
The General Data Protection Regulation brings good news for multinationals


INTRODUCTION: Today, many organisations' business activities span several countries. The forthcoming General Data Protection Regulation has many positive impacts for such organisations. One of these is the "one-stop-shop" mechanism, which means that multinationals only have to interact with one Data Protection Authority across the European Community.

In May 2018, the General Data Protection Regulation (GDPR) will come into force and with it follows a changed approach to protection of personal data.

If an organisation processes – i.e. collects, transfers or stores – personal data in more than one EU country, or if the processing substantially affects individuals in more than one EU country, the organisation must comply with every country's personal data protection legislation. Under the current legislation, this means that organisations with such cross-border activities must deal with every national Data Protection Authority (DPA) if a dispute or question about data protection arises. For example, a person may lodge a complaint about how an organisation processes their personal data.

The DPAs differ in how they approach the legislation and in their level of enforcement. Dealing with each of them is a cumbersome process for many multinational organisations with cross-border activities.

However, this changes for the better with the introduction of the GDPR. Going forward, an organisation will only have to deal with one DPA – the lead supervisory authority – in data protection issues (known as the "one-stop-shop"). Consequently, the process around data protection matters will become more time efficient for multinational organisations, allowing them to operate within the European single market more easily.

The lead DPA has the primary responsibility for dealing with cross-border processing issues. For example, if a Danish organisation processes personal data about Danish and Spanish customers and a Spanish customer lodges a complaint against the organisation, the Danish DPA – as the lead supervisory authority – will, in most cases, handle the issue.

Identify the lead DPA
In the above example, the lead DPA is easily identified. However, if the organisation is located and operates in both Denmark and Spain, there might be more than one obvious choice. It can be difficult to determine which DPA is "leading", for example if an organisation operates – more or less – equally in multiple Member States.

In order to identify the lead DPA, which is determined by the location of the organisation's main establishment, the organisation will benefit from answering the following questions:

1) Where are our decisions about the use of personal data taken?
2) Where are decisions about business activities that involve data processing made?
3) Where does the power to implement business decisions effectively lie?
4) Where is the overall management responsibility for the cross-border processing located?
5) In which country is the organisation registered?

The list of questions above is not exhaustive. It forms part of an overall assessment that every organisation with cross-border activities should make to determine how these activities may affect the individuals whose personal data the organisation processes, and how the one-stop-shop mechanism can best benefit the organisation itself in its processing activities.

KPMG recommends timely action
Data breaches have unfortunately become an everyday occurrence and a risk that organisations must continuously assess and mitigate. If an organisation's personal data about customers, employees, etc. is leaked, the new GDPR requirements mean that, in most cases, the lead DPA should be notified within 72 hours.

If an organisation has not determined the proper lead DPA prior to such a breach, the organisation may waste valuable time doing this – time that could and should be used to handle issues that are more pressing in connection with the breach. Consequently, it is KPMG Denmark's recommendation that your organisation determines the lead DPA today and not when a pressing need arises.

KPMG P/S, Dampfærgevej 28, 2100 København Ø, Tel: +45 7070 7760, CVR no. 25578198

KPMG Acor Tax P/S, Tuborg Havnevej 18, 2900 Hellerup, Tel: +45 3945 1700, CVR no. 34082200

© 2021 KPMG P/S and KPMG Acor Tax P/S, both entities being Danish limited liability partnerships and member firms of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.
