The EDPB has released the Guidelines 02/2022 on the application of Article 60 of the GDPR, i.e., the procedural modalities of the cooperation mechanism, known as the “one-stop-shop.”
The document, at first glance, would appear to be aimed primarily at supervisory authorities, but offers useful insights and takeaways for data controllers and data processors, as well as subject matter consultants.
Prodromes
The guidelines are ,in fact, a response to the EU Commission’s invitation to the EDPB contained in its report on the status of the GDPR in the aftermath of the first two years of its full implementation (Communication from the Commission to the European Parliament and the Council – Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition – two years of application of the General Data Protection Regulation).
In the document, the Commission pointed out that “developing a truly common European data protection culture between data protection authorities is still an on-going process. Data protection authorities have not yet made full use of the tools the GDPR provides, such as joint operations that could lead to joint investigations. The Commission concluded that “further progress is needed to make the handling of cross-border cases more efficient and harmonised across the EU, including from a procedural point of view (…)” and welcomed the reflection process initiated by the EDPB in this regard. The Board’s reflections have finally been incorporated into Guidelines 02/2022.
One-stop-shop
In the aforementioned Commission document it was highlighted that although it was “still early to fully assess the functioning of the new cooperation and consistency mechanisms, data protection authorities developed their cooperation through the one-stop-shop mechanism and through a large use of mutual assistance. The one-stop-shop mechanism, which is a key asset of the internal market, is used to decide many cross-border cases. These decisions, involving often multinational big tech companies, will have a substantial impact on individuals’ rights in many Member States.”
Concerns about protection actions
One-stop shop and protection actions
Consequently, when the cooperation mechanism is triggered by the process of handling a complaint (rather than, for example, by an ex officio investigation), a ‘switch’ takes place: on one track, the owner/manager will be able to interact with the competent authority on the territory of their establishment (‘lead’) as their sole counterpart, while on a different track, those concerned will interface with their respective national supervisory authority, which will act in the cooperation mechanism as the ‘authority concerned” [Art. 4, point 22), GDPR]. The two separate tracks that have diverged as a result of the switch will subsequently be reunited, due to the cooperation mechanism between the lead authority and the authorities concerned, in order to ensure the uniform application of the rules on personal data protection through their consistent interpretation, without this having a negative impact on the exercise of enforcement actions.