The GDPR provides a new mechanism, the one stop shop (OSS), that is in place as of 25 May 2018 for organisations that are established in the European Union and that are engaged in cross-border processing of personal data. Read this guide to learn more about the OSS, and how it will apply to your organisation.
The GDPR defines cross-border processing as either:
What is meant by ‘substantially affects’ will depend on the nature of the processing activities your organisation is engaged in. If necessary, your LSA will make a determination of what constitutes a substantial effect on a case by case basis.
You must engage in cross-border processing as described above for the OSS to be applicable to your organisation. If your organisation is not engaged in cross-border processing, the OSS will not apply.
Once you have confirmed that your organisation is engaged in cross-border processing, your next step will be to determine the location of your main establishment.
The process you will follow to determine your main establishment differs depending on whether your organisation is a data controller or a data processor.
A data controller is defined as:
A data processor is defined as:
The key to determining your main establishment if you are a data controller is to identify which of your organisation’s establishments has the power to take decisions on the purposes and means of your processing of personal data. This may be your place of central administration in the EU, but if your organisation takes these decisions at another establishment and that establishment has the power to have the decisions implemented, then the other establishment will be your main establishment.
If you are a data processor, your main establishment will be the location of your central administration in the EU unless your organisation does not have any central administration in the EU. If this is the case, the location where your organisation’s main processing activities take place will be your main establishment.
If your organisation is a joint controller with one or more other organisations, you should identify which establishment of the joint controllers has the power to take and implement decisions on the purposes and means of processing. That establishment will be the main establishment of the joint controllership.
If your organisation is part of a group of undertakings, the main establishment for the group will be the establishment where the entity that controls the group takes decisions on the purposes and means of the group’s processing.
If your organisation is engaged in a number of separate cross-border processing activities, it is possible that you will have more than one main establishment. You should not assume that all of your organisation’s cross-border processing activities will share the same main establishment.
This will be the case where decisions on the purposes and means of one processing activity are taken in the context of one establishment, while the decisions for a separate processing activity undertaken by the same organisation are taken in the context of a separate establishment.
The supervisory authority that will act as your LSA is the supervisory authority of the Member State where your organisation has its main establishment. Your LSA will have primary responsibility for dealing with your organisation’s processing activities and will be the supervisory authority that your organisation deals with in relation to its cross-border processing in most cases.
Your organisation’s engagement in cross-border processing means that supervisory authorities other than your LSA will also be concerned by your processing activities. Supervisory authorities, known in this context as supervisory authorities concerned (CSAs), will be concerned with your organisation’s processing activities where any of the following applies:
Should your LSA be required to investigate your organisation’s cross-border processing activities, it will do so according to the GDPR’s cooperation and consistency procedures. In such investigations, your LSA will closely coordinate with the relevant CSAs as appropriate.
In most cases, you will be required to deal only with your LSA. However, in certain circumstances, a CSA and not your LSA will be competent to handle a case regarding your organisation’s processing activities. A CSA may request to handle a case where the subject matter either:
If CSAs have conflicting views on your main establishment, it is open to them to challenge this and refer to the European Data Protection Board, which will make a binding decision on where your organisation’s main establishment is.
The Article 29 Working Party has issued guidelines that will aid your organisation in identifying where your main establishment is and therefore who your LSA is. These guidelines can be found on the Working Party’s website: http://ec.europa.eu/newsroom/document.cfm?doc_id=44102