How should you choose your EU Data Protection Authority?
Last updated 4pm, 12 January 2021
If you will continue to carry out cross-border processing, and your current lead authority is the UK's data protection authority (the “ICO”), you may need to choose another EU supervisory authority to be your lead data protection authority in the EU at the end of the Brexit transition period. This is because the ICO cannot be a lead data protection authority under EU GDPR following the Brexit transition period. This issue is important for organisations that process personal data on a cross-border basis with the EU:They will need to understand which lead data protection authorities they will deal with post-Brexit transition period.Where they are in a position to choose, they will need to understand which lead authority is the most appropriate for them.If an organisation can choose a single lead data protection authority in the EU, this will ease the regulatory burden of having to deal with multiple EU data protection authorities.This table summarises the potential scenarios, and how to approach them:
How are you processing personal data in relation to the EU? | What happens at the end of the Brexit transition period? | What should my organisation do? |
“We process personal data in the UK and in another EU/EEA state.Our processing does not substantially affect individuals elsewhere in Europe.” | You will no longer be cross-border processing.You will no longer be processing personal data in the context of the activities of establishments in two or more EU or EEA states. | You will have to deal with both the ICO and the supervisory authority in the other EU or EEA state where you are established. |
“We process personal data in the UK and in another EU/EEA state.We process personal data in those places in a way which substantially affects individuals in other EU or EEA states.” | Processing in the context of your UK establishment is no longer cross-border processing.Processing in the context of your EEA establishment, which substantially affects data subjects in other EU or EEA states, will continue to be cross-border processing. Its local supervisory authority will be the lead supervisory authority in the EEA in respect of that cross-border processing. | You will have to deal with both the ICO and the EEA lead supervisory authority. |
“We process personal data in three places: one in the UK and two or more in other EU or EEA states.Our processing may or may not substantially affect individuals in any other EU or EEA state.” | The UK establishment is no longer cross-border processing. | Your EU or EEA establishments will still be cross-border processing. You will have to deal with both the ICO and your EEA lead supervisory authority.You should work out which is your lead authority. Freeths can help you with this. |
“We only process personal data in the UK.However, our processing substantially affects individuals in one or more other EU or EEA state.” | You will not be carrying out cross-border processing under the EU GDPR as you have no office, branch or other establishment in the EEA. | You may still need to comply with the EU GDPR to the extent that your processing relates to the offering of goods or services to, or the monitoring of the behaviour of, individuals in the EEA.You may have to deal with the ICO and the supervisory authorities in all EU and EEA states where individuals are located if you process their personal data in connection with those activities.
How can Freeths help?We have a team of specialist Data and Information lawyers who can guide you through which of these scenarios applies to you, and how to choose your lead data protection authority in the EU.Head to our Brexit Exchange where you will find all the latest updates and developments from our experts, regarding Brexit and how that affects businesses and individuals in a range of areas.
|
The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.