We are an organisation which provides consultancy for ISMS and other information security related products in the Indian sub-continent. During one of our implementations for an IT organisation in Sri Lanka and India, we got a query on GDPR. The organisation has appointed a Data Protection Officer. Now we are not sure who will be the Supervisory Authority in India and Sri Lanka for Data Protection. Can you please let me know from where we can get this information?
The EU GDPR states that it is compulsory for a legal entity to appoint a DPO only if (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; or (b) the core activities of the legal entity consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the legal entity consist of processing on a large scale of special categories of data pursuant to Article 9 of the EU GDPR and personal data relating to criminal convictions and offences referred to in Article 10 of the EU GDPR.
Also, since the organization is in Sri Lanka and India, you first need to identify if the EU GDPR is applicable. The key to understanding when EU GDPR is applicable is understanding the meaning of “in the Union.” The EU GDPR will only apply to personal data regarding individuals within the Union, while the nationality or habitual residence of those individuals is irrelevant. For example, a company based in the EU which is processing the data of Japanese individuals located in Japan will still need to comply with the EU GDPR. Consequently, the Japanese individuals will be benefiting from all rights according to the EU GDPR, even if these rights do not exist in their own nation’s laws.
When the data is processed outside of the EU by companies which are also outside the EU, then this is not considered to be “in the Union”. For example, the EU GDPR will not be applicable for a school which is based in the United States just because there is a possibility that one or several of its students would be EU citizens. In this case, the processing does not take place “in the Union,” nor is the individual “in the Union”.
If your customer falls under both criteria above, it would need to appoint a representative in the EU, and the competent Supervisory Authority would be the one where the representative is established.