European Union: Consultation closed on EDPB Guidelines on identifying a Controller or Processor’s lead Supervisory Authority

On 2 December 2022, the public consultation on European Data Protection Board's guidelines on identifying a controller or processor's supervisory authority was closed. The guidelines clarify how the lead supervisory authority is identified in cross-border data processing cases. In particular, the guidelines are expanded to specify that based on the General Data Protection Regulation (GDPR), in cases when the cross border processing is involved, the main establishment is linked to a single controller and cannot be "be extended to a joint controllership". Furthermore, the guidelines note that in cases involving joint controllers, the entities will have to identify the central administration in the EU for both controllers. In cases involving data breaches or investigations, the entities will refer to the supervisory authority where their central administration is established.