GDPR – Do you need to appoint a Lead Supervisory Authority?
A Lead Supervisory Authority is the authority with the primary responsibility for dealing with a cross-border data processing activity, for example when there is a data breach or when a data subject makes a complaint about the processing of personal data.
The Lead Supervisory Authority will coordinate any investigation, involving the other concerned supervisory authorities. This “one-stop shop” system only applies to organisations with a main establishment within the EU, namely a place of central administration in the EU or, if different, the place in the EU where decisions on the use of personal data are made and implemented.
Unless the organisation designates an establishment in the EU that will act as its main establishment, it will not be possible to appoint a Lead Supervisory Authority, and the company will have to deal with multiple regulators across every EU member state in which it is active.
The GDPR does not permit “forum shopping”: an organisation cannot choose a particular supervisory authority to be its Lead Supervisory Authority on the basis that it is reputed to be more lenient in enforcement than another authority.
If an organisation claims to have its main establishment in one EU state, but no effective and real exercise of management activity or decision making over the processing of personal data takes place there, the relevant supervisory authorities will decide which supervisory authority (if any) is the “lead”, using objective criteria and looking at the evidence.