After the launch of the General Data Protection Regulation (GDPR) in May 2018, each organization or business will report to a Lead Supervisory Authority (LSA), from which it can get any guidance and advice that it requires. More importantly, the LSA will be accountable for deciding the relevant sanctions and fines, should a company be found to be non-compliant.
Even though each LSA will have some freedom in making decisions, it is presumed that they will interact with other LSAs all over the EU. This will help to maintain a degree of consistency throughout.
Selecting the appropriate LSA
For most organizations or businesses, it will be clear which LSA is theirs. It will usually be the one that is based in the same country as them. However, what happens when a company has more than one center, with data handled at different sites, or when the company is not based within the European Union?
If there is more than one company site, the suitable LSA will usually be the one that’s based in the same EU country as the main business site.
If the main data handling division is somewhere else, the location of that division will usually decide which LSA must be used. For example, if the main data processing center for a company is based in Berlin, the company will use the German LSA.
According to the Article 29 Working Party, if a company is based outside of the EU, it will have to select a unit in an EU country which has responsibility for its data handling. This unit should comply with the GDPR, and should have the funds to bear the possible imposition of big penalties, should there be a problem with non-compliance. Once this unit has been selected, its location will decide which LSA is suitable.
It is possible that Ireland will be an acceptable choice as the center for selected data processing units, because it will be the only English-speaking country remaining in the European Union after Brexit, meaning that companies might prefer to deal with the Irish Lead Supervisory Authority.