Which of the following is an accurate statement regarding the "one-stop-shop" mechanism of the GDPR?
A.
It can result in several lead supervisory authorities in the EU assuming competence over the same data processing activities of an organization.
B.
It applies only to direct enforcement of data protection supervisory authorities (e.g.. finding a breach), but not to initiating or engaging m court proceedings
C.
It gives competence to the lead supervisory authority to address privacy issues derived from processes carried out by public authorities established in different countries.
D.
It allows supervisory authorities concerned (other than the lead supervisory authority) to act against organizations m exceptional cases even if they do not have any type of establishment in the Member State of the respective authority.
The “one-stop-shop” mechanism of the GDPR is a system of co-operation and consistency procedures that aims to ensure that the data protection regulation is enforced uniformly across all member states and calls on the data protection authorities (DPAs) across member states to co-operate with each other and the Commission to ensure consistent application of the GDPR1. The “one-stop-shop” mechanism applies to organisations that conduct cross-border data processing, which means that they process personal data in the context of the activities of their establishments in more than one member state, or that they target or monitor data subjects in more than one member state1. Under the “one-stop-shop” mechanism, such organisations will have to deal primarily with the DPA of the member state where they have their main establishment or their single establishment in the EU, which will act as their lead supervisory authority for all matters related to their cross-border data processing1. The lead supervisory authority will co-ordinate with other concerned supervisory authorities, which are the DPAs of the member states where the data subjects are affected by the data processing1. The lead supervisory authority will have the competence to adopt binding decisions regarding measures to ensure compliance with the GDPR, such as imposing administrative fines or ordering the suspension of data flows1. However, the “one-stop-shop” mechanism does not prevent the concerned supervisory authorities from acting against organisations in exceptional cases, even if they do not have any type of establishment in the member state of the respective authority1. These exceptional cases include the following situations2:
When a complaint is lodged with a supervisory authority, the subject matter relates only to an establishment in its member state or substantially affects data subjects only in its member state;
When a supervisory authority is addressing a possible infringement related to the offering of goods or services to data subjects in its member state or to the monitoring of their behaviour in its member state;
When a supervisory authority adopts provisional measures intended to produce legal effects in its own member state;
When an urgent need to act arises in order to protect the rights and freedoms of data subjects. In these cases, the concerned supervisory authority will inform the lead supervisory authority and the other concerned supervisory authorities, and will try to reach a consensus on the action to be taken2. If no consensus is reached, the consistency mechanism will apply, which involves the intervention of the European Data Protection Board (EDPB) to issue a binding decision on the matter2. Therefore, option D is the correct answer. References: Art. 60 GDPR – Cooperation between the lead supervisory authority and the other supervisory authorities concerned, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit