In its recent decision of June 15, 2021, involving Facebook and the Belgian Data Protection Authority (“DPA”), the European Court of Justice (the “ECJ” or the “Court”) clarified the conditions under which the non-lead supervisory authorities may exercise their powers
As part of the Trade and Cooperation Agreement concluded on 24 December 2020 between the European Union and the United Kingdom, it has been agreed that the GDPR will remain applicable in the United Kingdom for a maximum period of
During its 28th plenary session of May 20, 2020, the European Data Protection Board (EDPB) adopted recommendations on the draft Standard Contractual Clauses submitted by the Slovenian Supervisory Authority (SA) and decided on the publication of a register containing ‘one-stop-shop’
Under the General Data Protection Regulation (GDPR), organisations that carry out “cross-border data processing” must appoint a Lead Data Protection Authority. This appointed Supervisory Authority will act as their main point of contact.
Although initially introduced to lower the administrative burden on organisations, which previously had to deal with each Member State’s authority, the one-stop-shop provisions were the main point of disagreement during the negotiation of the GDPR and, as a result, have become complex.
Indeed, these provisions apply only to cross-border processing activities and not to all of the organisation’s processing activities. Moreover, if the organisation’s main establishment for these processing activities is outside the EU, the organisation will not benefit from these provisions. It also entails the formal appointment of the Lead Authority where necessary.