What happens if my company processes data in different EU Member States?

The General Data Protection Regulation (GDPR) applies throughout the EU – one set of data protection rules for all EU Member States. This spares your company/organisation the need to get to grips with several different laws. In certain areas, EU Member States can further specify the application of the rules of the GDPR (for example employment rules; public health sector; rules on reconciliation between freedom of expression and data protection). The GDPR also introduces the so called ‘one-stop-shop’ mechanism, which ensures cooperation between the Data Protection Authorities (DPAs) in the case of cross-border processing.

If your company/organisation  is processing data in different countries, the competent DPA – which will be the lead authority in its dealings with other concerned DPAs in the EU – is the DPA of the EU Member State where it has the main establishment. This is identified as the company/organisation's central administration in the EU unless decisions about the purposes and means of processing of personal data are taken in another establishment and that establishment has the power to implement those decisions.

If your company/organisation  processes data in order to fulfil an obligation under the national law of an EU Member State, only the DPA of that EU Member State is competent.

A textile company’s main establishment (that is to say its headquarters) is in Italy. It has satellite shops in neighbouring countries such as Malta, Greece, France and Austria. In those neighbouring countries, its satellite shops set up databases which process customers’ personal data for marketing purposes. However, the decisions on ‘how’ to contact the said customers, ‘when’ and ‘why’ are taken at the headquarters in Italy. Thus, in this case, the decision on the processing of personal data for marketing purposes is deemed to be made in Italy. The Italian DPA is the lead authority for your company/organisation.

• EDPB Guidelines on the Lead Supervisory Authority and its annex
• Article 4(23), Articles 55, 56 and Articles 60 to70 and Recitals (124) (140) of the GDPR