How Do U.S. Businesses Hire a GDPR Lead Supervisory Organization?

August 2, 2018


Under GDPR, a Regulatory Authority is an independent public authority that is accountable for checking compliance with GDPR, assisting companies to become compliant with GDPR, and implementing compliance and carrying out inquiries. The regulatory authority is the entity that should be informed in the occurrence of a breach of private data of data subjects.

The Lead Supervisory Authority is the key data safety controller and the unit that has the main responsibility for dealing with cross-border data processing. The key objective of having a lead supervisory organization is that there is just one point of contact, such as when a company operates in several EU member states. It’s a one-stop shop for all matters linked to GDPR.

For most businesses, selecting a GDPR Lead Supervisory Organization is an easy decision. A firm based in Paris, France would hire the supervisory organization in France as the lead supervisory organization. A UK-based company would pick the Information Commissioner’s Office (ICO), which is the supervisory organization for the UK.

For businesses that operate in several EU member states, the lead supervisory organization would usually be the supervisory organization in the country where the company’s head office is or where its key business location is within the EU. More precisely, it would be the Supervisory Organization in the country where the final decisions are made concerning data gathering and processing.

A U.S. firm that doesn’t have a base in an EU member state has a problem. If it doesn’t have a base in an EU member state where data procession decisions are made, it will not gain from the one-stop-shop procedure. Even if a firm has a rep in an EU member state, that doesn’t trigger the one-stop-shop mechanism.

The firm should, therefore, deal with the supervisory organization in every member state where the firm is active, through its local representative. There would not be any lead supervisory organization. Article 27 of GDPR details the requirement to hire a native representative in an EU member state.

For some businesses, particularly those that operate in several EU member states, finding the lead supervisory organization might not be easy. The Article 29 Data Protection Working Party has reacted to the misunderstanding over the selection of an LSA by producing recommendations for finding a controller or processor’s LSA.