The GDPR is a very complex piece of legislation which regulates a few important principles. And the considerations do not make it any better. One example of a very knotty consideration is recital 36, which gives some idea of who the competent lead supervisory authority (CLSA) is in a given case.
It uses 339 words to tell you this:
– In principle the CLSA is the supervisor of the EU member state in which your (the controller’s) main establishment is. This ‘should be’ the place of its central administration in the Union.
– If the decisions on the purposes and the means of the processing of another country are taken in another establishment of the controller (you, your company), then that other establishment is to be considered the main establishment, and the CLSA is the CLSA of the country of that establishment.
The main establishment of the processor (not the controller, mind) is also the place of its central administration in the Union or, if it doesn't have that, the establishment where the main processing activities take place in the Union. If both the controller and the processor are involved, the CLSA remains the supervisory authority where the controller has its main establishment.
The supervisory authority of the processor is the supervisory authority concerned (which has a different role than the CLSA) and should participate in the cooperation procedure that the GDPR provides for.
The rules of the one-stop-shop principle are so complicated that it takes a 12-page document to explain it all. It makes for a better read than article 36 though, and it gives some nice examples to give you some insight. I would really recommend it.