Skip to content

Cross-border processing

Companies often have operations in several countries and personal data does not always stay in one country. An instance of personal data processing that has a connection to more than one member state of the EU is called cross-border processing.

If you as a data controller or data processor process personal data in several EU member states, you need to know which supervisory authority you are to have contact with. Your starting point is that you only need to be in contact with one supervisory authority, your so-called lead supervisory authority, for example if you are to report a personal data breach that has connections to several EU member states.

As a data subject you are always able to choose which country's supervisory authority you wish to contact, for example if you wish to complain about how a data controller has processed your personal data. The supervisory authority that you contact will be your contact point in the matter.

 

Cross-border processing is an instance of personal data processing that has a connection to more than one member state because you as a data controller or data processor do one of the following:

  • You process personal data in the context of activities at establishments in more than one member state.
  • You process personal data at a single establishment but to a significant degree affect or are likely to affect data subjects in more than one member state.

You must thus assess whether the data subjects will be affected to a significant degree by your processing of personal data or whether it is likely that they will be affected to a significant degree. To be able to determine this you must weigh in the type of data that the personal data processing comprises, the purpose of the processing and whether the processing will

  • cause harm, loss or emotional distress for individuals
  • affect the individual so that the individual's rights are limited or the individual loses an opportunity
  • affect the individual's health, well-being or security
  • affect the individual's financial status or situation,
  • subject the individual to discrimination or unfair treatment
  • include analysis of sensitive personal data or other intrusive data, in particular children's personal data
  • lead to the data subject significantly changing their behaviour
  • lead to unlikely, unexpected or undesired consequences for the individual
  • give rise to embarrassing situations or other negative outcomes, including damage to reputation
  • involve processing of large amounts of personal data.

Examples of cross-border processing:

  • You have activities both in Sweden and in Slovakia and process personal data in the context of activities at both establishments.
  • You only have operations in Sweden but your personal data processing affects data subjects in both Sweden and Slovakia.

 

As a data controller or data processor you are as a rule to be in contact with only one member state's supervisory authority, the so-called "lead supervisory authority". If you for example suffer a personal data breach that affects your activities in several member states, you only need to report it to your lead supervisory authority. The lead supervisory authority then coordinates investigations that concern other supervisory authorities.

Your lead supervisory authority is where you have your main activities

To know which supervisory authority is your lead supervisory authority you need to determine where your main or only activities are carried out.

If you are a data controller, your main or only establishment is:

where you have your central administration (head office) unless the decisions concerning the purposes and means of the personal data processing are taken at another establishment within the Union and that establishment can have such decisions implemented. If so, that establishment is your main establishment.

If you are a data processor, your main or only establishment is:

where you have your central administration (head office) or, if you do not have any central administration within the Union, your establishment in the Union where the main personal data processing is carried out.

If both data controllers and data processors are involved in the personal data processing, the controller's lead supervisory authority is also the lead supervisory authority for the data processor.

Also note that you can have different lead supervisory authorities for different instances of personal data processing if you decide the purposes and means of personal data processing in different places in the European Union. When you begin a new instance of personal data processing, it is therefore important that you assess which supervisory authority will be your lead supervisory authority.

Consider whether it is possible to allow an establishment to take decisions regarding several different instances of personal data processing. You will then not need to be in contact with several different supervisory authorities for different instances of personal data processing.

The supervisory authorities within the European Union cooperate, for example when we deal with complaints, examine personal data processing and make inspections. If Swedish Authority for Privacy Protection wishes to examine an instance of personal data processing that has been carried out in several member states of the Union, we have to do so together with the other member states' supervisory authorities.

An examination of an instance of cross-border processing is always led by a member state's supervisory authority, the so-called lead supervisory authority, that is in contact with the other member states' supervisory authorities. For the different member states' supervisory authorities to be able to share information with each other effectively, there is a special system for cooperation.

You will always receive information about which supervisory authority is leading the handling of your case.

As a data subject you can always choose which country's supervisory authority you wish to contact, for example if you wish to complain about how a data controller has processed your personal data. If you have requested more information about how a company in France processes your personal data and the French company does not provide the information, you can thus choose whether you wish to contact the supervisory authority in France, Sweden or another member state.

The member state's supervisory authority that you contact will be your contact point in the matter. If you for example submit a complaint to Swedish Authority for Privacy Protection, we inform you of how the matter progresses, even if another member state's supervisory authority is dealing with the matter. As a data subject you will therefore not notice any great difference if Swedish Authority for Privacy Protection or another supervisory authority is responsible for the matter or if a matter is dealt with by several member states' supervisory authorities or only, for example, by Swedish Authority for Privacy Protection.

If Swedish Authority for Privacy Protection deals with a matter jointly with another supervisory authority, we will always inform you of this.

An instance of personal data processing that has a connection to more than one member state of the EU is to be examined jointly by the supervisory authorities concerned by that instance of personal data processing.

Since all member states' supervisory authorities must be given time to assess the matter, it may in some cases take somewhat longer to process cases dealt with jointly by several member states' supervisory authorities.

Swedish Authority for Privacy Protection or the supervisory authority that you contacted if you did not choose Swedish Authority for Privacy Protection will inform you if your case is being handled jointly by several member states' supervisory authorities and how the matter is proceeding.

If the supervisory authorities concerned cannot reach an agreement in a matter, they may in certain cases turn to the European Data Protection Board for help in settling the matter.

 

About the information on this page

If the information in English is different from the Swedish version of this page, the Swedish version applies.

Latest update: 9 September 2021
Page labels Data protection