Browse Skills

DPC Cross-Border Data Processing (Lead SSA)

    GDPR DPC Ireland Privacy ROPA One-Stop-Shop Data Protection
    Get Started with This Skill

    Overview

    Draft Article 30 Records of Processing Activities for US firms using Ireland as Lead Supervisory Authority. Covers main establishment justification (GDPR Art. 4(16), EDPB criteria) and validation so the Irish DPC remains the competent authority.

    Getting Started

    Add your source materials to the project workspace, then activate the DPC Cross-Border Data Processing (Lead SSA) skill. The agent will guide you through drafting the main establishment justification and Article 30 ROPA, and can run the validation tool to ensure the Irish DPC remains the competent Lead Supervisory Authority.

    Example Conversation

    You: We’re a US company with an Irish subsidiary as our EU main establishment. We need an Article 30 ROPA that clearly supports the DPC as our Lead SA.

    Agent: I’ll draft a ROPA that (1) states Ireland as main establishment and the DPC as Lead SA, (2) justifies it using both EDPB criteria—decisions on purposes and means taken in Ireland, and power to implement those decisions there—and (3) lists each processing activity with purpose, legal basis, categories, retention, and safeguards. I’ll then run lead_authority_justifier on the document.

    You: Go ahead. Our Irish entity sets processing purposes and retention; US handles infra but under Irish contract and oversight.

    Agent: I’ve added a “Main establishment and Lead Supervisory Authority” section and the ROPA entries. The justification describes decision-making and implementation power in Ireland. I ran lead_authority_justifier: Ireland/DPC stated, both criteria present, no contradictory wording. Report shows 0 errors, 0 warnings.

    Output Excerpt

    Excerpt from a generated main-establishment section and a sample lead_authority_justifier report.

    Main establishment and Lead SA (excerpt):

    ## Main establishment and Lead Supervisory Authority

The controller’s main establishment in the Union, for the purposes of Article 4(16) GDPR and the One-Stop-Shop mechanism, is [Irish Entity Name], Ireland. The Lead Supervisory Authority is the Data Protection Commission (DPC), Ireland.

Decisions on the purposes and means of processing of personal data are taken at the Irish establishment; the Irish establishment has the power to have those decisions implemented. Day-to-day infrastructure may be operated under contract and oversight of the Irish entity, without altering the place where decisions are taken and implemented for GDPR purposes.

    lead_authority_justifier report (excerpt):

    === Lead Authority Justifier ===
Ireland/DPC as Lead: present
Decision-making in Union: present
Implementation power in Union: present
Contradictions: none
Result: 0 errors, 0 warnings

    Built-in Validation

    The skill includes lead_authority_justifier, which checks that the document justifies Ireland as main establishment so the DPC remains the competent Lead SA.

    CheckDescription
    Ireland/DPC as LeadDocument states Ireland as main establishment and/or DPC as Lead Supervisory Authority
    Decision-making in UnionDecisions on purposes and means of processing are taken at the Irish establishment (EDPB Opinion 04/2024)
    Implementation power in UnionIrish establishment has the power to have those decisions implemented
    No contradictionFlags wording that places decisions or implementation in the US (or outside the EU), which would undermine One-Stop-Shop

    Ready to let your expertise drive the workflow?

    Stop wrestling with rigid templates and complex tooling. Write your process in markdown, let the agent handle the rest.

    Get Started