The jurisdiction of the supervisory authorities under GDPR

According to Art. 55 GDPR, each supervisory authority is responsible for its own jurisdiction (territory). In addition, however, the lead supervisory authority (the so-called one-stop shop) is responsible for the main branch in the European Union (defined in Art. 4 No. 16 GDPR) or the only branch in the EU (defined in recital 22). Independent subsidiaries of foreign companies are considered branches.

According to ePrivacy’s current state of knowledge, the jurisdiction of the supervisory authority is not determined by the location of the representative under Art. 27 GDPR, since Art. 56 GDPR provides for the one-stop shop (a lead supervisory authority) only where a branch exists. The representative, however, does not constitute a branch within the meaning of recital 22.

It is still unclear to which data protection authority in the EU the data protection officer of a company must be reported in accordance with Art. 37 Para. 7 GDPR. Apparently, the data protection officer can be reported to any authority within the EU.