The GDPR defines a Supervisory Authority as an independent public authority responsible for overseeing GDPR compliance, helping organizations become GDPR compliant, enforcing compliance and conducting investigations. The supervisory authority should be notified if there is a personal data breach affecting data subjects.
The Lead Supervisory Authority is the primary data protection regulator and has the chief responsibility for managing cross-border processing of data. The principal goal of having a lead supervisory authority is to have only one point of contact, for example when a business operates multiple branches in the EU. It is a one-stop shop for all matters pertaining to GDPR.
For almost all businesses, identifying a GDPR Lead Supervisory Authority is a clear-cut decision. A corporation located in Paris, France may select the supervisory authority in France as its lead supervisory authority. An organization based in the UK may select the Information Commissioner’s Office (ICO), the supervisory authority in the UK.
For firms that operate in a number of EU member states, the lead supervisory authority is usually the supervisory authority in the EU state where the organization’s headquarters or main establishment is based. More specifically, the lead supervisory authority is the one in the jurisdiction where the ultimate decisions concerning data collection and data processing are made.
An American business that does not have a headquarters in an EU state has a problem. If it has no headquarters in an EU state where decisions on data processing are made, it will not benefit from the one-stop-shop model. Even if an organization has a company representative in an EU state, that will not trigger the one-stop-shop model.
The company therefore has to work with the supervisory authority in each EU member state where it is established, through its local representative. There would be no lead supervisory authority. GDPR Article 27 addresses the requirement to appoint a local representative in an EU state.
For certain firms, especially those that operate in several EU member states, appointing the lead supervisory authority may not be clear-cut. The Article 29 Data Protection Working Party responded to confusion over the choice of an LSA by developing guidelines for determining a controller’s or processor’s LSA. The guidelines are available as a PDF from this page.