As your business grows to operate internationally, or if you are already operating internationally, you must establish the lead supervisory authority and document this.
Article 4(23) of the GDPR defines "Cross-Border processing" as:
What this means is that if you process data related to individuals in both the UK and another EU country, for example Spain, then this constitutes cross-border processing.
Equally, if you only process data in the UK, but this processing affects individuals in both the UK and Spain, this will also constitute cross-border processing.
The GDPR does not define "substantial" or "affects". This was deliberately left out to ensure that not every processing activity with any effect at all falls within the definition.
Taking the Oxford English Dictionary definitions of "substantial" and "affects", the interpretation suggests that for data processing to affect someone, it must have some sort of impact on them. Processing that does not have a substantial effect on individuals is therefore NOT caught by the second definition of cross-border processing; however, it would still fall under the first definition if the processing occurs in more than one EU country, as described above.
Processing can fall under the second definition if it is "more likely than not" to have a substantial effect. Note that the individual does not actually have to be affected: the likelihood of a substantial effect is enough to bring the processing under the second definition.
Lead supervisory authority
The lead supervisory authority is the supervisory authority of the EU country where your main establishment is located, or where decisions about the processing of personal data are made and implemented.
This is important because it is the authority to which an individual should direct a complaint about data processing, and it is the authority that will lead the investigation of that complaint.
The lead supervisory authority is chosen by the data controller, but this choice can be challenged by the supervisory authority afterwards.
The GDPR does not permit "forum shopping", where a company claims to have its main processing operations in a member state in which no real operations take place. In that case, the supervisory authorities will form their own view and ultimately decide which supervisory authority is responsible.
Article 4(16) of the GDPR states that ‘main establishment’ means:
"as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;"
"as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation"
Companies not in the EU
The GDPR consistency mechanism only applies to data controllers that operate within the EU. If the company does not have an establishment within the EU, the mere presence of a representative in a member state does not trigger the one-stop shop described above. This means organisations without an establishment in the EU must deal with each local supervisory authority in every member state they are active in, through their local representative.
The GDPR comes into force on 25th May 2018.