The Article 29 Working Party (Art. 29 WP) on Data Protection has issued guidelines (16/EN WP 244 rev 01) to facilitate the identification or designation of the national lead (data protection) authority in, among others, borderline cases for joint controller situations, and also for processors and their competent lead supervisory authority.
In the case of joint data controllers, Art. 26(1) and Recital 79 of the GDPR require the controller to designate (among the establishments where decisions are taken) which establishment of the joint controllers will have the power to implement decisions about processing with respect to ALL joint controllers. NB: this is without prejudice to the liability rules under the GDPR, of course.
In borderline cases (i.e. the controller is established in several Member States, has no central administration in the EU because decisions are taken exclusively outside the EU, and none of the EU establishments takes decisions about the processing), the controller company or companies have every interest in designating the lead authority in advance. Failing that, the process via the European Data Privacy Board will be triggered, which is a lengthy procedure before a decision is taken…
For processors with establishments in more than one EU state, the GDPR provides for the same principle as for the controller in Art. 4(16)(b): the place of the central administration of the processor in the EU (or else where the main processing activities are situated).
However, for a situation where both controller AND processor are involved, Recital 36 GDPR refers to the lead supervisory authority for the controller. The processor's supervisory authority will here take the role of a supervisory authority concerned, and will cooperate in the procedure.
This situation will arise often, as it is the situation of a large cloud-services provider.
This also means that the processor may have to deal with multiple supervisory authorities, which is a complex and expensive procedure.