Does this section apply to us?

You should read this section if you are a UK-based controller or processor currently carrying out cross-border processing of personal data, across member state borders, but still within the EEA.

You do not need to read this section if you are only based in the UK and your processing of personal data is unlikely to affect individuals in any other EU or EEA state.

What is cross-border processing and One-Stop-Shop?

We will be updating the Guide to GDPR to cover cross-border processing, lead supervisory authorities and One-Stop-Shop. These concepts are designed so that controllers and processors whose processing affects individuals in more than one EU or EEA state only need to deal with a single EEA data protection supervisory authority. This is a new system, so the EDPB is still working out how it will operate in practice. We are waiting for it to settle its views on this.

In brief, you may currently be carrying out cross-border processing if you have an office, branch or other establishment in the UK and your processing is likely to affect individuals in one or more of the other EU or EEA states, because either:

  1. You are processing the same set of personal data in the context of the activities of both your UK establishment and one or more EEA offices, branches, or other establishments.

Example

A fashion retailer:

  • has a head office in London which handles all its customer data;
  • has a distributor in Paris for French sales; and
  • sells only in the UK and France.

Before the UK exits the EU: the fashion retailer is cross-border processing its French customer personal data. It is processing that data in the context of both its London head office and Paris distributor.

Or

  2. You only have offices, branches or other establishments in the UK, but your processing of personal data is likely to substantially affect data subjects in one or more other EU or EEA states.

Example

A fashion retailer:

  • has a single office in London which handles all of its customer data; and
  • it sells via its website to the UK, France and Italy.

Before the UK exits the EU, the fashion retailer is cross-border processing in the UK, France and Italy, to the extent the London office’s processing of the customer data substantially affects data subjects in France and Italy.

If you are carrying out cross-border processing, you benefit from the GDPR One-Stop-Shop system. This means a single supervisory authority will act as the lead on behalf of the other EEA supervisory authorities.

It should mean that, regarding your cross-border processing only, you deal with a single lead supervisory authority, which is responsible for regulating your cross-border processing and enforcing the GDPR (including issuing fines), acting on behalf of the other interested EEA authorities. So if you breach the GDPR regarding your cross-border processing, you are only investigated by one supervisory authority and only receive one fine across the EEA.

There are exceptions to this. For example, the lead supervisory authority may agree that another supervisory authority can take its own enforcement action if complaints only come from within the other authority’s jurisdiction.

Examples:

Following the example above, the lead supervisory authority for the fashion retailer is the ICO, as its head office is in the UK.

If (prior to the UK exiting the EU) there is a data security breach of the fashion retailer relating to UK, French and Italian customers, the ICO would investigate and bring enforcement action, such as a fine.

The French and Italian supervisory authorities would provide input into the ICO investigation and enforcement action, but they would not be able to carry out their own investigation or take independent enforcement action. This means the fashion retailer would only receive a single fine, albeit reflecting the impact of the breach on individuals in the UK, France and Italy. This is a key benefit of the One-Stop-Shop.

If (prior to the UK exiting the EU) a French citizen has a complaint against the fashion retailer regarding a failure to respond to a subject access request, the French citizen may make his/her complaint to the French supervisory authority. The French supervisory authority will contact the ICO, and the ICO may choose to investigate the complaint itself or agree to the French supervisory authority investigating the matter.

What are the key points?

If you are currently established in the UK and carry out cross-border processing (as described above), then four scenarios may apply to you.

Scenario 1

  • You are currently cross-border processing in relation to two establishments: one in the UK and one in another EU or EEA state.
  • Your processing is not likely to substantially affect individuals in any other EU or EEA state.

After exit date:

You will no longer be cross-border processing. You will no longer be processing personal data in the context of the activities of establishments located in two or more EU or EEA states.

The One-Stop-Shop and lead authority arrangements will no longer apply to your processing. You will have to deal with both the ICO and the supervisory authority in the other EU or EEA state where you are established.

Example:

A fashion retailer:

  • has a head office in London which handles all its customer data;
  • has a distributor in Paris for French sales; and
  • sells only in the UK and France.

Before the UK exits the EU:

The fashion retailer is cross-border processing its French customer personal data. It is processing French customer data in the context of both its London head office and Paris distributor.

After the UK exits the EU:

The fashion retailer is no longer cross-border processing. It will only have a single EEA establishment (the Paris distributor), which distributes only to customers in France.

If there is a security breach of the retailer’s customer database impacting UK and French customers, it will be investigated by the ICO under UK data protection law and the French supervisory authority under the EU GDPR, and it could be fined by both.

Scenario 2

  • You are currently cross-border processing in relation to two establishments: one in the UK and one in another EU or EEA state.
  • Your processing in the context of the activities of both the UK and EEA establishment is likely to substantially affect individuals in other EU or EEA states.

After exit date:

Processing in the context of your UK establishment is no longer cross-border processing.

