The European Data Protection Board (EDPB) adopted an opinion on the competence of national supervisory authorities when an organisation changes its main or single establishment in the EEA, for example when an organisation’s main establishment moves to another EEA state or a non-EEA entity moves its establishment outside the EEA.
The Opinion provides guidance on the circumstances in which the competence of the lead supervisory authority can be transferred to another supervisory authority. In such scenarios, the cooperation procedure under Article 60 GDPR will continue to apply and the new supervisory authority will be under an obligation to cooperate with the former supervisory authority and other supervisory authorities to reach a consensus.
Where an organisation’s main establishment is relocated to another EEA country, the competence of the first supervisory authority will cease from the moment the transfer becomes effective and notified to the supervisory authorities. Any pending procedures will be transferred by the former supervisory authority to a new supervisory authority in the state where the organisation has its new main establishment. This supervisory authority will become the lead supervisory authority. If a case is on-going, a transfer of competence will only occur if a final decision has not yet been made. This will allow companies to benefit from the one-stop-shop provisions of the GDPR. However, if an organisation’s establishment is moved to a country outside the EEA, all relevant supervisory authorities will regain full jurisdiction and the one-stop-shop provisions of the GDPR will not apply.