MBF Knowledge Base

EU General Data Protection Regulation One-Stop-Shop

All information here was borrowed from the GDPR website https://eugdpr.org


Since one of the key drivers behind creating a new regulation was the harmonization of data protection laws throughout Europe, the one-stop-shop principle seems like a sensible addition. However, the principle is not as simple in practice as it can appear on paper, and the original Commission proposal has been modified heavily by its subsequent GDPR adoptions.

The proposal from the Commission in article 15 is by far the simplest and most general approach: "Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States."

The Parliament took issue with the potential infringement of data subject rights when data subjects are not able to easily lodge a complaint with a competent lead DPA if, for instance, contact is made difficult by language or financial means. In article 54a of its adopted text, the Parliament still relies on a lead DPA for the doling out of legal remedies, but it requires the cooperation of all concerned DPAs. The number of concerned DPAs will also be greatly increased, as a provision is added for data subjects to lodge complaints with their local DPA, which then works with the lead DPA on behalf of the data subject. Finally, the role of the Data Protection Board is increased: it can decide which DPA leads when that is unclear, and it gives the ultimate ruling when the consistency mechanism is invoked.

The Council has arguably the most watered-down version of a one-stop-shop in its adopted general approach. It provides each DPA with the competence to enforce the GDPR in its own state, and requires the lead DPA to consult with and share all information with every concerned DPA. It also allows any concerned DPA to refer a case to the Data Protection Board should it feel that the lead DPA has not taken its opinion into account. Overall, this increases the amount of red tape involved to a point beyond the initial intention of the one-stop-shop principle and allows for the potential of capricious referrals that undermine the authority of the lead DPA and potentially put a strain on the Data Protection Board, which is set up under the GDPR but not allocated any specific funding or infrastructure.

The pervasive debate throughout the one-stop-shop principle is the balancing act between reducing red tape by harmonizing data protection laws across Europe and ensuring the rights of data subjects are secured through the availability of legal redress with the appropriate DPA.