Insight

Identifying the Lead Data Protection Authority under the GDPR

Identifying the Lead Data Protection Authority under the GDPR

Anastasios Antoniou

Anastasios Antoniou

November 24, 2020 04:51 PM

The lead authority under the GDPR

The concept of a lead supervisory data protection authority (the “Lead Authority”) facilitates monitoring cross-border processing or processing that relates to persons in more than one member state by a ‘one-stop’ authority.

Businesses engaged in cross-border processing activities may identify their Lead Authority depending on the location of the controller’s ‘main establishment’ or ‘single establishment’ in the EU.

While designating a Lead Authority is not mandatory under the GDPR, the benefit of doing so in terms of coordination and efficiency makes it an important tool for persons and businesses engaging with ‘cross-border processing’ activities in multiple member states that may potentially become the subject of investigation.

The Lead Authority will coordinate any investigation and can involve other concerned national supervisory authorities. In this context, the Lead Authority may cooperate and exchange information and liaise with such national authorities. The Lead Authority submits any draft decision to the other concerned national supervisory authorities.

From the perspective of a controller or processor, the Lead Authority is the main point of contact concerning the underlying ‘cross-border processing’ activity.

Cross-border processing

The Lead Authority is the authority with the primary responsibility for dealing with a cross-border processing activity, for example when a data subject makes a complaint about the processing of their personal data.

‘Cross-border processing’ is defined under Article 4(23) of the GDPR as either:

(i) “processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

(ii) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State”.

Substantially affects” is interpreted on a case by case basis and depends on various factors including, amongst others, the type of data, the purpose of the processing and the cause or risk of damage, loss or distress to the individual.

Determining the Lead Authority

The GDPR provides that “the supervisory authority of the main establishment or of the single establishment of the controller or processor” is competent to act as the Lead Authority.

The term ‘main establishment’ is defined under Article 4(16) of the GDPR as follows:

(i) “as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;

(ii) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation”;

Guidance published by the Article 29 Working Party, subsequently adopted by the European Data Protection Board (the “EDPB”), sets out a non-exhaustive list of factors for determining the controller’s main establishment. These factors include the following:

► the place where decisions on the purposes and means of processing are given final sign-off

► the place where decisions about business activities that involve data processing are made

► the place where the power to have decisions implemented effectively lies

► the location of the Director/Directors with overall management responsibility for the ‘cross-border processing’ activity

► the place where the controller or processor are registered as a company, if in a single territory.

Practical and commercial aspects

The Lead Authority constitutes a “one-stop” contact for data controllers and processors and an efficient mechanism for complying with the GDPR, particularly for large corporations with EU-wide and worldwide establishments.

Nevertheless, it should be noted that the Lead Authority concept has been designed to prevent abuse and ‘forum-shopping’ is not permitted under the GDPR.

As such, where a business claims to have its main establishment in one EU member state, without having any effective or actual exercise of management or decision-making over the processing of personal data taking place in that specific member state, then the Lead Authority will be decided by the supervisory authorities involved (or ultimately, by the EDPB) using objective criteria and based on the available evidence.

Main establishments in Cyprus

A plethora of multinational groups active in a wide range of industries, both within and outside the EU, have their headquarters in Cyprus. This is often the case as a result of establishing Cyprus holding companies to hold the group’s subsidiaries, due to the following reasons, amongst others:

► Cyprus taxes profits at 12.5% and taxation on outgoing dividends can be 0%

► Cyprus has signed more than 60 tax treaties (including with the UK, the US and Russia), which help ensure that Cyprus-based companies avoid double taxation

► Cyprus is an attractive destination for technology companies.

As such, Cyprus establishments of multinational corporations often carry out decision-making vis-à-vis personal data processing in Cyprus. The Commissioner for the Protection of Personal Data (the “DPC”) may accordingly be identified as the Lead Authority for a business that is a controller or processor and the main establishment or the single establishment of which is in Cyprus.

The DPC is the independent authority in Cyprus responsible for monitoring the application of the GDPR and Cypriot data protection laws. The DPC is tasked with protecting the fundamental rights and freedoms of natural persons concerning processing and to facilitate the free flow of personal data.

Drawing on the framework concerning the Lead Authority, whether the DPC will be the Lead Authority for a group which has a main establishment in Cyprus will depend on a range of factors which will determine if the effective or actual exercise of management or decision-making over the processing of personal data takes place in Cyprus.

16 November 2020

Christina McCollum
Solicitor (England and Wales) | Partner
Antoniou McCollum & Co.
T: +357 22 053333 | F: +357 22 053330
christina.mccollum@amc.law Ifigenia Iacovou
Advocate (Cyprus) | Senior Associate
Antoniou McCollum & Co.
T: +357 22 053333 | F: +357 22 053330
Ifigenia.iacovou@amc.law

Related Articles

Privacy Practice


by Casey Waughn

Data protection is all the rage among tech companies and state, national (and even transnational) governments alike. Is it a passing fad or here to stay? And how should businesses and groups of all sizes handle compliance with a blizzard of new laws?

