as interlocutor for the controller and to facilitate the dialogue with the main establishment taking the decisions on the processing. However, the conclusion of the location of the main establishment cannot be based only on a statement of the organisation under review.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 8 (available [https://ec.europa.eu/newsroom/document.cfm?doc_id=44102 here]).</ref>
-===== Main Establishment of the Controller =====
+In case of “conflicting views” on which of the SA concerned is the lead SA, the EDPB can adopt a decision under the dispute resolution mechanism according to Article 65(1)(b) GDPR. However, in its decision on dispute resolution mechanism regarding the case of Twitter, the EDPB considered “that a disagreement on the competence of the supervisory authority acting as LSA to issue a decision in the specific case should not be raised through an objection pursuant to Article 60(4) GDPR and falls outside of the scope of [[Article 4 GDPR|Article 4(24) GDPR]].<ref>In this respect, see EDPB, Decision 01/2020 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Twitter International Company under Article 65(1)(a) GDPR, 9 November 2020, margin number 52 (available [https://edpb.europa.eu/our-work-tools/our-documents/binding-decision-board-art-65/decision-012020-dispute-arisen-draft_ga here]). </ref> It seems therefore that the decision on a conflicting view can only be taken within a specific procedure under [[Article 65 GDPR|Article 65(1)(b) GDPR]] and that conflicting views on the lead SA cannot be addressed via a reasoned objection within a procedure under [[Article 65 GDPR|Article 65(1)(a) GDPR]].
-As a general rule, as per Article 4(16)(a) GDPR, the main establishment of a controller is the place of its central administration in the Union. This is however a rebuttable presumption, since another establishment can also be the main establishment, according to Article 4(16) GDPR, when ''“the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment”''. In other words, in order to determine the main establishment of a controller, it is necessary to first find its place of central administration – “''the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented''”.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 5 (available [https://ec.europa.eu/newsroom/document.cfm?doc_id=44102 here]).</ref>
-If a controller’s main establishment is not the place of its central administration in the EU, it is necessary to identify the establishment where “''the effective and real exercise of management activities that determine main decisions as to the purposes and means of processing through stable arrangements, take place''”.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 6 (available [https://ec.europa.eu/newsroom/document.cfm?doc_id=44102 here]).</ref> The presence and use of technical means and technologies for processing personal data or processing activities do not in themselves, constitute a main establishment and are therefore not determining criteria for a main establishment. See Recital 36 GDPR.
-===== Main Establishment of the Processor =====
-Similarly to provisions of [[Article 4 GDPR|Article 4(16)(a) GDPR]] regarding the controller, a main establishment of a processor with establishments in more than one Member State is a place of its central administration.
-If cases where the processor has no central administration in the Union, the GDPR provides a different alternative than the one applicable to the controller: if the processor does not have a central administration in the Union, its main establishment is the place where the main processing activities take place in the Union (i) in the context of the activities of an establishment of the processor take place and (ii) to the extent that the processor is subject to specific obligations under this Regulation. As Tosoni argues, it introduces two qualifications: the first one “implies that the processing of personal data does not need to be carried out 'by' the relevant establishment itself, rather that it is sufficient if the processing is carried out 'in the context of the activities' of the establishment, and the second confirming the scope of application of the GDPR to processors.<ref>''Tosoni'', The EU General Data Protection Regulation (GDPR), Article 4(16) GDPR, p. 235.</ref>
+In case of change of main establishment in the course of a cooperation between the SAs, the EDPB considers that “the lead competence can switch to another SA until a final decision is made by the LSA”.<ref>EDPB, Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment, 9 July 2019, p. 30 (available [https://edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-82019-competence-supervisory-authority_en here]).</ref> Consequently, its competence is not definite until the very end of the procedure.<ref>''Hijmans'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 56, p. 920. </ref> The EDPB stressed that to prevent “''forum shopping''”, “''SAs should exercise effective control over the notion of main establishment in order to reduce the risk that controllers or processors artificially change their main establishment for the purpose of changing the competent authority to handle the case''”.<ref>EDPB, Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment, 9 July 2019, p. 30 (available [https://edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-82019-competence-supervisory-authority_en here]).</ref>
