Cross Border Processing
The GDPR (Art 4 (23)) defines cross-border processing as either:
- Processing of personal data which takes place in the context of the activities of an organisation in more than one Member State where that organisation is established in more than one Member State; or
- Processing of personal data which takes place in the context of the activities of an organisation’s single establishment but where that processing substantially affects or is likely to substantially affect data subjects in more than one Member State.
The Location of Your Main Establishment
The starting point here is knowing whether you are a data controller or processor. As a reminder…
A data controller (Art 4 (7)) is defined as:
An organisation that determines, alone or jointly with others, the purposes and means of the processing of personal data.
A data processor (Art 4 (8)) is defined as:
An organisation that processes personal data on a data controller’s behalf.
A key question to answer next is: which of your organisation’s establishments has the power to take decisions regarding the ‘purposes and means’ of your processing of personal data? (Note: You cannot assume that all of your organisation’s cross-border processing activities will share the same main establishment!)
The Lead Supervisory Authority (LSA) (Art 56)
Your LSA is the supervisory authority of the Member State where your organisation has its principal establishment. Further, your LSA will have primary responsibility for dealing with your organisation’s processing activities and will be the supervisory authority that you deal with in respect of cross-border processing generally. Other supervisory authorities (known as CSAs, Art 60) may also come into play where:
- Your organisation is established in the Member State of that supervisory authority
- A complaint regarding your organisation’s processing activities has been lodged with that supervisory authority
- Data subjects residing in the Member State of that supervisory authority are substantially affected or are likely to be substantially affected by your organisation’s processing activities
Naturally, an LSA will closely coordinate with the relevant CSAs where the need arises. Should a difference of views between the two supervisory categories arise, the matter can be brought to the European Data Protection Board for clarification.
This is an area of data protection not without some complexity.
If you are operating a business or organisation between two or more jurisdictions and are unsure about the relevant data protection (GDPR) rules which may apply to you, contact me, Donnacha T. Anhold, at Carter Anhold & Co., Solicitors (Sligo and Dublin) at +353 71 9162211.