Processing in the context of your EEA establishment, which substantially affects data subjects in other EU or EEA states, will continue to be cross-border processing. Its local supervisory authority will be the lead supervisory authority in the EEA in respect of that cross-border processing.

You will have to deal with both the ICO and the EEA lead supervisory authority.

Example:

A fashion retailer:

  • has a head office in London, which handles all its customer data;
  • has a European distribution centre in Paris; and
  • sells online to the UK, France, Italy and Spain.

Before the UK exits the EU:

The fashion retailer is cross-border processing its customer data in the context of both the London office and Paris distributor. The ICO is likely to be the lead authority.

After the UK exits the EU:

The fashion retailer is no longer cross-border processing in the context of the London office.

The fashion retailer is cross-border processing in the context of the Paris distributor, for French, Italian and Spanish customer data.

The French supervisory authority is the lead authority, as the fashion retailer's only EEA establishment is in France.

If there is a security breach of the retailer's customer database impacting French, Italian and Spanish customers, it will be investigated by the ICO under UK data protection law (because the London head office processes that data) and by the French supervisory authority under the EU GDPR, and the retailer could be fined by both.

Scenario 3

  • You are currently cross-border processing in relation to three or more establishments: one in the UK and two or more in other EU or EEA states.
  • Your processing may or may not substantially affect individuals in any other EU or EEA state.

After exit date:

The UK establishment is no longer cross-border processing.

Your EU or EEA establishments will still be cross-border processing. You will have to deal with both the ICO and your EEA lead supervisory authority. You should review the EDPB guidance to work out which is your lead authority.

Example:

A fashion retailer:

  • has a head office in London, which handles all its customer data;
  • has a global distribution centre in Paris and a global marketing office in Milan; and
  • sells online across the world.

Before the UK exits the EU:

The fashion retailer is cross-border processing in the context of the London office, the Paris distributor and Milan office, in relation to its customer database. The ICO is likely to be the lead authority.

After the UK exits the EU:

The fashion retailer is no longer cross-border processing in the context of its London office.

The fashion retailer continues cross-border processing in the context of its Paris and Milan offices. Its lead authority would be decided based on EDPB guidance. If the largest customer base was in Italy, the Italian supervisory authority would probably be the lead authority.

If there is a security breach of the retailer’s customer database it will be investigated by the ICO under UK data protection law and the Italian supervisory authority (if it is the lead authority) under the EU GDPR, and could be fined by both.

Scenario 4

  • You are currently cross-border processing with an establishment only in the UK, and no establishment in any other EU or EEA state.
  • Your processing is likely to substantially affect individuals in one or more other EU or EEA state.

After exit date: you will not be carrying out cross-border processing under the EU GDPR as you have no office, branch or other establishment in the EEA. 

You may still need to comply with the EU GDPR to the extent that your processing relates to the offering of goods or services to, or the monitoring of the behaviour of, individuals in the EEA.

You may have to deal with the ICO and with the supervisory authorities in every EU and EEA state where the individuals whose personal data you process in connection with those activities are located.

Example

A fashion retailer:

  • has a head office in the UK which handles all customer data; and
  • markets and sells online across Europe.

Before the UK exits the EU:

The fashion retailer is cross-border processing across the EEA.

After the UK exits the EU:

The fashion retailer is no longer cross-border processing as it has no office, branch or other establishment in the EEA.

All the fashion retailer’s processing of personal data will be subject to the UK GDPR and the oversight of the ICO.

All the fashion retailer’s marketing activities targeting EEA customers will also be subject to the EU GDPR.

If there is a security breach of the fashion retailer's customer database it will be investigated by the ICO under UK data protection law. It may also be investigated by any of the EEA authorities if the breach has impacted customers in their member state. In theory, it could be fined by the ICO and by the supervisory authority in every EU and EEA state where customers have been impacted.

This could be a key change for your business, and you may want to consider how to minimise any risks. For example, you should consider what resources may be needed to deal with enquiries from multiple EU and EEA supervisory authorities.

After exit date, the ICO may no longer be part of the One-Stop-Shop. But we will still co-operate and collaborate with European supervisory authorities, as we did before the GDPR and the One-Stop-Shop system, regarding any breaches of the GDPR that affect individuals in the UK and other EU and EEA states.

How can we prepare?

  • You should consider whether any of your processing of personal data involves cross-border processing under the GDPR and, if so, who your lead supervisory authority is.
  • Consider whether you will continue to carry out cross-border processing after exit date.
  • If you will continue to carry out cross-border processing, and your current lead authority is the ICO, review the EDPB guidance, and consider which other EU and EEA supervisory authority will become lead authority on exit date (if any). You may want to contact them closer to exit date.
  • If you will no longer carry out cross-border processing after exit date, but your processing will continue to be within the scope of the EU GDPR (for example, if you are “targeting” individuals in the EEA), this could be a key change for your business and you may want to consider its impact.