Article 55 & 56 deals with the detailed provisions of competency of supervisory and lead supervisory authority (hereinafter referred to as LSA). Often LSA is misunderstood, hence, to make this very clear we would like to bring all the attention to the words “Cross-Border” processing. The question of LSA arises (please read article 56 as well which provides when LSA can act or handle for Supervisory authority) when the data is being processed at several geographical locations and LSA becomes a primary contact for all the data processing related activities.
The competency of Supervisory Authority
The provisions of GDPR u/art.55 provides that the Supervisory authority must be competent in order to perform the task it has been assigned, apart from that the authority must be competent to exercise the powers it has been conferred on it as per the provisions of GDPR on the territory of its own member state. However, Supervisory authorities are not competent to supervise the processing operations of courts acting in their judicial capacity.
Lead Supervisory Authority
The question of lead supervisory authority arises when a controller or processor operates in several geographical locations, they can choose or appoint single supervisory authority as their lead supervisory authority, upon such appointment the LSA becomes the primary contact for GDPR compliance matters such as appointment of data protection officer (DPO), notifier in case of data breach etc.
Article 56 of the GDPR speaks about the competency of the lead supervisory authority. And declares the LSA as a competent authority to act so for the cross-border processing activities carried out by that controller or processor. It further provides that each LSA shall be competent to handle a complaint lodged with it or any possible infringement of GDPR.
However, if subject matter relates only to an establishment in its member state or substantially affects data subject only in its member state then the supervisory authority must inform the LSA without delay on that matter. LSA will have a total 3 weeks time within which it has to decide whether or not it will handle the case in accordance with the procedure as provided u/art.60 of the GDPR. In case the LSA decides to handle the case then the procedure of Art.60 shall be followed and when it decides to not to handle then the procedure of 61 and 62 shall be applied and handled by the Supervisory authority.
It is must to remember that the LSA shall be the sole interlocutor of the controller or processor for the cross border processing conducted by the controller or processor.
Picture Credit- https://www.businessmanagementdaily.com/