 === (2)-(5) Data Processing Relating Only to one Member State ===
 Article 56(2) GDPR introduces an exception to the general competence of the SA of the main establishment. Article 56 GDPR which provides that a supervisory authority which is not the lead supervisory authority is to be competent to handle a complaint lodged with it concerning a cross-border processing of personal data or a possible infringement of that regulation, if the subject matter (i) relates only to an establishment in its own Member State or (ii) substantially affects data subjects only in that Member State. While the intention of the legislator seems to give a clear preference for local cases to be handled by the local SA, the text of the provisions is confusing and not clear.<ref>''Hijmans'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 56, p. 921-923.</ref>
@@ Line 255: / Line 251: @@
 === (6) The Lead SA as the Sole Interlocutor of the Controller or the Processor ===
 Article 56(6) GDPR provides that the lead SA will remain the sole interlocutor of the controller or the processor. That means that the communication should exclusively take place with the lead SA, to avoid that the controller or processor would have multiple discussions with several SAs. However, while the competence as a general rule of the lead supervisory authority is confirmed in Article 56(6) GDPR, ''“that authority must exercise such competence within a framework of close cooperation with the other supervisory authorities concerned. In particular, the lead supervisory authority cannot, in the exercise of its competences, as stated in paragraph 53 of the present judgment, eschew essential dialogue with and sincere and effective cooperation with the other supervisory authorities concerned''”.<ref>CJEU, 15 June 2021, ''Facebook c. APD'', C-645/19, § 64.</ref> Article 56 GDPR does not specify whether lead SA remains the sole interlocutor of the controller or processor where the local SA is handling the case under Article 56(5) GDPR. A pragmatic approach would definitively avoid communication issues with the controller or processor.<ref>''Hijmans'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 56, p. 924.</ref>
-==== Identifying the LSA ====
-Article 56(6) GDPR provides that that the lead SA shall act as “''the sole interlocutor''” of the controller or the processor for the processing operations at stake. The lead SA will also lead the cooperation procedure with the SA concerned under Article 60 GDPR and adopt a draft decision.  According to the CJEU, ''“the competence of the lead supervisory authority for the adoption of a decision finding that such processing is an infringement of […] Regulation 2016/679 constitutes the rule, whereas the competence of the other supervisory authorities concerned for the adoption of such a decision, even provisionally, constitutes the exception”.''<ref>CJEU, 15 June 2021, Facebook Ireland and Others, C-645/19, margin number 64 (available [https://curia.europa.eu/juris/liste.jsf?num=C-645/19 here]).</ref>
-In case of change of main establishment in the course of a cooperation between the SAs, the EDPB considers that “the lead competence can switch to another SA until a final decision is made by the LSA”.<ref>EDPB, Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment, 9 July 2019, p. 30 (available [https://edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-82019-competence-supervisory-authority_en here]).</ref> Consequently, its competence is not definite until the very end of the procedure.<ref>''Hijmans'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 56, p. 920. </ref> The EDPB stressed that to prevent “''forum shopping''”, “''SAs should exercise effective control over the notion of main establishment in order to reduce the risk that controllers or processors artificially change their main establishment for the purpose of changing the competent authority to handle the case''”.<ref>EDPB, Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment, 9 July 2019, p. 30 (available [https://edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-82019-competence-supervisory-authority_en here]).</ref>
-In case of “conflicting views” on which of the SA concerned is the lead SA, the EDPB can adopt a decision under the dispute resolution mechanism according to Article 65(1)(b) GDPR. However, in its decision on dispute resolution mechanism regarding the case of Twitter, the EDPB considered “that a disagreement on the competence of the supervisory authority acting as LSA to issue a decision in the specific case should not be raised through an objection pursuant to Article 60(4) GDPR and falls outside of the scope of [[Article 4 GDPR|Article 4(24) GDPR]].<ref>In this respect, see EDPB, Decision 01/2020 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Twitter International Company under Article 65(1)(a) GDPR, 9 November 2020, margin number 52 (available [https://edpb.europa.eu/our-work-tools/our-documents/binding-decision-board-art-65/decision-012020-dispute-arisen-draft_ga here]). </ref> It seems therefore that the decision on a conflicting view can only be taken within a specific procedure under [[Article 65 GDPR|Article 65(1)(b) GDPR]] and that conflicting views on the lead SA cannot be addressed via a reasoned objection within a procedure under [[Article 65 GDPR|Article 65(1)(a) GDPR]].
