In the latest article of the GDPR 12 Month Countdown series, Razia Begum and Rachel Ashwood examine how the lead supervisory authority is determined for multi-national organisations that process HR data.
One Stop Shop
One of the key features of the General Data Protection Regulation (“GDPR”) is the principle that it will provide organisations with a “one stop shop” when dealing with international data protection matters.
What this means in practice for multi-national organisations that process HR data, is that instead of potentially having to deal with national regulatory authorities in each location where it processes data or where its employees are based, the GDPR will provide employers with the opportunity to appoint a Lead Supervisory Authority (“LSA”) that will deal with all relevant matters. The appeal of the “one stop shop” being that this will help avoid having to grapple with a host of different rules and enforcement procedures in different jurisdictions.
Once appointed, the LSA will be the authority with primary responsibility for dealing with cross-border data processing activity. Amongst other functions, the LSA will be the authority to which the multi-national employers will report any data breaches to. It will also handle any investigations into complaints against the way that the employer handles personal data, as well as being the body that will make decisions about appropriate enforcement action against the employer. Determining who the LSA is therefore, will require legal considerations as well as practical and strategic ones.
What guidance do we have on LSAs?
The Article 29 Data Protection Working Party has produced a concise guideline document for identifying a controller or processor’s lead supervisory authority (the “Guidelines”). The Guidelines put some “flesh on the bones” of the LSA provisions at Article 56 of the GDPR.
Which employers are able to appoint a LSA?
Employers that carry out cross-border processing are able to appoint a LSA. Cross-border processing takes place where either:
- The employer is established in one or more member states and processes data in connection with the activities of one or more of those establishments (Limb 1); or
- The employer processes data in relation to just one of its EU establishments but that processing “substantially affects” data subjects (employees) in more than one member state (Limb 2).
In relation to Limb 2, the Guidelines provide some guidance on what “substantially affects” means.
The Guidelines state that “substantially affects” should be interpreted on a case by case basis and will take into account:
- the context of the processing;
- the type of data processed;
- the purpose of the processing; and
- factors such as whether the processing (amongst other factors) is likely to cause damage to individuals, whether the processing involves the analysis of special categories of personal data and whether the processing is likely to leave individuals open to discrimination or unfair treatment.
How do employers determine which is the relevant LSA in relation to its employment data?
- Where the employer is the data controller and determines the purposes for which its employment data is processed – The LSA will be the relevant supervisory authority located in the EU country where the employer has its central administration for example, a traditional HQ. This rule will apply unless the key decisions about data processing are taken in another EU country, in which case the LSA will be the one located where decisions about any processing are made. The Guidelines outline factors which may help in deciding where such decisions are made.
- Where the employer is the data processor and just processes data – The LSA will be where the data processing employer has its central administration, unless its main data processing activities take place in another EU country (in which case the relevant supervisory authority will be the one located in that location).
- Where an employer is both the data controller and the data processor – The LSA will be the LSA for the data controller.
The guidelines contain a useful checklist for employers to help identify the relevant LSA.
What if an employer is located outside of the EU and has no establishments in the EU?
In this case, it is not possible for the employer to appoint a LSA and as such, it must deal with the supervisory authority in each location where it operates and/or where any data processing affects its data subjects. This potentially leads to employers based outside the EU without an establishment with the headache of having to deal with a number of different supervisory authorities.
Can employers bypass the Guidelines in place for determining the LSA and select a different supervisory authority to be the LSA?
No – the Guidelines specifically outlaw “forum hopping”. In other words, it is not possible for an organisation to appoint a particular supervisory authority to be its LSA, on the basis that it reputedly takes a “lighter touch” approach to enforcement measures, as compared to another authority.
Why is it important to understand which the LSA is?
Under the GDPR, there are certain circumstances where the LSA must be notified. For example, notification is required when registering a data protection officer or in the event of a data breach. It is therefore key that the LSA is determined, to ensure that a business complies (in a timely manner) with all relevant obligations. Another reason for getting this issue right is that the new European Data Protection Board will have the power to investigate the nomination of a LSA and recommend that an alternative LSA is appointed.
What if a multi-national employer does not want to appoint a LSA?
There appears to be no sanctions in the Guidelines for an employer that fails to appoint a LSA. However, it remains to be seen whether (given the clear potential advantages to businesses of the “one stop shop” system) the non-appointment of a LSA by an organisation that is involved in cross-border processing, could cause a supervisory authority to question that organisation’s understanding of the GDPR in other areas.
However, it is rather assumed that as the new provisions should make administration of cross border data protection significantly simpler, that relevant employers will choose to take advantage of these rules.
Is the LSA the only supervisory authority that can become involved with cross-border issues?
No. The Guidelines acknowledge that there will be situations where other supervisory authorities may want or need to become involved with data protection matters. This may happen, for example, where a complaint is lodged with a particular supervisory authority that is not the LSA or where employees live or work in a different location to that of the LSA and are substantially affected by processing of their data in that location. This may be the case for example, in a situation where specific rules relating to the processing of employment data have been implemented in one Member State (under derogation to the GDPR) and therefore only affects employees in that one Member State.
In a situation such as the above, the local supervisory authority will be a concerned supervisory authority and will liaise with the LSA about the relevant matter. It will be open for the LSA and the supervisory authority concerned to decide amongst them who shall lead a particular case and should cooperate to determine how any matter is handled and resolved.
As someone responsible for HR data what should I be doing now, in connection with the appointment of a LSA?
- First and foremost, identify if your business is undertaking cross-border processing of HR data.
- If so, identify whether your business is the data controller or data processor in respect of this cross-border processing of HR data.
- Identify the relevant LSA for HR data in consultation with the Guidelines.
- Ensure that you are confident in your choice of LSA as each supervisory authority has the right to rebut your identification of them as your LSA.
- Communicate who the relevant LSA is for HR data to the relevant people within the organisation.
- Make contact with the relevant LSA as and when necessary to seek assistance on any areas of ambiguity.
- Keep an eye out for any country-specific guidance published by that LSA or any secondary legislation enacted in that jurisdiction relating to HR data.
If you require any further information or advice about appointing a LSA or any other aspects of the GDPR, please contact Razia Begum or Rachel Ashwood.