In December 2016 the Article 29 Working Party adopted document WP244, providing guidelines on the application of the so-called "one-stop-shop" (the "OSS") principle under the GDPR (the "Guidelines"). The document can be found here and is open for consultation until the end of January 2017, so an updated version may be issued in the future.
An analysis of the Guidelines is provided below. The main takeaways are:
the OSS applies only where a single controller or processor has operations across more than one Member State or, if operating in a single Member State only, engages in processing likely to substantially affect individuals in more than one Member State;
consequently, not all multinational organisations with establishments in the EU will be able to benefit from the OSS. For example, group companies whose group members each exercise individual decision-making power over their own data processing activities will not benefit from the OSS;
non-EEA based controllers and processors subject to the GDPR also cannot benefit from the OSS;
the rules are complex, so get to grips with them before you need to contact a DPA (you do not want to be working out who your lead DPA is during a breach that must be reported within 72 hours); and
be prepared to be scrutinised and challenged by DPAs.
Who does the one-stop-shop ("OSS") apply to?
The Guidelines highlight that the OSS only applies to a controller or a processor carrying out 'cross-border processing' (defined in Article 4 (23) GDPR), meaning that the processing comprises (i) processing of personal data by the same controller or processor through local operations across more than one Member State (e.g. local branch offices); or (ii) the processing of personal data by a controller or a processor established in a single Member State that "substantially affects or is likely to substantially affect" data subjects in more than one Member State.
When does the processing 'substantially affect or is likely to substantially affect' individuals?
In the Guidelines the WP29 clearly advocates a restrictive interpretation of 'substantially affects or is likely to substantially affect', in order to avoid processing operations with 'any' effect on individuals falling under the definition of 'cross-border processing'.
The Guidelines provide a diverse list of factors that DPAs will consider when assessing whether processing operations have a substantial effect, such as whether the processing may affect individuals negatively in some way, be damaging to individuals' rights or interests, or be intrusive. This indicates that many day-to-day processing operations, for instance ordinary customer data or CRM processing, are unlikely to fall under this category.
The bottom line is that the OSS principle will be much more likely to apply when controllers or processors have local operations in more than one Member State rather than when they conduct cross-border processing operations from a single establishment.
OSS does not equal one DPA only
The main benefit of the one-stop-shop principle is that controllers and processors will be able to liaise with one DPA, the lead authority, when cross-border data processing takes place. However, other DPAs that are also 'linked' to these processing operations, so-called 'concerned DPAs', can also be involved – for example, where the processing in question affects individuals in their local territories.
The Guidelines emphasise that the role of the lead authority is to 'coordinate' actions regarding the cross-border processing activities and that other DPAs, the 'concerned DPAs', will also be involved. OSS does not mean that a controller or processor will only ever be answerable to a single DPA.
Will the lead DPA always lead?
It is now clear that there will be instances where multinationals will have to deal with more than one DPA (or a DPA other than the lead DPA) despite having their main establishment or single establishment in a single Member State. DPAs will have the discretion to decide or agree amongst themselves which supervisory authority deals with certain cases.
For instance, the processing of employees' HR data is likely to be overseen by the relevant local DPA, regardless of where the business has its lead DPA. The Guidelines also refer to an example where a French-based organisation launches a product that affects Portuguese customers only. In that context the French and Portuguese DPAs may agree that the Portuguese DPA will lead in the event an issue arises.
Who is your lead DPA?
The lead DPA is the DPA of the Member State in which the controller's or processor's 'main establishment' is located (where (i) above applies) or in which its 'single establishment' is located (where (ii) above applies).
In a nutshell, for controllers, the main establishment will be (i) the place of central administration in the EU; or, if decisions on the purposes and means of the processing do not take place there, the place where such decisions are made. Note that, with regard to the latter, the Guidelines provide a list of factors that will be relevant when identifying the main establishment. The physical location of data processing equipment (e.g. servers) does not influence the identification of the main establishment.
For processors, the main establishment is either their place of central administration in the EU or, if there is none, the establishment in the EU where the main processing activities take place. No further guidance is provided as to how 'main processing activities' is to be interpreted.
In cases involving a controller and a processor, the lead authority will be the lead authority of the controller. In this instance, the lead authority of the processor will take the role of a concerned authority.
Importantly, the Guidelines establish that where a controller or processor has neither a place of central administration in the EU nor an EU-based decision-making centre, it will not be able to benefit from the one-stop-shop mechanism. However, the WP29 identifies a 'pragmatic' solution: the organisation may designate the establishment that will act as its main establishment. That establishment must have the authority to implement decisions about the processing activities and be able to take liability for the processing, including having sufficient assets.
Requiring a particular EU entity to take liability for the processing operations and to have sufficient assets is reminiscent of the BCR rules and goes beyond the definition of 'main establishment' in the GDPR. Whilst the WP29 warns against controllers and processors attempting to 'forum shop', it encourages organisations unable to identify an EU decision-making centre to appoint an EU main establishment in order to benefit from the one-stop-shop mechanism.
Can non-EEA based controllers benefit from the one-stop-shop mechanism?
No, they cannot. While non-EEA controllers must appoint an EU-based 'representative', the presence of a representative in the EU does not amount to a 'main establishment'. Only controllers and processors established in the EU will benefit from the one-stop-shop. In practice this means that if, for instance, a non-EEA based controller suffers a personal data breach that requires DPA notification, it will have to notify more than one DPA.
When do I need to identify the 'main establishment'?
The Guidelines emphasise the importance of identifying the main establishment and the lead DPA in advance, so that organisations already know which DPA they must deal with when, for instance, they have to notify a personal data breach or consult the DPA about a high-risk processing operation.
Can my assessment of the 'main establishment' be challenged?
Yes. The Guidelines also clarify that other concerned DPAs can challenge the controller's or processor's assessment of its main establishment and require additional information to prove where the main establishment is located. That scrutiny is likely to intensify in the 'borderline' cases described above.