The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.


One Stop Shop

The EDPB has released the Guidelines 02/2022 on the application of Article 60 of the GDPR, i.e., the procedural modalities of the cooperation mechanism, known as the “one-stop-shop.”

The document, at first glance, would appear to be aimed primarily at supervisory authorities, but offers useful insights and takeaways for data controllers and data processors, as well as subject matter consultants.

Cooperation Procedure



The guidelines are, in fact, a response to the EU Commission’s invitation to the EDPB contained in its report on the status of the GDPR in the aftermath of the first two years of its full implementation (Communication from the Commission to the European Parliament and the Council – Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition – two years of application of the General Data Protection Regulation).

In the document, the Commission pointed out that “developing a truly common European data protection culture between data protection authorities is still an on-going process. Data protection authorities have not yet made full use of the tools the GDPR provides, such as joint operations that could lead to joint investigations.” The Commission concluded that “further progress is needed to make the handling of cross-border cases more efficient and harmonised across the EU, including from a procedural point of view (…)” and welcomed the reflection process initiated by the EDPB in this regard. The Board’s reflections have finally been incorporated into Guidelines 02/2022.



The aforementioned Commission document highlighted that, although it was still early to fully assess the functioning of the new cooperation and consistency mechanisms, data protection authorities developed their cooperation through the one-stop-shop mechanism and through a large use of mutual assistance. “The one-stop-shop mechanism, which is a key asset of the internal market, is used to decide many cross-border cases. These decisions, involving often multinational big tech companies, will have a substantial impact on individuals’ rights in many Member States.”

The cooperation mechanism is an entirely new instrument introduced by the GDPR for personal data processing that generates an impact in more than one Member State (so-called “cross-border processing”).

Concerns about protection actions

The “one-stop-shop” was contained in the EU Commission’s proposal for a regulation as a coordination instrument between national supervisory authorities as well as a facilitation for data controllers and processors. During discussions regarding the content of the regulation, it raised concerns because of the associated risk of making it more difficult for data subjects to take action to protect their rights.
Identifying the one-stop-shop as the supervisory authority on the territory of the Member State where the main (or single) establishment of the controller/processor is located could have made it more difficult for a data subject located in a different Member State, and affected by the resulting cross-border processing operations, to lodge complaints with that (foreign) authority to defend his rights.

One-stop shop and protection actions

In order to overcome this possible drawback, the Commission’s proposal was amended to include the right of the data subject to take action with his national supervisory authority to protect his rights, while maintaining the original structural approach of the one-stop shop and the related roles of the lead authority and the authorities concerned.

Consequently, when the cooperation mechanism is triggered by the process of handling a complaint (rather than, for example, by an ex officio investigation), a ‘switch’ takes place: on one track, the controller/processor will be able to interact with the competent authority on the territory of their establishment (‘lead’) as their sole counterpart, while on a different track, the data subjects will interface with their respective national supervisory authority, which will act in the cooperation mechanism as the ‘authority concerned’ [Art. 4, point 22), GDPR]. The two tracks that diverged as a result of the switch are subsequently reunited through the cooperation mechanism between the lead authority and the authorities concerned, in order to ensure the uniform application of the rules on personal data protection through their consistent interpretation, without this having a negative impact on the exercise of enforcement actions.