Rina Steenkamp - Privacy and technology
Chapter VII Co-operation and consistency
1. Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, or where personal data of the residents of several Member States are processed, the supervisory authority of the main establishment of the controller or processor shall act as the lead authority responsible for the supervision of the processing activities of the controller or the processor in all Member States, in accordance with the provisions of Chapter VII of this Regulation.
2. The lead supervisory authority shall take appropriate measures for the supervision of the processing activities of the controller or processor for which it is responsible only after consulting all other competent supervisory authorities within the meaning of paragraph 1 of Article 51 in an endeavour to reach a consensus. For that purpose it shall in particular submit any relevant information and consult the other authorities before it adopts a measure intended to produce legal effects vis-à-vis a controller or a processor within the meaning of paragraph 1 of Article 51. The lead authority shall take the utmost account of the opinions of the authorities involved. The lead authority shall be the sole authority empowered to decide on measures intended to produce legal effects as regards the processing activities of the controller or processor for which it is responsible.
3. The European Data Protection Board shall, at the request of a competent supervisory authority, issue an opinion on the identification of the lead authority responsible for a controller or processor, in cases where:
3a. Where the controller exercises also activities as a processor, the supervisory authority of the main establishment of the controller shall act as lead authority for the supervision of processing activities.
4. The European Data Protection Board may decide on the identification of the lead authority.
[Source: October 2013]
(97) Where the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union takes place in more than one Member State, one single supervisory authority should act as the single contact point and the lead authority responsible for supervising the controller or processor throughout the Union and taking the related decisions, in order to increase the consistent application, provide legal certainty and reduce administrative burden for such controllers and processors.
(98) The lead authority, providing such one-stop shop, should be the supervisory authority of the Member State in which the controller or processor has its main establishment or its representative. The European Data Protection Board may designate the lead authority through the consistency mechanism in certain cases on the request of a competent authority.
(98a) Data subjects whose personal data is processed by a data controller or processor in another Member State should be able to complain to the supervisory authority of their choice. The lead data protection authority should coordinate its work with that of the other authorities involved.
[Source: October 2013 | Notes: Recitals | Context: Recitals]
(97) Where the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union takes place in more than one Member State, one single supervisory authority should be competent for monitoring the activities of the controller or processor throughout the Union and taking the related decisions, in order to increase the consistent application, provide legal certainty and reduce administrative burden for such controllers and processors.
(98) The competent authority, providing such one-stop shop, should be the supervisory authority of the Member State in which the controller or processor has its main establishment.