Appointing a GDPR Lead Supervisory Authority

The GDPR defines a Supervisory Authority as an independent public authority responsible for checking compliance with GDPR, assisting establishments to become compliant with GDPR, and carrying out investigations into non-compliance with GDPR requirements. The supervisory authority is also the entity that must be informed when a breach of the personal information of data subjects occurs.

The Lead Supervisory Authority is the primary data security regulator and has the responsibility of handling cross-border processing of data. The primary objective of appointing a lead supervisory authority is to have just one entity to contact. Without a Lead Supervisory Authority, a business that operates in multiple member states would be required to contact the Supervisory Authority in each member state.

For the majority of organizations, selecting a GDPR Lead Supervisory Authority is a simple decision. A firm based in Dublin would designate the supervisory authority in Ireland as its Lead Supervisory Authority. A firm based in the UK would pick the Information Commissioner’s Office (ICO), which is the sole Supervisory Authority in the UK.

For organizations with operations in several EU member states, the Lead Supervisory Authority is typically the supervisory authority in the EU member state where the firm’s headquarters or main business is located. More specifically, the Lead Supervisory Authority should be in the member state where the final decisions are made about data collection and data processing.

A U.S firm that does not have a base in an EU member state cannot appoint a Lead Supervisory Authority. Even if a business has an agent in an EU member state, that doesn’t trigger the one-stop-shop mechanism. That means the company will be required to work with the Supervisory Authority in every single member state where it does business through its local representative.

For some organizations, particularly those which operate in a number of EU member states, choosing the lead supervisory authority can be complicated. The Article 29 Data Protection Working Party responded to misunderstandings over the appointment of an LSA by creating guidelines – in PDF form – which can be viewed on this link.