Article 56
Competence of the lead supervisory authority
(124) Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union and the controller or processor is established in more than one Member State, or where processing taking place in the context of the activities of a single establishment of a controller or processor in the Union substantially affects or is likely to substantially affect data subjects in more than one Member State, the supervisory authority for the main establishment of the controller or processor or for the single establishment of the controller or processor should act as lead authority. It should cooperate with the other authorities concerned, because the controller or processor has an establishment on the territory of their Member State, because data subjects residing on their territory are substantially affected, or because a complaint has been lodged with them. Also where a data subject not residing in that Member State has lodged a complaint, the supervisory authority with which such complaint has been lodged should also be a supervisory authority concerned. Within its tasks to issue guidelines on any question covering the application of this Regulation, the Board should be able to issue guidelines in particular on the criteria to be taken into account in order to ascertain whether the processing in question substantially affects data subjects in more than one Member State and on what constitutes a relevant and reasoned objection.
(125) The lead authority should be competent to adopt binding decisions regarding measures applying the powers conferred on it in accordance with this Regulation. In its capacity as lead authority, the supervisory authority should closely involve and coordinate the supervisory authorities concerned in the decision-making process. Where the decision is to reject the complaint by the data subject in whole or in part, that decision should be adopted by the supervisory authority with which the complaint has been lodged.
(126) The decision should be agreed jointly by the lead supervisory authority and the supervisory authorities concerned and should be directed towards the main or single establishment of the controller or processor and be binding on the controller and processor. The controller or processor should take the necessary measures to ensure compliance with this Regulation and the implementation of the decision notified by the lead supervisory authority to the main establishment of the controller or processor as regards the processing activities in the Union.
(127) Each supervisory authority not acting as the lead supervisory authority should be competent to handle local cases where the controller or processor is established in more than one Member State, but the subject matter of the specific processing concerns only processing carried out in a single Member State and involves only data subjects in that single Member State, for example, where the subject matter concerns the processing of employees' personal data in the specific employment context of a Member State. In such cases, the supervisory authority should inform the lead supervisory authority without delay about the matter. After being informed, the lead supervisory authority should decide, whether it will handle the case pursuant to the provision on cooperation between the lead supervisory authority and other supervisory authorities concerned (‘one-stop-shop mechanism’), or whether the supervisory authority which informed it should handle the case at local level. When deciding whether it will handle the case, the lead supervisory authority should take into account whether there is an establishment of the controller or processor in the Member State of the supervisory authority which informed it in order to ensure effective enforcement of a decision vis-à-vis the controller or processor. Where the lead supervisory authority decides to handle the case, the supervisory authority which informed it should have the possibility to submit a draft for a decision, of which the lead supervisory authority should take utmost account when preparing its draft decision in that one-stop-shop mechanism.
(128) The rules on the lead supervisory authority and the one-stop-shop mechanism should not apply where the processing is carried out by public authorities or private bodies in the public interest. In such cases the only supervisory authority competent to exercise the powers conferred to it in accordance with this Regulation should be the supervisory authority of the Member State where the public authority or private body is established.
(130) Where the supervisory authority with which the complaint has been lodged is not the lead supervisory authority, the lead supervisory authority should closely cooperate with the supervisory authority with which the complaint has been lodged in accordance with the provisions on cooperation and consistency laid down in this Regulation. In such cases, the lead supervisory authority should, when taking measures intended to produce legal effects, including the imposition of administrative fines, take utmost account of the view of the supervisory authority with which the complaint has been lodged and which should remain competent to carry out any investigation on the territory of its own Member State in liaison with the competent supervisory authority.
(131) Where another supervisory authority should act as a lead supervisory authority for the processing activities of the controller or processor but the concrete subject matter of a complaint or the possible infringement concerns only processing activities of the controller or processor in the Member State where the complaint has been lodged or the possible infringement detected and the matter does not substantially affect or is not likely to substantially affect data subjects in other Member States, the supervisory authority receiving a complaint or detecting or being informed otherwise of situations that entail possible infringements of this Regulation should seek an amicable settlement with the controller and, if this proves unsuccessful, exercise its full range of powers. This should include: specific processing carried out in the territory of the Member State of the supervisory authority or with regard to data subjects on the territory of that Member State; processing that is carried out in the context of an offer of goods or services specifically aimed at data subjects in the territory of the Member State of the supervisory authority; or processing that has to be assessed taking into account relevant legal obligations under Member State law.
There is no recital in the Directive related to article 56.
The GDPR
The introduction of the "single window" mechanism by Article 56 of the Regulation is a major innovation of the Regulation that will significantly ease the lives of the lead controllers in their application of different personal data protection laws.
