The EU One-Stop-Shop Mechanism
The European Data Protection Board (EDPB) has recently finalized guidelines on identifying the lead supervisory authority (LSA), shedding light on the conditions for utilizing the One-Stop-Shop mechanism (OSS). Following this, the European Commission has proposed the GDPR Procedural Regulation, aiming to enhance and harmonize data protection rules across EU Member States through an improved OSS. This article delves into key insights regarding the OSS and forthcoming GDPR enforcement rules that will impact all EU supervisory authorities.
What is the OSS and which entities can benefit from it?
The One-Stop-Shop mechanism enables controllers and processors within the European Economic Area (EEA) to engage with a single LSA, streamlining the cross-border processing of personal data. To benefit from this mechanism, organizations must meet two criteria: being established in the EEA and engaging in cross-border processing of personal data. The LSA will then be determined based on the location of the organization’s “main establishment.”
What is cross-border processing of personal data?
Cross-border processing of personal data occurs when a controller or processor has multiple establishments in the EU, or a single establishment in the EEA significantly affects or is likely to affect data subjects in more than one Member State. The EDPB Guidelines elaborate on this condition, providing examples such as processing causing harm, distress, discrimination, or unfair treatment to individuals.
Identifying the main establishment
For controllers with multiple establishments, the main establishment is the place of central administration in the EEA, unless decisions on processing personal data are made elsewhere. Processors with multiple establishments identify their main establishment based on central administration or, if none exists, where the primary processing activities occur.
Criteria determining ‘main establishment’
The EDPB Guidelines offer factors to determine a controller’s main establishment, including where final decisions on processing are made, where business activities involving data processing decisions occur, and where the power to implement decisions lies.
What is the role of a lead supervisory authority?
The LSA is primarily responsible for overseeing cross-border data processing activities, handling complaints, investigations, and enforcement actions. While having a single LSA offers advantages, scenarios involving joint-controllers may necessitate multiple LSAs.
When can several lead supervisory authorities be competent?
Competence for several LSAs may arise in scenarios such as separate controllers within a multinational company or joint-controllers, where each joint-controller can be supervised by its own LSA. Processors may involve multiple LSAs if controllers are part of the processing activities.
Are there limits to the OSS?
Limits exist for “local data processing activities,” where supervisory authorities respect each other’s competence for local data processing. Appointing an LSA does not prevent other authorities from assuming jurisdiction over matters within their territories.
How does the draft GDPR procedural regulation address the OSS?
The draft GDPR Procedural Regulation, published by the European Commission, harmonizes procedural matters in cross-border cases without altering the OSS mechanism. It addresses national procedural rules hindering GDPR cooperation, providing rules for complainant involvement, complaint rejection, and clarifying roles of LSAs and relevant authorities.
Joint opinion by EDPB and EDPS
In their joint opinion on the draft GDPR Procedural Regulation, the EDPB and EDPS express views and concerns, suggesting improvements in preliminary competence assessments and allowing complainants to express their thoughts on findings.
What steps should companies be taking?
- Companies engaging in cross-border data processing should assess their EEA entities’ roles to determine their main establishment.
- Consider formally appointing an LSA aligned with compliance strategy.
- Document reasons for appointing an LSA, especially in borderline situations where multiple authorities may claim lead status.
- Assess relevant factors, including the authority to implement processing decisions and liability.