Today, it can easily happen that a data protection breach involves data processing in several Member States parallelly and data subjects resident in several Member States.
This can be imagined, for example, in the case of webshops, cross-border services or various processes that involve different data controllers and processors. If a data protection incident is so serious that it needs to be reported to an authority, the question arises of which authority should be notified?
Two concepts in the GDPR help us with this, one is the supervisory authority, the other is the lead supervisory authority.
The reason for the distinction between a “simple” supervisory authority and a “lead” supervisory authority is that the GDPR has intended to create a “one-stop-shop” procedure for cross-border data processing in order to avoid parallel and competing procedures being conducted by different Member State authorities.
Watch this PrivacyEspresso to clarify these concepts and to understand which authority you should notify in a cross-country case.