Understanding the Lead Supervisory Authority concept in GDPR

One of the most talked-about provisions of the EU General Data Protection Regulation is the concept of the one-stop shop. Simply put, this means a company that has operations in multiple countries can choose to deal with one Supervisory Authority (of a country) by choosing a Lead Supervisory Authority (LSA), instead of having to deal with a Supervisory Authority in each country of operation. Read on to learn:

  • Who can appoint an LSA?
  • What are the requirements when choosing an LSA?
  • What should you expect when you choose an LSA?

Who can appoint an LSA?

A controller or processor that has operations in multiple countries can choose to appoint a single Supervisory Authority (SA) as their LSA. Once appointed, the LSA becomes the primary contact for GDPR compliance matters like registration of a Data Protection Officer, data breach notifications, etc.

What are the requirements when choosing an LSA?

To counter the risk of organisations choosing an SA they perceive as less strict, Working Party 29 guidelines clearly state that the LSA must be chosen in the country where the company has its main establishment in the EU. This means it must be in the location where decision making with regard to cross-border operations is taking place.

It is worth noting that the LSA is chosen by a company only in the context of EU operations; i.e., a company is not obligated to choose an LSA for operations outside of the EU.

Also, it is worth noting that any company processing the personal data of EU residents would fall within the scope of GDPR. This would make things much easier, as their only office or subsidiary in the EU can now choose an LSA in their country of operations and avoid the need to interact with multiple SAs.

One of the challenges with the concept of assigning an LSA can be for a company that operates completely offshore, say in the United States or Australia, but processes the personal data of EU citizens. Now, if such a company does not have an EU office, it would be challenging to choose a member state SA as its LSA. It will be interesting to see how this would evolve.

What should you expect when you choose an LSA?

When a company chooses an LSA, it is possible that a data subject could lodge a complaint with a Supervisory Authority other than the one chosen as LSA. In such circumstances, the SA informs the LSA without any delay. And, within three weeks, the LSA decide who handles this complaint. Basically, there can be a decision of which SA handles the request. Either way, both the LSA and the SA would cooperate in line with the requirements stated in GDPR; i.e., the draft decision would be shared with each other.

Conclusion

Appointing a Lead Supervisory Authority can save your organisation significant administration costs, and simplify efforts if your company operates in multiple locations. However, you should not think of this as a way of choosing an easier Supervisory Authority (if you believe one exists), because the choice can be challenged. And, if challenged, the onus of explaining the choice of LSA is with the controller or processor only.

Click here to access the free online training GDPR Foundations Course to find out more about Supervisory Authorities.

Advisera Punit Bhatia

Punit Bhatia

Punit Bhatia is a senior professional with more than 18 years of experience in executing change and leading transformation initiatives. Across three continents, Punit has led projects and programs of varying complexity in business and technology. He has experience on both sides of the table in a variety of industries, serving as a consultant who worked for IT consulting companies, and as a key influencer and driver who has defined and delivered change for large enterprises.
Read more articles by Punit Bhatia