EU regulatory oversight
Does this section apply to us?
This section applies if you are a UK-based controller or processor currently carrying out cross-border processing of personal data, across member state borders, but still within the EEA.
You do not need to read this section if you are based only in the UK and your processing of personal data is unlikely to affect individuals in any other EU or EEA state.
How can we prepare?
- Consider whether any of your processing of personal data involves cross-border processing under the GDPR, and if so who your lead supervisory authority is.
- Consider whether you will continue to carry out cross-border processing after the end of the transition period.
- If you will continue to carry out cross-border processing, and your current lead authority is the ICO, review the EDPB guidance, and consider which other EU and EEA supervisory authority will become lead authority at the end of the transition period (if any). You may want to contact them closer to the end of the transition period.
- If you will no longer carry out cross-border processing after the end of the transition period, but your processing will continue to be within the scope of the EU GDPR (for example, if you are ‘targeting’ individuals in the EEA), this could be a key change for your business and you may want to consider its impact.
What is cross-border processing and One-Stop-Shop?
This is a new concept in the GDPR, designed so that controllers and processors inside the EEA which carry out processing that affects individuals in more than one EU or EEA state only need to deal with a single EEA data protection regulatory authority. The EDPB is still working out how it will operate in practice. We are waiting for it to settle its views on this. Participation by the UK in the One-Stop-Shop at the end of the transition period is being discussed between the UK and the EU. We are waiting for further information about this.
Are we carrying out cross-border processing?
In brief, you may currently be carrying out cross-border processing and benefit from the One-Stop-Shop if you have an office, branch or other establishment in the UK and your processing is likely to affect individuals in one or more of the other EU or EEA states, for one of the following reasons:
1. You are processing the same set of personal data in the context of the activities of both your UK establishment and one or more EEA offices, branches, or other establishments.
Example
A fashion retailer:
- has a head office in London which handles all its customer data;
- has a distributor in Paris for French sales; and
- sells only in the UK and France.
Before the end of the transition period, the fashion retailer is cross-border processing its French customer personal data. It is processing that data in the context of both its London head office and Paris distributor.
Or
2. You only have offices, branches or other establishments in the UK, but your processing of personal data is likely to substantially affect data subjects in one or more other EU or EEA states.
Example
A fashion retailer:
- has a single office in London which handles all its customer data; and
- sells via its website to the UK, France and Italy.
Before the end of the transition period, the fashion retailer is cross-border processing in the UK, France and Italy, to the extent the London office’s processing of the customer data substantially affects data subjects in France and Italy.
If you are carrying out cross-border processing, you benefit from the GDPR One-Stop-Shop system. This means a single supervisory authority will act as the lead on behalf of the other EEA supervisory authorities.
It should mean that, regarding your cross-border processing only, you deal with a single lead supervisory authority, which is responsible for regulating your cross-border processing and enforcing the GDPR (including issuing fines), acting on behalf of the other interested EEA authorities. So if you breach the GDPR regarding your cross-border processing, you are only investigated by one supervisory authority and only receive one fine across the EEA.
There are exceptions to this. For example, the lead supervisory authority may agree that another supervisory authority can take its own enforcement action if complaints only come from within the other authority’s jurisdiction.
Examples
Following the example above, the lead supervisory authority for the fashion retailer is the ICO, as its head office is in the UK.
If (before the end of the transition period) there is a data security breach of the fashion retailer relating to UK, French and Italian customers, the ICO would investigate and bring enforcement action, such as a fine.
The French and Italian supervisory authorities would provide input to the ICO investigation and enforcement action, but they would not be able to carry out their own investigation or take independent enforcement action. This means the fashion retailer would receive only a single fine but it would reflect the impact of the breach on individuals in the UK, France and Italy. This is a key benefit of the One-Stop-Shop.
If (before the end of the transition period) a French citizen wants to complain about the fashion retailer regarding a failure to respond to a subject access request, the French citizen may put their complaint to the French supervisory authority. The French authority will contact the ICO, and the ICO may choose to investigate the complaint itself or agree to the French authority investigating.
What is the regulatory impact on cross-border processing?
If you are established in the UK and carry out cross-border processing (as described above), there will be changes to which data protection authorities you need to deal with.
One of four scenarios may apply to you.
Scenario 1
- You are currently cross-border processing in relation to two establishments: one in the UK and one in another EU or EEA state.
- Your processing is not likely to substantially affect individuals in any other EU or EEA state.
After the end of the transition period:
You will no longer be cross-border processing. You will no longer be processing personal data in the context of the activities of establishments in two or more EU or EEA states.
The One-Stop-Shop and lead authority arrangements will no longer apply to your processing. You will have to deal with both the ICO and the supervisory authority in the other EU or EEA state where you are established.
Example
A fashion retailer:
- has a head office in London, which handles all its customer data;
- has a distributor in Paris for French sales; and
- sells only in the UK and France.