-====== WP29 Position ======
-The Article 29 Working Party developed a following, not exhaustive list of questions to determine a controller’s main establishment in cases where it is not the place of its central administration in the EU: Where are decisions about the purposes and means of the processing given final “sign off”? Where are decisions about business activities that involve data processing made? Where does the power to have decisions implemented effectively lie? Where is the Director (or Directors) with overall management responsibility for the cross border processing located? Where is the controller or processor registered as a company, if in a single territory?”.<ref>Article 29 Working Party, Guidelines for identifying a controller or processor’s lead supervisory authority, adopted on 13 December 2016, as last revised and adopted on 5 April 2017, WP 244 rev.01, p. 7, section 2.1.1</ref>
-In the case of a group of undertaking with a headquarter in the EU, the main establishment will be presumed to the decision-making center relating to the processing of personal data.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/document.cfm?doc_id=44102 here]).</ref> However, if the decisions relating to the processing are taken by another establishment of the controller in the Union, the later should be considered the main establishment.<ref>For criteria taken into account by the Irish SA to conclude that Twitter had its main establishment in Ireland; see EDPB, Decision 01/2020 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Twitter International Company under Article 65(1)(a) GDPR, 9 November 2020, margin number 34 (available [https://edpb.europa.eu/our-work-tools/our-documents/binding-decision-board-art-65/decision-012020-dispute-arisen-draft_ga here]).</ref>
-Some difficulties may arise when none of the EU establishments are taking decisions about the processing (even with a headquarter in the EU). In such a case, significantly called “borderline cases” by the Article 29 Working Party<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 8 (available [https://ec.europa.eu/newsroom/document.cfm?doc_id=44102 here]).</ref>, the GDPR does not provide for a clear answer. While the GDPR wants to encourage the non EU controller to be established in the EU to benefit from the one-stop-shop, forum shopping should be avoided and it would be too easy to pretend that decision-making is made in the EU while the decisions are actually taken in another establishment outside of the EU. The idea of the one-shop-shop is to provide a single SA as interlocutor for the controller and to facilitate the dialogue with the main establishment taking the decisions on the processing. However, the conclusion of the location of the main establishment cannot be based only on a statement of the organisation under review.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 8 (available [https://ec.europa.eu/newsroom/document.cfm?doc_id=44102 here]).</ref>
-It will indeed always be the SA which should determine where is the main establishment of the controller, who always bear the burden of proof to show evidence that the relevant decisions are taken. The SA can object to the analysis of the controller on the basis of an objective examination of the relevant facts, and on the basis of further information requested to the controller.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 8 (available [https://ec.europa.eu/newsroom/document.cfm?doc_id=44102 here]).</ref>
-====== Cases Involving Both the Controller and the Processor ======
-In cases involving both the controller and the processor, the competent lead SA remains the SA of the controller, if there is one. In such a case, the SA of the processor will be a concerned SA as per [[Article 4 GDPR|Article 4(22) GDPR]]. However, this is not the case if the draft decision concerns only the controller.  See Recital 36 GDPR. In cases where the processor is acting for several controllers, it may then be subject to the competence of several SAs.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 9 (available [https://ec.europa.eu/newsroom/document.cfm?doc_id=44102 here]).</ref>
-====== Joint Controllership ======
-The GDPR does not address the situation of joint controllership and does not define specific criteria to determine the lead SA. However, according to [[Article 26 GDPR|Article 26(1) GDPR]], the controllers shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation. The Article 29 Working Party considers that agreement between the controller could designate the establishment having the power to implement decisions about the processing with respect to the joint controllership.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244 rev.01, 5 April 2017, p. 8 (available [https://ec.europa.eu/newsroom/document.cfm?doc_id=44102 here]).</ref>  This could also be supported by the wording of Recital 79 GDPR, which implies that the agreement regarding the allocation of responsibilities among controllers should also concern the monitoring and the measures of the SAs. However, this seems in contradiction with the aim expressed by the EDPB to avoid forum shopping.<ref>EDPB, Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment, 9 July 2019, p. 30 (available [https://edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-82019-competence-supervisory-authority_en here]).</ref>
 ==Decisions==
 → You can find all related decisions in [[:Category:Article 56 GDPR]]