Does the GDPR Disadvantage Non-E.U. Companies? Addressing the Lead Supervisory Authority Dilemma (Part Two)

Companies without an E.U. establishment are subject to the GDPR if they market their goods or services in the E.U., but they face greater burdens under the law than those with a single or main E.U. establishment, and they are legally incapable of designating a lead supervisory authority. Companies with more than one E.U. establishment, on the other hand, must identify the correct lead supervisory authority. In this second installment of a guest article series, Frank Fine, director at EC Competition Law Advocates in Brussels, lays out the unintended consequences of the differential treatment of companies without an E.U. establishment, and provides steps companies with more than one E.U. establishment can take to determine their lead supervisory authority. The first article addressed how a lead authority is established and the disadvantages of having no lead authority, including the prospect of defending multiple, parallel investigations by DPAs involving the same conduct, and thus, greater fines. See also CSLR’s three-part series on GDPR essentials for the financial sector: “Benchmarking and Assessing the Risks” (Jul. 11, 2018); “Compliance Steps” (Jul. 18, 2018); and “Staying Compliant and Special Challenges” (Jul. 25, 2018).

To read the full article

Continue reading your article with a CSLR subscription.