IAPP CIPP-E: What is the Lead Supervisory Authority for SaaS Service Offered by EU Company?

Understand how to determine the lead supervisory authority under GDPR for a SaaS service offered by a private company with establishments in multiple EU countries. Learn the key factors that impact which data protection authority takes the lead role.

Question

A private company has establishments in France, Poland, the United Kingdom and, most prominently, Germany, where its headquarters is established. The company offers its services worldwide. Most of the services are designed in Germany and supported in the other establishments. However, one of the services, a Software as a Service (SaaS) application, was defined and implemented by the Polish establishment. It is also supported by the other establishments.

What is the lead supervisory authority for the SaaS service?

A. The supervisory authority of Germany at federal level.
B. The supervisory authority of Germany at regional level.
C. The supervisory authority of the Republic of Poland.
D. The supervisory authority of the European Union.

Answer

C. The supervisory authority of the Republic of Poland.

Explanation

Under the EU General Data Protection Regulation (GDPR), the lead supervisory authority for cross-border data processing is determined by the location of the controller’s “main establishment” or “single establishment” in the EU. This is defined as the place where the main decisions about the purposes and means of the data processing take place.

In this scenario, while the company’s overall headquarters is in Germany, the SaaS service in question was “defined and implemented” by the Polish establishment. This suggests that the key decisions about the purposes and means of processing personal data for this specific service were made in Poland.

The fact that the Polish establishment receives support from the company’s other EU establishments does not change the conclusion that the Polish supervisory authority is the lead authority for this particular service. The GDPR provides a “one-stop shop” mechanism under which the supervisory authority of the main establishment acts as the lead authority for that specific cross-border processing activity.

Germany would not be the lead supervisory authority in this case, either at the federal level (answer A) or the regional level (answer B), because the main establishment for the SaaS service is in Poland, not Germany.

The European Data Protection Board (answer D) serves to ensure consistent application of the GDPR across the EU, but it does not serve as a lead supervisory authority for individual controllers. That role falls to the national supervisory authorities.

Therefore, based on the information provided, the Polish supervisory authority would be the lead authority for matters related to this SaaS service and any cross-border processing it entails.