The mechanism is simple in its principle: in the case of cross-border processing, the Regulation defines the “main” supervisory authority (known as the lead supervisory authority) for the processing activities in the Union on the basis of the main establishment of the controller or of its single establishment. The lead supervisory authority will be the sole interlocutor of the controller or the processor for their cross-border processing (Art. 56 (6)).
Article 4 (23) of the Regulation defines “cross-border processing” as:
a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
The purpose is to have a single supervisory authority competent to monitor the activities of the controller or the processor carried out throughout the Union and to take the relevant decisions. The competence conferred on the lead supervisory authority aims to promote consistent application of European regulations, to ensure legal certainty and to reduce the administrative burden for the controller and its processors. This lead supervisory authority will be the sole interlocutor of the controller or the processor for their cross-border processing (Art. 56 (3)).
Article 4 (16) defines the concept of main establishment separately for a controller and for a processor with establishments in more than one Member State:
- with regard to the controller, its main establishment depends on the place of its central administration in the Union. However, if the decisions on the means and purposes of the processing are taken in another establishment in the EU and this establishment has the power to have such decisions implemented, then this establishment must be regarded as the main establishment;
- with regard to the processor, its main establishment is determined by the place of its central administration in the Union. In the absence of central administration in the Union, its main establishment depends on where the essential processing activities are carried out within the activities of an establishment of a processor, provided that the processor is subject to specific obligations under the Regulation.
By derogation from paragraph 1, each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State (Article 56 (2)). In this case, the supervisory authority must notify the lead supervisory authority. Within a period of three weeks after being informed the lead supervisory authority shall decide whether or not it will handle the case in accordance with the procedure provided in Article 60, taking into account whether or not there is an establishment of the controller or processor in the Member State of which the supervisory authority informed it.
Where the lead supervisory authority decides to handle the case, the procedure provided in Article 60 shall apply (paragraph 4). The supervisory authority which informed the lead supervisory authority may submit to the lead supervisory authority a draft for a decision that the latter must take into account in the elaboration of its draft decision, which must be communicated to the supervisory authority in compliance with Article 60 (2).
Where the lead supervisory authority decides not to handle the case, the supervisory authority which informed the lead supervisory authority shall handle it according to Articles 61 and 62. This clarification requires close cooperation between the supervisory authorities (paragraph 5).
The Directive
Under Article 28, paragraphs 1 and 6, of the Directive, each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, in the territory of its own Member State, the powers conferred on it to ensure compliance with the data protection rules.
However, the Directive did not resolve the issue of the competent authority when the controller is established in the territory of several Member States. On the contrary, the Directive specified that when the controller is established in the territory of several Member States, it must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable (see Article 4 (1), b)).
The absence of an obligation for coordination of the national supervisory authorities in the Directive has led to many problems for companies that operate on a transnational level, because of the application of different national legislations. Often the companies had to determine the applicable law for each establishment and comply with the specific competent national law.
National laws did not provide a solution when the controller is established in the territory of several Member States.
Potential issues
The designation of a single competent supervisory authority in the event of cross-border processing is obviously a good thing. This will not always be easy in practice, given the complexity of the identification rules contained in Article 56 and the concept of main establishment.
Importantly, its predictability is not certain. The competent authority may differ depending on how the infringement is connected to a particular Member State and on the decision on the division of competences, which falls to the lead supervisory authority.
European Union
European Data Protection Board
Guidelines 06/2022 on the practical implementation of amicable settlements (12 May 2022)
1. Practice has shown that many supervisory authorities (hereinafter “SAs”) apply the instrument of amicable settlement when dealing with complaints. It is as well noticeable that there are diverse variations of amicable settlements and that they are therefore handled differently by SAs due to differing domestic legislations. The GDPR uses the term “amicable settlement” only in Recital 131 in reference to the handling of local cases under Article 56(2) GDPR, but does not explicitly limit the possibilities to facilitate such local cases. The resulting lacuna in regulation of amicable settlements for non-local cases has been filled in divergent ways, some by way of Member State law, others by way of interpretation. Given these different interpretations and given the differing national laws governing complaint handling and amicable settlements (if at all present), the practical implementation of the instrument of amicable settlements differs considerably among Member States.
2. The powers of the SAs should be exercised in accordance with specific requirements in their Member State procedural law. This applies also to the handling of cases. However, national procedural law must comply with the principles of equivalence and effectiveness and may hence not render excessively difficult or practically impossible the exercise of the rights conferred by EU law (i.e. the GDPR). Through these Guidelines, the EDPB therefore seeks to provide best practices for a consistent application of the GDPR at national and EU level, to the extent appropriate for the application of the instrument of amicable settlement, taking into account the various national procedural legislations – insofar as such an instrument has been implemented explicitly – the procedure of the OSS mechanism under the GDPR, and the technical environment (IMI).
