Razia Begum and Rachel Ashwood examine how the lead supervisory authority is determined for multi-national organisations that process HR data.
One of the key features of the GDPR is the principle that it will provide organisations with a ‘one-stop shop’ when dealing with international data protection matters.
What this means in practice for a multi-national organisation that processes HR data is that, instead of potentially having to deal with the national regulatory authority in each location where it processes data or where its employees are based, the GDPR gives such an employer the opportunity to appoint a single Lead Supervisory Authority (LSA) that will deal with all relevant matters. The appeal of the ‘one-stop shop’ is that it avoids having to grapple with a host of different rules and enforcement procedures across several jurisdictions.
Once appointed, the LSA will be the authority with primary responsibility for dealing with cross-border data processing activity. Amongst other functions, the LSA will be the authority to which the multi-national employer will report any data breaches. It will also handle any investigations into complaints against the way that the employer handles personal data, as well as being the body that will make decisions about appropriate enforcement action against the employer. Determining who the LSA is will therefore involve legal considerations as well as practical and strategic ones.
What guidance do we have on LSAs?
The Article 29 Data Protection Working Party has produced a concise guideline document for identifying a controller or processor’s lead supervisory authority. The Guidelines put some ‘flesh on the bones’ of the LSA provisions at Article 56 of the GDPR.
Which employers are able to appoint a LSA?
Employers that carry out cross-border processing are able to appoint a LSA. Cross-border processing takes place where either:
In relation to Limb 2, the Guidelines provide some guidance on what ‘substantially affects’ means.
The Guidelines state that ‘substantially affects’ should be interpreted on a case-by-case basis and will take into account:
How do employers determine which is the relevant LSA in relation to its employment data?
The Guidelines contain a useful checklist for employers to help identify the relevant LSA.
What if an employer is located outside of the EU and has no establishments in the EU?
In this case, it is not possible for the employer to appoint a LSA, and it must deal with the supervisory authority in each location where it operates and/or where its data processing affects its data subjects. Employers based outside the EU with no EU establishment therefore face the potential headache of dealing with a number of different supervisory authorities.
Can employers bypass the Guidelines in place for determining the LSA and select a different supervisory authority to be the LSA?
No – the Guidelines specifically outlaw ‘forum shopping’. In other words, it is not possible for an organisation to choose a particular supervisory authority to be its LSA, eg on the basis that it reputedly takes a ‘lighter touch’ approach to enforcement as compared to another authority. The LSA is determined by where the organisation’s main establishment is located, not by preference.
Why is it important to understand which authority is the LSA?
Under the GDPR, there are certain circumstances in which the LSA must be notified. For example, notification is required when communicating the contact details of a data protection officer, and in the event of a personal data breach. It is therefore key that the LSA is correctly determined, to ensure that a business complies (in a timely manner) with all relevant obligations. Another reason for getting this right is that the new European Data Protection Board will have the power to examine which authority should be the LSA where supervisory authorities disagree, and to determine that a different authority is the competent LSA.
What if a multi-national employer does not want to appoint a LSA?
There appear to be no sanctions in the Guidelines for an employer that fails to appoint a LSA. However, it remains to be seen whether (given the clear potential advantages to businesses of the ‘one-stop shop’ system) the non-appointment of a LSA by an organisation that is involved in cross-border processing could cause a supervisory authority to question that organisation’s understanding of the GDPR in other areas.
In any event, it is generally assumed that, as the new provisions should make the administration of cross-border data protection significantly simpler, relevant employers will choose to take advantage of these rules.
Is the LSA the only supervisory authority that can become involved with cross-border issues?
No. The Guidelines acknowledge that there will be situations where other supervisory authorities may want or need to become involved in data protection matters. This may happen, for example, where a complaint is lodged with a particular supervisory authority that is not the LSA, or where employees live or work in a different location from that of the LSA and are substantially affected by the processing of their data in that location. The latter may arise, for example, where specific rules relating to the processing of employment data have been implemented in one Member State (under a derogation permitted by the GDPR) and therefore only affect employees in that Member State.
In a situation such as the above, the local supervisory authority will be a ‘concerned’ supervisory authority and will liaise with the LSA about the relevant matter. It will be open to the LSA and the concerned supervisory authority to decide between them who should lead a particular case, and they should cooperate to determine how the matter is handled and resolved.
As someone responsible for HR data what should I be doing now, in connection with the appointment of a LSA?
Rachel Ashwood is Senior Counsel at Taylor Vinters’ Cambridge office. Razia Begum is a Senior Associate at Taylor Vinters’ London office. Both Rachel and Razia are specialists in employment law.