EBF advisor: Noémie Papp
Publication date: 15 February 2017
The European Banking Federation (EBF) welcomes the possibility given to provide comments on the Guidelines prepared by the Article 29 Data Protection working party on the lead supervisory identification – one stop shop.
Cross-border processing of personal data
Regarding the second-last paragraph of A of I – “Cross-border processing of personal data” and the factors listed concerning the potential impact of processing to help the Supervisory Authorities to interpret ‘substantially affects’ on a case by case basis, the EBF would welcome further clarifications regarding the meaning of “change their behaviour in a significant way” and “wide range of personal data”.
Lead supervisory authority
We believe that for companies’ part of a group, the principle of “one stop shop” as presented in the guidelines is likely to result in a stalemate in practice considering that as by way of derogation to the “one stop shop” principle, the General Data Protection Regulation (GDPR) allows a non-lead Supervisory Authority to act as a lead Supervisory Authority when handling local cases.
It remains unclear whether the lead supervisory authority is the exclusive point of contact for the data controller for all matters concerning the respective cross-border processing activity or whether the lead supervisory authority will be involved only via the other supervisory authorities. In our views, the lead supervisory authority should be involved via other local supervisory authorities.
Based on the framework described in the Guidelines, it seems that there will be many cases of overlapping responsibilities that will have to be solved through cooperation between the supervisory authorities.