GDPR – Do you need to appoint a Lead Supervisory Authority?

News /

A Lead Supervisory Authority is the authority with the primary responsibility for dealing with a cross-border data processing activity, for example when there is a data breach or when a data subject makes a complaint about the processing of personal data.

The lead supervisory authority will coordinate any investigation, involving other concerned supervisory authorities. This “one-stop shop“ system only applies to organisations with a main establishment within the EU, namely a place of central administration in the EU, or the place in the EU where decisions on use of personal data are made and implemented if that is different.  

Unless the organisation designates an establishment in the EU that will act as its main establishment it will not be possible to appoint a Lead Supervisory Authority and the company will have to deal with multiple regulators across every EU member state in which it is active.

The GDPR does not permit “forum shopping”, in that it is not possible for an organisation to appoint a particular supervisory authority to be its Lead Supervisory Authority, on the basis that it may reputedly be more lenient on enforcement, as compared to another authority. 

If an organisation claims to have its main establishment in one EU state, but no effective and real exercise of management activity or decision making over the processing of personal data takes place there, the relevant supervisory authorities will decide which supervisory authority (if any) is the “lead”, using objective criteria and looking at the evidence.


Related services:

Quick links

The Legal 500 2021

“Very available and responsive to company developments in real time. Frank, clear advice – not just the ‘easy’ answer.”

The Legal 500 2022

“The solicitors who have handled our employment related issues are of the highest quality in terms of their specialist area of expertise, their professionalism and their approach to us as clients and as people. Special mention has to be made of Laura Livingstone. Laura became a key member of our team and felt more like a colleague than an external adviser – a colleague you could rely upon. Laura’s attention to detail, professionalism and responsiveness was second to none. Laura has come to know and understand us as individuals and this has enabled her to personalise her advice and even sometimes to preempt our future requirements. We have a very special and extremely valuable relationship with her and the firm.”

- The Legal 500

The Legal 500 2022

“Ince are an excellent “fit” with our specific needs. The firm has consistently provided a broad range of personnel-related advice and in our experience that advice has been consistently of the very highest professional standard: it has been timely, comprehensive, accurate and at a cost which is commensurate with the budget of an organisation of our size.”

- The Legal 500

The Legal 500 2022

“The firm has an unusually high degree of insight into the practices and policies required by the Gambling Commission as regards compliance with its own requirements and conditions – particularly Andrew Tait, derived from his previous in-house experience.”

- The Legal 500