3. Cases handled by SAs can have origins other than complaints, for example cases based on media reports or ex officio investigations. However, the present guidance will address the practical implementation of amicable settlements only for cases that originated as a complaint from a data subject since the possibility of a settlement postulates the existence of a dispute between two entities, in this case the complaint lodged by a data subject against a data controller (see also paragraph 2.1 below). Furthermore, such complaints can be divided into (i) national cases without cross-border character, (ii) cases where the OSS mechanism applies because the case is cross-border in nature, and (iii) cross-border cases that are handled locally pursuant to Article 56(2) GDPR. Again, even though practice shows that amicable settlements are a possible course of action for all situations, the present guidance will mainly address those complaints that are cross-border in nature.
Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority (28 March 2023)
On 5 April 2017, the Article 29 Working Party adopted its Guidelines for identifying a controller or processor’s lead supervisory authority (WP244 rev.01), which were endorsed by the European Data Protection Board (hereinafter “EDPB”) at its first Plenary meeting. This document is a slightly updated version of those guidelines. Any reference to the WP29 Guidelines for identifying a controller or processor’s lead supervisory authority (WP244 rev.01) should, from now on, be interpreted as a reference to these EDPB guidelines.
The EDPB has noticed that there was a need for further clarifications, specifically regarding the notion of main establishment in the context of joint controllership and taking into account the EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR.
The paragraph concerning this matter has been revised and updated, while the rest of the document was left unchanged, except for editorial changes. The revision concerns, more specifically, Section 2.1.3 on joint controllers.
Article 29 Working Party
Guidelines on the Lead Supervisory Authority - wp244rev.01 (5 April 2017)
(Endorsed by the EDPB)
Identifying a lead supervisory authority is only relevant where a controller or processor is carrying out the cross-border processing of personal data. Article 4(23) of the General Data Protection Regulation (GDPR) defines ‘cross-border processing’ as either the:
- processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or the
- processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
This means that where an organisation has establishments in France and Romania, for example, and the processing of personal data takes place in the context of their activities, then this will constitute cross-border processing.
Alternatively, the organisation may only carry out processing activity in the context of its establishment in France. However, if the activity substantially affects – or is likely to substantially affect – data subjects in France and Romania then this will also constitute cross-border processing.
European Union
CJEU caselaw
C-230/14 (1 October 2015) - Weltimmo
1. Article 4(1)(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as permitting the application of the law on the protection of personal data of a Member State other than the Member State in which the controller with respect to the processing of those data is registered, in so far as that controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity — even a minimal one — in the context of which that processing is carried out.
In order to ascertain, in circumstances such as those at issue in the main proceedings, whether that is the case, the referring court may, in particular, take account of the fact (i) that the activity of the controller in respect of that processing, in the context of which that processing takes place, consists of the running of property dealing websites concerning properties situated in the territory of that Member State and written in that Member State’s language and that it is, as a consequence, mainly or entirely directed at that Member State, and (ii) that that controller has a representative in that Member State, who is responsible for recovering the debts resulting from that activity and for representing the controller in the administrative and judicial proceedings relating to the processing of the data concerned.
By contrast, the issue of the nationality of the persons concerned by such data processing is irrelevant.
2. Where the supervisory authority of a Member State, to which complaints have been submitted in accordance with Article 28(4) of Directive 95/46, reaches the conclusion that the law applicable to the processing of the personal data concerned is not the law of that Member State, but the law of another Member State, Article 28(1), (3) and (6) of that directive must be interpreted as meaning that that supervisory authority will be able to exercise the effective powers of intervention conferred on it in accordance with Article 28(3) of that directive only within the territory of its own Member State. Accordingly, it cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in that territory, but should, in accordance with Article 28(6) of that directive, request the supervisory authority within the Member State whose law is applicable to act.
3. Directive 95/46 must be interpreted as meaning that the term ‘adatfeldolgozás’ (technical manipulation of data), used in the Hungarian version of that directive, in particular in Articles 4(1)(a) and 28(6) thereof, must be understood as having the same meaning as that of the term ‘adatkezelés’ (data processing).
C-645/19 (15 June 2021) - Facebook Ireland e.a.
1. Article 55(1), Articles 56 to 58 and Articles 60 to 66 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read together with Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that a supervisory authority of a Member State which, under the national legislation adopted in order to transpose Article 58(5) of that regulation, has the power to bring any alleged infringement of that regulation to the attention of a court of that Member State and, where necessary, to initiate or engage in legal proceedings, may exercise that power in relation to an instance of cross‑border data processing even though it is not the ‘lead supervisory authority’, within the meaning of Article 56(1) of that regulation, with respect to that data processing, provided that that power is exercised in one of the situations where Regulation 2016/679 confers on that supervisory authority a competence to adopt a decision finding that such processing is in breach of the rules contained in that regulation and that the cooperation and consistency procedures laid down by that regulation are respected.
