
Cross-border processing

Personal data processing connected to several EU member states.

Companies often have operations in several countries and personal data does not always stay in one country. An instance of personal data processing that has a connection to more than one member state of the EU is called cross-border processing.

If you as a data controller or data processor process personal data in several EU member states, you need to know which supervisory authority you are to be in contact with. The starting point is that you should only need to deal with one supervisory authority, your so-called lead supervisory authority, for example if you are to report a personal data breach that has connections to several EU member states.

As a data subject you are always to be able to choose which country's supervisory authority you wish to contact, for example if you wish to complain about how a data controller has processed your personal data. The supervisory authority that you contact will be your contact point in the matter.

It probably takes longer to deal with cross-border cases

An instance of personal data processing that has a connection to more than one member state of the EU is to be examined jointly by the supervisory authorities concerned by that instance of personal data processing. Since all member states' supervisory authorities must be given time to assess the matter, it may in some cases take somewhat longer to process cases dealt with jointly by several member states' supervisory authorities. The Swedish Data Protection Authority, or the supervisory authority that you contacted if you did not choose the Swedish Data Protection Authority, will inform you if your case is being handled jointly by several member states' supervisory authorities and how the matter is proceeding. If the supervisory authorities concerned cannot reach agreement in a matter, they may in certain cases apply to the European Data Protection Board for help in settling the matter.

What is considered cross-border processing?

Cross-border processing is an instance of personal data processing that has a connection to more than one member state because you as a data controller or data processor do one of the following:

  • You process personal data in the context of activities at establishments in more than one member state.
  • You process personal data at a single establishment but to a significant degree affect or are likely to affect data subjects in more than one member state.

You must thus assess whether the data subjects will be affected to a significant degree by your processing of personal data or whether it is likely that they will be affected to a significant degree. To be able to determine this you must take into account the type of data that the personal data processing comprises, the purpose of the processing and whether the processing will:

  • cause harm, loss or emotional distress for individuals
  • affect the individual so that the individual's rights are limited or the individual loses an opportunity
  • affect the individual's health, well-being or security
  • affect the individual's financial status or situation
  • subject the individual to discrimination or unfair treatment
  • include analysis of sensitive personal data or other intrusive data, in particular children's personal data
  • lead to the data subject significantly changing their behaviour
  • lead to unlikely, unexpected or undesired consequences for the individual
  • give rise to embarrassing situations or other negative outcomes, including damage to reputation
  • involve processing of large amounts of personal data.

Examples of cross-border processing:

  • You have activities both in Sweden and in Slovakia and process personal data in the context of activities at both establishments.
  • You only have operations in Sweden but your personal data processing affects data subjects in both Sweden and Slovakia.

Contact the lead supervisory authority

As a data controller or data processor you are as a rule to be in contact with only one member state's supervisory authority, the so-called "lead supervisory authority". If you for example suffer a personal data breach that affects your activities in several member states, you only need to report it to your lead supervisory authority. The lead supervisory authority then coordinates investigations that concern other supervisory authorities.

Your lead supervisory authority is where you have your main activities

To know which supervisory authority is your lead supervisory authority you need to determine where your main or only activities are carried on.

If you are a data controller, your main or only establishment is:

where you have your central administration (head office) unless the decisions concerning the purposes and means of the personal data processing are taken at another establishment within the Union and that establishment can have such decisions implemented. If so, that establishment is your main establishment.

If you are a data processor, your main or only establishment is:

where you have your central administration (head office) or, if you do not have any central administration within the Union, your establishment in the Union where the main personal data processing is done.

If both data controllers and data processors are involved in the personal data processing, the controller's lead supervisory authority is also the lead supervisory authority for the data processor.

Also note that you can have different lead supervisory authorities for different instances of personal data processing if you decide the purposes and means of personal data processing in different places in the European Union. When you begin a new instance of personal data processing, it is therefore important that you assess which supervisory authority will be your lead supervisory authority.

Consider whether it is possible to allow an establishment to take decisions regarding several different instances of personal data processing. You will then not need to be in contact with several different supervisory authorities for different instances of personal data processing.

The supervisory authorities in the EU cooperate

The supervisory authorities within the European Union cooperate, for example when we deal with complaints, examine personal data processing and make inspections. If the Swedish Data Protection Authority wishes to examine an instance of personal data processing that has been carried out in several member states of the Union, we have to do so together with the other member states' supervisory authorities.

An examination of an instance of cross-border processing is always led by a member state's supervisory authority, the so-called lead supervisory authority, that is in contact with the other member states' supervisory authorities. For the different member states' supervisory authorities to be able to share information with each other effectively, there is a special system for cooperation.

A matter may be dealt with by a supervisory authority other than the lead supervisory authority if the issue in the matter concerns data subjects in a particular member state. In such local cases, it is up to the lead supervisory authority to decide whether they wish to deal with the matter themselves or if they wish to transfer it to the supervisory authority in the member state where the activities that the matter concerns are carried on. You will always receive information about which supervisory authority is leading the handling of your case.

As a data subject you can contact any supervisory authority

As a data subject you can always choose which country's supervisory authority you wish to contact, for example if you wish to complain about how a data controller has processed your personal data. If you have asked to receive more information about how a company in France processes your personal data and the French company does not provide the information, you can thus choose whether you wish to contact the supervisory authority in France, Sweden or another member state.

The member state's supervisory authority that you contact will be your contact point in the matter. If you for example submit a complaint to the Swedish Data Protection Authority, we inform you of how the matter progresses, even if another member state's supervisory authority is dealing with the matter. As a data subject you will therefore not notice any great difference whether the Swedish Data Protection Authority or another supervisory authority is responsible for the matter or if a matter is dealt with by several member states' supervisory authorities or only, for example, by the Swedish Data Protection Authority.

If the Swedish Data Protection Authority deals with a matter jointly with another supervisory authority, we will always inform you of this.

Swedish version
If the information in other languages differs from the Swedish version, it is the Swedish version that applies.