Learn which factor is not relevant when a lead supervisory authority assesses the location of a data controller’s main establishment under GDPR. Discover key criteria like decision-making and director responsibility.
Table of Contents
Question
Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in Greece (5), Italy (15) and Spain (1), have registered their most profitable results ever. To celebrate this achievement, ARRA Hotels’ Human Resources office, based in ARRA’s main Italian establishment, has organized a team event for its 420 employees and their families at its hotel in Spain.
Upon arrival at the hotel, each employee and family member is given an electronic wristband at the reception desk. The wristband serves a number of functions:
- Allows access to the “party zone” of the hotel, and emits a buzz if the user approaches any unauthorized areas
- Allows up to three free drinks for each person of legal age, and emits a buzz once this limit has been reached
- Grants a unique ID number for participating in the games and contests that have been planned.
Along with the wristband, each guest receives a QR code that leads to the online privacy notice describing the use of the wristband. The page also contains an unchecked consent checkbox. In the case of employee family members under the age of 16, consent must be given by a parent.
Among the various activities planned for the event, ARRA Hotels’ HR office has autonomously set up a photocall area, separate from the main event venue, where employees can come and have their pictures taken in traditional carnival costume. The photos will be posted on ARRA Hotels’ main website for general marketing purposes.
On the night of the event, an employee from one of ARRA’s Greek hotels is displeased with the results of the photos in which he appears. He intends to file a complaint with the relevant supervisory authority in regard to the following:
- The lack of any privacy notice in the separate photocall area
- The unlawful cross-border processing of his personal data
- The unacceptable aesthetic outcome of his photos
Assuming that there is a cross-border processing of personal data, which of the following criteria would NOT be useful to the lead supervisory authority responsible for the Greek employee’s complaint when trying to determine the location of the controller’s main establishment?
A. Where the controller is registered as a company.
B. Where the processor is registered as a company.
C. Where decisions about the processing activities are made.
D. Where the director with responsibility for processing activities is located.
Answer
B. Where the processor is registered as a company.
Explanation
Under the GDPR, the lead supervisory authority responsible for handling a complaint is determined based on the location of the controller’s main establishment, not the processor’s. The other three criteria are relevant factors in assessing the controller’s main establishment:
A. Where the controller is registered as a company can indicate its central administration and main establishment.
C. Where decisions about the processing activities are made is a key factor, as the main establishment is where key decisions are taken.
D. Where the director with responsibility for processing activities is located also points to where central management and decision-making occurs.
However, the location where a separate processor entity is registered is not a relevant consideration for determining the controller’s main establishment and thus lead supervisory authority. Controllers and processors are distinct under GDPR, each with their own obligations. The processor’s location does not determine the controller’s for jurisdictional purposes.
Therefore, when assessing which supervisory authority should take the lead on the Greek employee’s GDPR complaint, the location of ARRA Hotels’ processor would not be a useful criterion. The lead authority will be where ARRA Hotels has its central administration and decision-making, likely its main Italian establishment in this case.
IAPP CIPP-E certification exam assessment practice question and answer (Q&A) dump including multiple choice questions (MCQ) and objective type questions, with detail explanation and reference available free, helpful to pass the IAPP CIPP-E exam and earn IAPP CIPP-E certification.