The competent lead supervisor authority, or the one-stop-shop system of recital 36 GDPR

The GDPR is a very complex piece of legislation which regulates a few important principles, and the recitals (the "considerations" that precede the articles) do not make it any simpler. One example of a very knotty recital is recital 36, which gives some indications as to who the competent lead supervisor authority (CLSA) is in a given case.

It uses 339 words to tell you this:
– In principle the CLSA is the supervisor authority of the EU member state in which your (the controller’s) main establishment is. This ‘should be’ the place of its central administration in the Union.
– If the decisions on the purposes and the means of the processing are taken in another establishment of the controller (you, your company) in another country, then that other establishment is to be considered the main establishment, and the CLSA is the supervisor authority of the country of that establishment.
– The main establishment of the processor (not the controller, mind) is also the place of its central administration in the Union. If it doesn’t have that, it is the establishment where the main processing activities take place in the Union. If both the controller and the processor are involved, the CLSA remains the supervisor authority of the member state where the controller has its main establishment.
– The supervisor authority of the processor is a ‘supervisory authority concerned’ (which has a different role than the CLSA) that should participate in the cooperation procedure the GDPR provides for.

The rules of the one-stop-shop principle are so complicated that it takes a 12-page document to explain it all. It makes for a better read than recital 36 though, and it gives some nice examples that provide some insight. I would really recommend it.

One real myth: under the GDPR noreply emails aren’t allowed anymore.

There is this persistent myth that it is not allowed, under the GDPR, to use a noreply email address when you mail someone. But this isn’t so. The GDPR’s articles don’t mention email a single time. It is mentioned once in recital 23, but that paragraph is about preventing a natural person from being deprived of their rights under the GDPR in those cases where a controller or processor resides or operates outside of the Union.
Apart from the GDPR, it can still be the case that national legislators have forbidden it.