In April 2017, the European Data Protection Board (EDPB) endorsed the Article 29 Working Party’s Guidelines for identifying a controller or processor’s lead supervisory authority. The EDPB noted that further clarification in these Guidelines was required, especially in relation to the main establishment in the context of joint controllership.
In recent weeks, these Guidelines have been updated with the aim of providing that clarification.
Read the EDPB Guidelines here. 

What are joint controllers? 

Joint controllers are two or more controllers established in the European Economic Area (EEA) that together determine the means and purposes of processing.  

What does the GDPR tell us about the designation of a lead supervisory authority for joint controllers? 

The GDPR alone does not specifically address the designation of a lead supervisory authority for joint controllers. However, Article 26(1) and Recital 79 of the GDPR highlight that, in a case of joint controllership, the controllers must determine, in a transparent manner, their respective responsibilities for compliance with their duties under the GDPR.
One example of such an obligation is the organisation of contact with supervisory authorities.

What updates have been made to the EDPB Guidelines? 

The most significant change made to these Guidelines is that the concept of main establishment is linked to a single controller and is not applicable to joint controllers.
Essentially, this means that for the purposes of joint controllership, each controller should identify its own lead authority. Joint controllers cannot designate a common main establishment or a common lead authority. Each joint controller's lead authority should also correspond to the location of that controller's central administration.

What should your business do to ensure these updated Guidelines are being followed? 

  • Check whether the joint controllers are established in the EEA. 
  • Where applicable, identify the place of central administration in the EEA of each joint controller. 
  • The supervisory authority of the country in which the central administration is located is the lead supervisory authority for each respective joint controller. 

If your business or organisation requires further assistance to comply with these updated Guidelines, you may benefit from an accomplished Data Protection Officer (DPO). For further information on this, please contact HewardMills at 




If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at