Data Protection Prompt New Privacy Laws

New England States With Incoming Legislation


by Gregory Sirico

Best Lawyers takes an in depth look at newly proposed bills, litigation and cases coming out of four New England states.

New England Laws Taking Effect in 2022

Recent Developments on Privacy and Data Protection in Brazil


by Ricardo Barretto Ferreira da Silva and Camila Taliberti Ribeiro da Silva

A change of paradigm is urgent and requires a robust legislation on personal data protection.

Privacy and Data Protection Brazil

The Future of Data Privacy: You Can Run but You Can’t Hide (or Can You?)


by Chad W. King

In Ernest Cline’s dystopian novel "Ready Player One," the world’s population is addicted to a virtual reality game called the OASIS.

The Future of Data Privacy

My Data My Rules: An Overview of Data Protection in Brazil


by Fábio Pereira

My Data My Rules

Trending Articles

2025 Best Lawyers Awards Announced: Honoring Outstanding Legal Professionals Across the U.S.


by Jennifer Verta

Introducing the 31st edition of The Best Lawyers in America and the fifth edition of Best Lawyers: Ones to Watch in America.

Digital map of the United States illuminated by numerous bright lights

Unveiling the 2025 Best Lawyers Awards Canada: Celebrating Legal Excellence


by Jennifer Verta

Presenting the 19th edition of The Best Lawyers in Canada and the 4th edition of Best Lawyers: Ones to Watch in Canada.

Digital map of Canadathis on illuminated by numerous bright lights

Legal Distinction on Display: 15th Edition of The Best Lawyers in France™


by Best Lawyers

The industry’s best lawyers and firms working in France are revealed in the newly released, comprehensive the 15th Edition of The Best Lawyers in France™.

French flag in front of country's outline

Presenting the 2025 Best Lawyers Editions in Chile, Colombia, Peru and Puerto Rico


by Jennifer Verta

Celebrating top legal professionals in South America and the Caribbean.

Flags of Puerto Rico, Chile, Colombia, and Peru, representing countries featured in the Best Lawyers

Unveiling the 2025 Best Lawyers Editions in Brazil, Mexico, Portugal and South Africa


by Jennifer Verta

Best Lawyers celebrates the finest in law, reaffirming its commitment to the global legal community.

Flags of Brazil, Mexico, Portugal and South Africa, representing Best Lawyers countries

Announcing the 13th Edition of Best Lawyers Rankings in the United Kingdom


by Best Lawyers

Best Lawyers is proud to announce the newest edition of legal rankings in the United Kingdom, marking the 13th consecutive edition of awards in the country.

British flag in front of country's outline

Prop 36 California 2024: California’s Path to Stricter Sentencing and Criminal Justice Reform


by Jennifer Verta

Explore how Prop 36 could shape California's sentencing laws and justice reform.

Illustrated Hands Breaking Chains Against a Bright Red Background

Announcing the 16th Edition of the Best Lawyers in Germany Rankings


by Best Lawyers

Best Lawyers announces the 16th edition of The Best Lawyers in Germany™, featuring a unique set of rankings that highlights Germany's top legal talent.

German flag in front of country's outline

Celebrating Excellence in Law: 11th Edition of Best Lawyers in Italy™


by Best Lawyers

Best Lawyers announces the 11th edition of The Best Lawyers in Italy™, which features an elite list of awards showcasing Italy's current legal talent.

Italian flag in front of country's outline

Tampa Appeals Court ‘Sends Clear Message,” Ensuring School Tax Referendum Stays on Ballot


by Gregory Sirico

Hillsborough County's tax referendum is back on the 2024 ballot, promising $177 million for schools and empowering residents to decide the future of education.

Graduation cap in air surrounded by pencils and money

Find the Best Lawyers for Your Needs


by Jennifer Verta

Discover how Best Lawyers simplifies the attorney search process.

A focused woman with dark hair wearing a green top and beige blazer, working on a tablet in a dimly

Key Developments and Trends in U.S. Commercial Litigation


by Justin Smulison

Whether it's multibillion-dollar water cleanliness verdicts or college athletes vying for the right to compensation, the state of litigation remains strong.

Basketball sits in front of stacks of money

Woman on a Mission


by Rebecca Blackwell

Baker Botts partner and intellectual property chair Christa Brown-Sanford discusses how she juggles work, personal life, being a mentor and leadership duties.

Woman in green dress crossing her arms and posing for headshot

Best Lawyers Celebrates Women in the Law: Ninth Edition


by Alliccia Odeyemi

Released in both print and digital form, Best Lawyers Ninth Edition of Women in the Law features stories of inspiring leadership and timely legal issues.

Lawyer in green dress stands with hands on table and cityscape in background

The Human Cost


by Justin Smulison

2 new EU laws aim to reshape global business by enforcing ethical supply chains, focusing on human rights and sustainability

Worker wearing hat stands in field carrying equipemtn

Introduction to Demand Generation for Law Firms


by Jennifer Verta

Learn the essentials of demand gen for law firms and how these strategies can drive client acquisition, retention, and long-term success.

Illustration of a hand holding a magnet, attracting icons representing individuals towards a central