To begin with, each of the 28 EU member states needs to appoint at least one public authority to be in charge of the GDPR implementation process. In other words, that authority is responsible for monitoring and enforcing GDPR practices in its jurisdiction.
Furthermore, the main goal of the appointed regulator in every member state is to ensure compliance with the basic rights of data subjects while their personal information is being processed and transferred.
As a side note, it’s essential to understand that even if a member state chooses to have several regulators, only one of them will be the main body representing that country during board meetings of all EU authorities; that body will also be in charge of implementing compliance instruments and guiding the other regulators in the state.
If you take the ICO as an example of a supervisory authority, its main responsibilities are:
- supporting companies on their way to GDPR compliance, on the one hand, and educating data subjects about their rights with regard to personal data processing, on the other hand;
- enforcing GDPR practices, including but not limited to fining companies that fail to comply;
- managing disputes between companies and data subjects that relate to subject access requests.
Whether your business acts as a data controller or a data processor, you will have to handle a variety of data requests from users of your product or service. Any user can raise concerns or dissatisfaction with the local authority by contacting the agency in the country they are in.
A business may inform a user that they can complain, and mention a specific corporate communication channel that should be used before a complaint gets escalated to the authorities.
For instance, if a user (a data subject) plans to exercise any of their fundamental rights, they can send the request to the company first. The company then has 30 days to satisfy the request or reject it, providing the reasons why it cannot be satisfied.
If a company fails to provide a timely clarification, the data subject can file a complaint with the supervisory authority in their country. If the company is incorporated in the EU, the supervisory authority in the user's country will then connect with the supervisory authority of the country where the company is incorporated and investigate the case.
The notion of lead supervisory authority
The good news is that, despite all the complexity on the surface, there’s a way for businesses to streamline the handling of data processing complaints. The concept worth mentioning when talking about supervisory authorities and what they mean for businesses is the LSA, which is short for lead supervisory authority.
The LSA becomes a single point of contact for, e.g., multinational businesses that operate worldwide.
The benefit of an LSA is that instead of dealing with a supervisory authority in each EU state, a company has the right to pick one main authority that handles all its cross-border data protection matters.
Who can assign a lead supervisory authority?
Any data controller or data processor has the right to choose just one of the existing supervisory authorities as its lead supervisory authority, which, once selected, becomes its single point of contact for GDPR compliance related activities.
Where shall controllers and processors appoint lead supervisory authority?
The lead supervisory authority must be chosen in the EU state where the business has its main office, headquarters or central administration. So the LSA should be located in the EU country where decisions about international operations are made; a company doesn’t have to choose one for operations taking place outside the Union.
The main benefit for a company in choosing an LSA is the opportunity to cooperate with a single supervisor.
What if a business has its HQ outside of the Union and has no offices in it?
In this situation it is not possible for the business to choose a lead supervisory authority, and therefore the company will need to deal with a different supervisory authority in every EU country where any kind of its data processing can affect data subjects.
A Canadian business, for instance, that has no established office in any EU country will have to address data subjects’ requests submitted to different supervisory authorities one by one, with no single point of contact to assist with the filing.
According to the Guidelines for identifying a controller or processor’s lead supervisory authority (p.3.3), if a business doesn’t have an office in the EU, it will have to cooperate with the supervisory authorities locally in each member state; such a company won’t be able to harness the benefits of centralized request management that are available, through an appointed lead supervisory authority, to those with a European HQ.
Data subjects’ requests and lead supervisory authority
Now you must be wondering how it all works in practice. Imagine a data subject filing a complaint because they are not happy about the way you handle their personal data.
Even if this data subject reached out to a supervisory authority other than the main one you chose, that supervisory authority forwards the complaint and the scope of the filing to the lead supervisory authority the business has designated.
Attention: under the GDPR this must be done immediately. The LSA then decides who will be in charge of handling the request.
Now imagine this scenario. Your business, as a data controller, has to report a personal data breach affecting data subjects in multiple EU countries.
If you don’t have an office there, it simply means you have to knock on the doors of different authorities all at once. And the burden gets even heavier, since all the websites of such authorities, as well as the notifications, are in an official language (or several, e.g. for Belgium) of each particular country.
And according to the GDPR, the time limit to do that is just 72 hours.
It would have been much easier if you had just one lead supervisory authority in the EU to report to, right?
Another situation that is even more mind-boggling is a data breach where your business is a third-party contractor acting as a data processor. Then, before the breach gets reported, it goes to the data controller first.
The controller then records this personal data breach, explaining the facts and related circumstances as well as the action plan. Only after this can the supervisory authority evaluate compliance with the regulation.