Before the end of the transition period:
The fashion retailer is cross-border processing its French customer personal data. It is processing French customer data in the context of both its London head office and Paris distributor.
After the end of the transition period:
The fashion retailer is no longer cross-border processing. It will have only a single EEA establishment (the Paris distributor), which distributes to customers only in France.
If there is a security breach of the retailer’s customer database affecting UK and French customers, it will be investigated by the ICO under UK data protection law and the French supervisory authority under the EU GDPR. The retailer could be fined by both.
Scenario 2
- You are currently cross-border processing for two establishments: one in the UK and one in another EU or EEA state.
- Your processing in the context of the activities of both the UK and EEA establishments is likely to substantially affect individuals in other EU or EEA states.
After the end of the transition period:
Processing in the context of your UK establishment is no longer cross-border processing.
Processing in the context of your EEA establishment, which substantially affects data subjects in other EU or EEA states, will continue to be cross-border processing. Its local supervisory authority will be the lead supervisory authority in the EEA in respect of that cross-border processing.
You will have to deal with both the ICO and the EEA lead supervisory authority.
Example
A fashion retailer:
- has a head office in London, which handles all its customer data;
- has a European distribution centre in Paris; and
- sells online to the UK, France, Italy and Spain.
Before the end of the transition period:
The fashion retailer is cross-border processing its customer data in the context of both the London office and Paris distributor. The ICO is likely to be the lead authority.
After the end of the transition period:
The fashion retailer is no longer cross-border processing in the context of the London office.
The fashion retailer is cross-border processing in the context of the Paris distributor, for French, Italian and Spanish customer data.
The French supervisory authority is the lead authority as the fashion retailer has an establishment only in France.
If there is a security breach of the retailer’s customer database affecting French, Italian and Spanish customers, it will be investigated by the ICO under UK data protection law and the French supervisory authority under the EU GDPR. The retailer could be fined by both.
Scenario 3
- You are currently cross-border processing in relation to three or more establishments: one in the UK and two or more in other EU or EEA states.
- Your processing may or may not substantially affect individuals in any other EU or EEA state.
After the end of the transition period:
The UK establishment is no longer cross-border processing.
Your EU or EEA establishments will still be cross-border processing. You will have to deal with both the ICO and your EEA lead supervisory authority. You should review the EDPB guidance to work out which is your lead authority.
Example
A fashion retailer:
- has a head office in London, which handles all its customer data;
- has a global distribution centre in Paris and a global marketing office in Milan; and
- sells online across the world.
Before the end of the transition period:
The fashion retailer is cross-border processing in the context of the London office, the Paris distributor and Milan office, regarding its customer database. The ICO is likely to be the lead authority.
After the end of the transition period:
The fashion retailer is no longer cross-border processing in the context of its London office.
The fashion retailer continues cross-border processing in the context of its Paris and Milan offices. Its lead authority would be decided based on EDPB guidance. If the largest customer base was in Italy, the Italian supervisory authority would probably be the lead authority.
If there is a security breach of the retailer’s customer database, it will be investigated by the ICO under UK data protection law and the Italian supervisory authority (if it is the lead authority) under the EU GDPR. The retailer could be fined by both.
Scenario 4
- You are currently cross-border processing with an establishment only in the UK, and no establishment in any other EU or EEA state.
- Your processing is likely to substantially affect individuals in one or more other EU or EEA states.
After the end of the transition period: you will not be carrying out cross-border processing under the EU GDPR as you have no office, branch or other establishment in the EEA.
You may still need to comply with the EU GDPR to the extent that your processing relates to the offering of goods or services to, or the monitoring of the behaviour of, individuals in the EEA.
You may have to deal with the ICO and the supervisory authorities in all EU and EEA states where individuals are located if you process their personal data in connection with those activities.
Example
A fashion retailer:
- has a head office that handles all customer data; and
- markets and sells online across Europe.
Before the end of the transition period:
The fashion retailer is cross-border processing across the EEA.
After the end of the transition period:
The fashion retailer is no longer cross-border processing as it has no office, branch or other establishment in the EEA.
All the fashion retailer’s processing of personal data will be subject to the UK GDPR and the oversight of the ICO.
All the fashion retailer’s marketing activities targeting EEA customers will also be subject to the EU GDPR.
If there is a security breach of the fashion retailer’s customer database, it will be investigated by the ICO under UK data protection law. It may also be investigated by any of the EEA authorities if it has affected customers in their member state. In theory, the retailer could be fined by the ICO and the supervisory authority in every EU and EEA state where customers have been affected.
This could be a key change for your business, and you may want to consider how to minimise any risks. For example, you should consider what resources may be needed to deal with enquiries from various EU and EEA supervisory authorities.
After the end of the transition period, the ICO may no longer be part of the One-Stop-Shop. But we will still co-operate and collaborate with European supervisory authorities, as we did before GDPR and the One-Stop-Shop system, regarding any breaches of GDPR that affect individuals in the UK and other EU and EEA states.