On the 5th of April 2017, the Article 29 Working Party revised and adopted guidelines on identifying the lead supervisory authority (LSA) for controllers and processors in the context of cross-border processing. These guidelines will help controllers and processors to determine the single supervisory authority (one-stop-shop principle) with whom they will deal regarding their obligations under the GDPR. Even though the new guidelines do not differ much from the guidelines adopted on the 13th of December 2016, they attempt to introduce more clarity:
Firstly, the overall structure of the document containing the previous guidelines has been adapted i.e. some of the titles have been changed and some paragraphs have been moved around. Also, several paragraphs were completed with a sentence or two making their content more understandable without adding new information.
Furthermore, an extra paragraph was added – it explains how the lead supervisory authority should be determined in case of joint controllers. Spoiler alert: together the joint controllers must determine (acknowledging the establishments where decisions are taken) which establishment will have the power to implement the decisions on processing for all joint controllers.
Finally, Annex I, which set out a questionnaire helping the controllers and processors to determine their LSA, has been reviewed. The new questionnaire now clearly formulates the different applicable situations (in an abstract manner) and how to determine the LSA for every hypothesis.
Link to the previous article on LSA.