Competence, the one-stop shop and the lead supervisory authority
Each DPA is competent in its own territory. For cross-border processing, the lead supervisory authority - the DPA of the controller/processor's main establishment - has competence: the one-stop shop. Main establishment turns on where decision-making over purposes and means happens; cross-border processing covers multiple establishments or single-establishment processing that substantially affects data subjects in more than one member state. Non-lead DPAs can act only via the Article 56(2) carve-outs. Since Brexit, the one-stop shop does not apply in the UK.
Competence starts territorially: a DPA regulates controllers/processors established in its territory, or those established elsewhere where there is an effect in its territory. For cross-border processing, competence shifts to the lead supervisory authority - the DPA of the main establishment (Art 56) - which becomes the sole interlocutor (Art 56(6)).
- Cross-border processing (Art 4(23)) = (a) processing across establishments in more than one member state, OR (b) single-establishment processing that substantially affects data subjects in more than one member state
- Main establishment (Art 4(16)) = for controllers, where decisions on purposes and means are taken (usually central administration); for processors, the location of main processing activities
- Article 56(2) carve-out = a non-lead DPA may act where a complaint concerns only an establishment in its territory or substantially affects individuals only there (it must notify the lead authority)
- Cross-border rules do not apply to public authorities/bodies processing under a legal obligation, in the public interest, or for an official function (Art 55(3))
Since the UK left the EU, the one-stop shop and cross-border processing rules do not apply in the UK. A controller/processor must work out whether it is subject to the EU GDPR, the UK GDPR, or both.