Pursuing more harmonised and consistent GDPR enforcement: LSAs and single contact points
In November 2022, the European Data Protection Board (EDPB) issued draft updates of two sets of Guidelines, thereby adding information about the role or potential exclusion of the lead supervisory authority (LSA). DIGITALEUROPE welcomes the reflection on pursuing harmonised and consistent enforcement. Importantly, a clear structure to the one-stop-shop (OSS) mechanism is key to help companies cooperate efficiently with supervisory authorities (SAs) and to avoid conflicting decisions.
This paper makes recommendations to ensure the LSA’s efficient and prompt identification. We notably recommend that:
The controller, who has a duty to cooperate with SAs, should be able to rely on a single point of contact, without exceptions that would hinder a prompt notification of data breaches or smooth cooperation.
The OSS mechanism can be used to avoid every single authority from having to be simultaneously notified of a data breach or competing for enforcement.
Joint controllership agreements and the appointment of a representative should serve and be recognised as clear indicators to identify the LSA.
Controllers’ active role
Art. 56 GDPR clearly places the concept of ‘main establishment’ at the centre of the assessment to identify the LSA. The controller should therefore not be barred from identifying one LSA, which is especially critical for time-sensitive data breach notifications or in complex joint controllership cases.
Making the assessment
The controller’s assessment of which authority is the LSA is intended to facilitate cooperation. It is a point of focus in both sets of Guidelines.
For instance, the controller’s assessment is recognised as necessary for a prompt response to data breaches, particularly in time-sensitive and pressurised contexts. Indeed, in detailing procedures for notification of cross-border data breaches, the current Guidelines 9/2022 state that controllers should ‘respond promptly’ by having identified the LSA. The Guidelines also note that LSA identification should be included in the controller’s response plan.
However, the draft update to Guidelines 9/2022 adds a potential case – which could in fact become frequent – where everysingle authority needs to be notified. This wording defeats the purpose of the OSS mechanism and would hinder a prompt response.
The present Guidelines 8/2022 state that: ‘The controller itself identifies where its main establishment is and therefore which supervisory authority is its lead supervisory authority.’ It presents a list of indicators towards identifying the LSA, which revolves around business activities and decision-making powers, elements which the controller is best placed to know and take into account in its assessment.
Agreeing joint controllerships
The controller is recognised as being the first in line to identify the LSA. In fact, identifying the LSA is the controller’s responsibility. This responsibility should extend to joint controllers, as they are in a similarly advantageous position to determine the main place of establishment.
It should further be recognised that joint controllers should be allowed to identify one representative and LSA, as Art. 26 and Recital 79 GDPR make it mandatory for them to ‘determine their respective responsibilities for compliance,’ including the identification of a point of contact. Indeed, such a division of responsibilities brings clarity upon which compliance can be built, in the full respect of data subject rights.
Further, a single point of contact is directly referred to in the GDPR and updates to Guidelines 8/2022 should not bar the mechanism from functioning in the case of joint controllership. While the assessment of controllers or joint controllers can be subject to SAs’ scrutiny or require proof, it should not be overlooked.
Last, it is the LSA’s responsibility to ensure the swift and smooth cooperation with other SAs. Removing the identification of a single LSA in the case of cross-border data breaches and joint controllerships will on the contrary make enforcement less harmonised.
Keeping compliance tasks manageable
Guidelines 8/2022 state that the GDPR intends to make compliance tasks manageable, notably by identifying the right LSA. Mandating a representative should facilitate communication between controllers and the LSA, and reinforce the OSS mechanism.
Mandating a representative
Under the GDPR, the representative is given a mandate by the controller and can be designated to be addressed instead of them. In this capacity, the representative should reflect the controller’s intentions and serve as an indicator of the main place of establishment or central administration. As detailed above, the controller is central in identifying the LSA, as should be the representative.
In the case of joint controllership, as a clear division of responsibilities must be agreed on, designating a common representative should not be discouraged. A single representative would avoid hesitation and different channels of communication being opened with various authorities.
In general, weakening the role of central contact points, whether they serve to identify a representative or an LSA, would block direct communication channels and increase the cost of compliance.
Purpose of the OSS mechanism
The draft update to Guidelines 8/2022 includes a prescriptive sentence: ‘Therefore, joint controllers cannot designate (amongst the establishments where decisions on the purposes and means of the processing are taken) a common main establishment for both joint controllers.’
Similarly, the draft update to Guidelines 9/2022 foresees that even where a single representative has been successfully designated by the controller, it will not benefit from a single point of contact amongst the SAs.
These updates will directly result in a weakening of the OSS mechanism, leading to increased fragmentation and conflicting decisions.
By contrast, the Article 29 Working Party Guidelines previously endorsed by the EDPB allow joint controllers to designate the establishment where joint controllers have ‘the power to implement decisions,’ in other words a single main establishment for cross-border processing. This approach should be restated and strengthened in the updated Guidelines.
 Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority and Guidelines 9/2022 on personal data breach notification under GDPR.