The one-stop-shop provisions were one of the most discussed provisions during the negotiation of the new data protection regulation (GDPR). Its purpose is to lower the administrative burden of companies when they carry out data processing activities in more than one Member State.
Thanks to these provisions, companies carrying out a « cross border data processing » will deal with only one Data Protection Authority called the Lead Supervisory Authority instead of dealing with the authorities of each concerned Member State. The one-stop-shop provisions will nonetheless apply to the cross border processing only and not to any other local data processing the controller could carry out.
When do one stop shop provisions apply?
The one stop shop provisions applies only to cross border processing of data controllers and data processors.
According to the GDPR, a cross border processing is either :
- A processing of personal data which takes place in the context of the activities of establishments in more than one Member States of a controller or a processor in the Union where the controller or processor is established in more than one Member States ; OR
- A processing of personal data which takes place in the context of the activities of a single establishment of a controller or a processor in the Union but which substantially affect or is likely to substantially affect data subject in more than one member states.
In broad terms :
- If a business is only located outside of the European Union it should not benefit from the one-stop-shop provisions.
- If a business is located in more than one Member States and there is one or more data processing being useful to/concerning each establishment’s activities, the one-stop-shop provisions should apply.
- If a business has only one establishment in the Union but its data processing activities target individuals from more than one Member States it should also benefit from the one-stop-shop provisions.
(exceptions: public authorities are excluded from the scope of the one stop shop provisions)
What if one-stop-shop provisions apply to my business?
If the one-stop-shop provisions applies to a data processing, a lead supervisory authority will be the only contact for any question, complaints or other issues relating to the processing subject to these provisions.
However, other supervisory authorities are competent for complaints or infringement of the regulation if it relates only to an establishment in its Member State or substantially affect individuals only in its Member State.
How to work out which authority is the Lead Supervisory Authority
The lead supervisory authority should be the supervisory authority of the main establishment or of the single establishment of the controller or processor.
In cases where both the controller and processor are involved, the lead supervisory of the controller should remain the lead supervisory authority and the lead supervisory authority of the processor should only be involved in the cooperation procedure as a supervisory authority concerned.