Representative & lead supervisory authority
Controllers or processors established in the Island and subject to the GDPR may be required to designate, in writing, a representative in the European Union. (Article 27)
A representative must be established in one of the Member States where the data subjects, about whom personal data is processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are resident.
The representative shall be responsible, in addition to, or instead of, the controller or the processor, for responding to supervisory authorities and data subjects on all issues related to processing, for the purposes of ensuring compliance with the GDPR.
In practical terms this means that the processing of personal data of EU residents may be subject to regulation by the supervisory authority of the representative's EU Member State. In most cases it is expected that the supervisory authority will be the UK's Information Commissioner. However, this will change once the UK has withdrawn from the EU.
The data controller must determine in which EU Member State their representative should be based, if one is required - this should be a matter of fact based on the business model and individuals targeted.
Lead supervisory authority
Guidelines on 'identifying the lead supervisory authority' were adopted by the Article 29 Working Party in April 2017.
Paragraph 1.2 of those guidelines states:
"Put simply, a ‘lead supervisory authority’ is the authority with the primary responsibility for dealing with a cross-border data processing activity, for example when a data subject makes a complaint about the processing of his or her personal data. The lead supervisory authority will coordinate any investigation, involving other ‘concerned’ supervisory authorities. Identifying the lead supervisory authority depends on determining the location of the controller’s ‘main establishment’ or ‘single establishment’ in the EU."
Paragraph 3.3 of those guidelines, which explains the effect on companies not established within the EU, states:
"The GDPR’s cooperation and consistency mechanism only applies to controllers with an establishment, or establishments, within the European Union. If the company does not have an establishment in the EU, the mere presence of a representative in a Member State does not trigger the one-stop-shop system. This means that controllers without any establishment in the EU must deal with local supervisory authorities in every Member State they are active in, through their local representative."