The General Data Protection Regulation (GDPR), applicable since May 2018, gives the European Data Protection Authorities, now called the Supervisory Authorities, the power to serve administrative fines of up to €20 million or 4% of the global annual turnover of
One-Stop-Shop under the GDPR: how does that work?
Under the General Data Protection Regulation (GDPR), organisations which carry out a « cross border data processing » must appoint a Lead Data Protection Authority. This appointed Supervisory Authority will act as their main point of contact.
Although initially introduced to lower the administrative burden of organisations, which previously had to deal with each Member State’s authority, the one-stop-shop provisions were the main point of disagreement during the negotiation of the GDPR and as a result, have become complex.
Indeed, these provisions only apply to cross border processing activities and not to the organisation’s whole processing activities. Besides, if the organisation’s main establishment for this processing activities is outside of the EU, the organisation will not benefit from these provisions. It also entails the formal appointment of the Lead Auhtority where necessary.