Good morning,
I am running into a random roadblock with ensuring that my company is GDPR compliant - I can't figure out who my Supervisory Authority (SA) is! As an American company, based in the States, but storing PII that includes members living in the EU, I know I have a reporting responsibility if a breach occurs, but I am at a loss of determining who my SA is. For each EU state the SA is publicly listed, but I have been unable to determine the SA in my case. As a customer of the DoD, I assumed it would be the DoD, but haven't been able to confirm that.
Short answer (and most likely to be correct) would be ‘wherever you have your main establishment in the EU, their SA will be your lead SA’; however, this may not be the case in some circumstances, and if it’s the UK, well, that’s going to be interesting.
Working Party 29 guidance should help you here:
http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611235
Hope this helps, but like anything legal, if in doubt speak to a lawyer with domain expertise.
On a slightly funny note, I very much doubt that the EDPB is going to accept the DoD as a SA, unless The President decides he’d like the USA to join the EU, or at least be part of the EEA - though the thought gave me a chuckle.
@N_Bakewell wrote: Good morning,
I am running into a random roadblock with ensuring that my company is GDPR compliant - I can't figure out who my Supervisory Authority (SA) is! As an American company, based in the States, but storing PII that includes members living in the EU, I know I have a reporting responsibility if a breach occurs, but I am at a loss of determining who my SA is. For each EU state the SA is publicly listed, but I have been unable to determine the SA in my case. As a customer of the DoD, I assumed it would be the DoD, but haven't been able to confirm that.
That's a very interesting concept. What happens if you're just a foreign (according to the EU) online entity with no physical or contractual footprint in the EU?
I've asked the ICO for clarification. But yes, it is an unclear concept - we have teleworking employees, who are US citizens residing in certain EU states temporarily but are not citizens of that EU state.
US citizens staying/residing in the EU would be considered as subjects under the GDPR, while EU citizens in the US would not be. This is a good summation:
https://cybercounsel.co.uk/data-subjects/
If you have a few folks covered, then how many workers, how long do they stay and what’s the risk? If you are not processing lots of personal data and have good security and privacy controls you probably do enough; it’s just verifying that (and getting a legal person to provide you a proper opinion).
If your website can be reached from the EU, the chances are you are providing some sort of service to some natural persons living in the EU, so you probably need to work out who your SA of choice would be: do your gap analysis, data inventory, break it down into elements, DPIA/PIA etc. Tell your DLP what to look for, make sure you have the right security posture (patch, MFA etc.), and know where Personal Data is; then you probably do enough. Record it for accountability even if you think you are not covered:
‘Based on the General Counsel’s advice we are probably not processing personal data because x, y, z. However, if we were, our lead SA would be the Irish one because 1, 2, 3...’
Or just bite the bullet and away you go trying to get/stay compliant; you’ll need to do similar for privacy under US state law and the FTC etc. in any case, and doing them together would make sense if you have good document/records hygiene and an understanding of your privacy needs.