GDPR: Almost-one-stop-shop mechanism and the network of Supervisory Authorities to be interfaced by a multinational company

 

Comments on the "Guidelines for identifying a controller or processor's lead supervisory authority" adopted by the Article 29 Working Party (WP29) on 13 December 2016 (hereafter "LG"), by Luciano Delli Veneri and Gloria Marcoccio

 

We are all aware that the GDPR [1] is a fundamental Regulation for businesses, and not only for Controllers and Processors established in the EU; as such it is destined to act as an essential shaping factor for the next generation of digital services involving the processing of personal data. Inevitably, the GDPR is a complex legislative text, aimed at achieving several challenging objectives, among others the harmonisation of the way the fundamental rights of individuals are ensured in terms of the protection of their personal data.

 

Businesses play an essential role in the personal data processing scenario, so the practical consequences of their involvement, as the target of many of the GDPR provisions, will be a decisive contribution to the success of the GDPR. In this sense the relationships between Supervisory Authorities and Controllers/Processors should be characterised by clarity and simplicity, avoiding any excessive bureaucracy and keeping in mind the ultimate goal: protecting individuals in the use of their personal data in a balanced way, while also considering the legitimate interests of Controllers/Processors and their need to do business ethically without being subject to unjustified bureaucratic frameworks.

 

The framework of Lead Supervisory Authorities (L.A.) and Concerned Supervisory Authorities (C.A.) laid down by the GDPR appears quite elaborate and complex, even though the European legislator's trigger was to 'simplify', especially for multinational companies. The WP29 Guidelines (LG) on the L.A. unfortunately confirm this impression of complexity, even if a lot of effort has been spent on providing clarifications, interpretations and examples.

 

The following picture (not reproduced here) tries to provide a summary overview of the multiple L.A./C.A. matters.

 



[1] General Data Protection Regulation: Regulation (EU) 2016/679.

Specifically, when a multinational company (Controller or Processor) has more than one decision-making centre in the EU:

 

1.  the so-called one-stop-shop mechanism for cross-border processing [2]

 

    ·  may involve more than one L.A. to be interfaced by a Controller/Processor, thus strongly limiting the value of the mechanism if the Controller/Processor has many decision-making centres

 

    ·  in any case each national Supervisory Authority remains competent, also for cross-border processing, to handle complaints or possible infringements that relate only to an establishment in its Member State or substantially affect data subjects only in its Member State (GDPR Article 56(2)). This means that a Controller/Processor could be required to interface with 28 Supervisory Authorities

 

2.  a Controller/Processor may have to deal with more than one C.A. as a result of several factors [3] (GDPR Article 4(22))

 

3.  the Controller/Processor is required to take very critical decisions about the applicability of the one-stop-shop mechanism and, in general, to properly identify the relevant C.A.s, necessarily on a case-by-case basis.

In many specific situations such identification is not an easy task and it could have serious consequences, for example when identifying the S.A. to which a personal data breach must be notified (GDPR Article 33(1)). It should be kept in mind that for infringement of the breach notification obligation the GDPR provides for an administrative fine of up to €10,000,000 (for undertakings, up to 2 % of the total worldwide annual turnover of the preceding financial year, if higher), under Article 83(4)(a).

 

4.  a Controller/Processor with no establishment in the EU faces a clearer situation (no decision about L.A.s and C.A.s has to be taken, since the one-stop-shop mechanism does not apply), even if it could potentially have to interface with 28 Supervisory Authorities, as is also the case for a multinational company with at least one EU decision-making centre (see point 1 above).

 

Although the GDPR does not provide for a direct sanction for wrong decisions about the L.A. and C.A.s, or for a wrong interpretation of 'substantially affect' when classifying a processing operation as 'cross-border processing', indirect impacts could arise in terms of infringement of the Accountability Principle (GDPR Article 5(2); fines of up to €20,000,000, for undertakings up to 4 % of the total worldwide annual turnover if higher, under Article 83(5)(a)).

 

For the above considerations on L.A. issues, we think the right term to use would be 'almost-one-stop-shop mechanism'.

As regards C.A. matters, we are afraid that, in reality, in complex multinational contexts, both because the Data Subjects may reside in several EU Member States and because a Controller/Processor may have multiple decision-making centres located in several EU Member States, the correct identification of the several C.A.s concerned might create operational problems, delays and misunderstandings that could ultimately have a negative impact on the rights of individuals regarding the protection of their personal data.

 

Such complex scenarios apply not only to large multinational companies providing Information Society Services, Public Electronic Communication Services or social networks; they could equally apply to an SME [4] offering cloud services, or to a multinational company with several EU decision-making centres as regards its internal administrative services (payroll, facility management, ...).

 

Therefore we suggest that WP29 review the LG with the aim of achieving further clarification and simplification, focusing on the management and the implications of the L.A./C.A. interfacing processes for multinational companies and taking into account, insofar as possible, the following points:

 

A.  provide simplification when the cross-border processing concerns the internal administrative processes of a multinational company (internal services) and not its business (external services): allow the selection of only one L.A., with no duplication per decision-making centre, when the cross-border processing concerns only internal services

 

B.  provide simplification about cross-border processing and the criterion "substantially affects or is likely to substantially affect data subjects in more than one Member State", in order to reduce the number of L.A.s to what is strictly necessary

 

C.  take into consideration the size of the multinational company: not all multinational companies are large entities, so a simplified procedure for selecting and interfacing with (possibly only one) L.A. should not dramatically compromise the right of individuals to the protection of their personal data

 

D.  make every possible effort to adopt an ad hoc criterion in order to limit the number of C.A.s to be interfaced by a Controller/Processor.

 



[2] GDPR Article 4(23): 'cross-border processing' means either: (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

 

[3] GDPR Article 4(22): 'supervisory authority concerned' means a supervisory authority which is concerned by the processing of personal data because: (a) the controller or processor is established on the territory of the Member State of that supervisory authority; (b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or (c) a complaint has been lodged with that supervisory authority.

 

[4] EU SME definition: http://ec.europa.eu/growth/smes/business-friendly-environment/sme-definition_en