2. Article 58(5) of Regulation 2016/679 must be interpreted as meaning that, in the event of cross-border data processing, it is not a prerequisite for the exercise of the power of a supervisory authority of a Member State, other than the lead supervisory authority, to initiate or engage in legal proceedings, within the meaning of that provision, that the controller or processor with respect to the cross-border processing of personal data against whom such proceedings are brought has a main establishment or another establishment on the territory of that Member State.
3. Article 58(5) of Regulation 2016/679 must be interpreted as meaning that the power of a supervisory authority of a Member State, other than the lead supervisory authority, to bring any alleged infringement of that regulation to the attention of a court of that Member State and, where appropriate, to initiate or engage in legal proceedings, within the meaning of that provision, may be exercised both with respect to the main establishment of the controller which is located in that authority’s own Member State and with respect to another establishment of that controller, provided that the object of the legal proceedings is a processing of data carried out in the context of the activities of that establishment and that that authority is competent to exercise that power, in accordance with the terms of the answer to the first question referred.
4. Article 58(5) of Regulation 2016/679 must be interpreted as meaning that, where a supervisory authority of a Member State which is not the ‘lead supervisory authority’, within the meaning of Article 56(1) of that regulation, has brought a legal action, the object of which is an instance of cross-border processing of personal data, before 25 May 2018, that is, before the date when that regulation became applicable, that action may, from the perspective of EU law, be continued on the basis of the provisions of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which remains applicable in relation to infringements of the rules laid down in that directive committed up to the date when that directive was repealed. That action may, in addition, be brought by that authority with respect to infringements committed after that date, on the basis of Article 58(5) of Regulation 2016/679, provided that that action is brought in one of the situations where, exceptionally, that regulation confers on a supervisory authority of a Member State which is not the ‘lead supervisory authority’ a competence to adopt a decision finding that the processing of data in question is in breach of the rules contained in that regulation with respect to the protection of the rights of natural persons as regards the processing of personal data, and that the cooperation and consistency procedures laid down by that regulation are respected, which it is for the referring court to determine.
5. Article 58(5) of Regulation 2016/679 must be interpreted as meaning that that provision has direct effect, with the result that a national supervisory authority may rely on that provision in order to bring or continue a legal action against private parties, even where that provision has not been specifically implemented in the legislation of the Member State concerned.
Art. 56
1. Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.
2. By derogation from paragraph 1, each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.
3. In the cases referred to in paragraph 2 of this Article, the supervisory authority shall inform the lead supervisory authority without delay on that matter. Within a period of three weeks after being informed the lead supervisory authority shall decide whether or not it will handle the case in accordance with the procedure provided in Article 60, taking into account whether or not there is an establishment of the controller or processor in the Member State of which the supervisory authority informed it.
4. Where the lead supervisory authority decides to handle the case, the procedure provided in Article 60 shall apply. The supervisory authority which informed the lead supervisory authority may submit to the lead supervisory authority a draft for a decision. The lead supervisory authority shall take utmost account of that draft when preparing the draft decision referred to in Article 60(3).
5. Where the lead supervisory authority decides not to handle the case, the supervisory authority which informed the lead supervisory authority shall handle it according to Articles 61 and 62.
6. The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.
1st proposal
Art. 51
1. Each supervisory authority shall exercise, on the territory of its own Member State, the powers conferred on it in accordance with this Regulation.
2. Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States, without prejudice to the provisions of Chapter VII of this Regulation.
3. The supervisory authority shall not be competent to supervise processing operations of courts acting in their judicial capacity.
2nd proposal
Art. 51a
1. Without prejudice to Article 51, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the transnational processing of this controller or processor in accordance with the procedure in Article 54a.
2. (...)
2a. By derogation from paragraph 1, each supervisory authority shall be competent to deal with a complaint lodged with it or to deal with a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.
2b. In the cases referred to in paragraph 2a, the supervisory authority shall inform the lead supervisory authority without delay on this matter. Within a period of three weeks after being informed the lead supervisory authority shall decide whether or not it will deal with the case in accordance with the procedure provided in Article 54a, taking into account whether or not there is an establishment of the controller or processor in the Member State of which the supervisory authority informed it.
2c. Where the lead supervisory authority decides to deal with the case, the procedure provided in Article 54a shall apply. The supervisory authority which informed the lead supervisory authority may submit to such supervisory authority a draft for a decision. The lead supervisory authority shall take utmost account of that draft when preparing the draft decision referred to in paragraph 2 of Article 54a.
2d. In case the lead supervisory authority decides not to deal with it, the supervisory authority which informed the lead supervisory authority shall deal with the case according to Articles 55 and 56.
3. The lead supervisory authority shall be the sole interlocutor of the controller or processor for their transnational processing.
4. (...)
Directive
Art. 28 (...) 6. Each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority of another Member State. The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.
United Kingdom
No specific provision.
Romania