One-stop shop in the EU

An organisation may process personal data in several member states of the European Union (EU). Or in one member state, but of people from several member states.

On this page

  1. General information

The organisation, however, has to deal with one data protection supervisory authority only. This is called the one-stop shop mechanism.

Quick answers

What can I as a citizen do with my complaint about an international processing operation?

Do you have a complaint about the processing of your personal data? Then you can submit your complaint to the Dutch DPA.

The AP will check whether there is a cross-border (international) processing operation. If so, the Dutch DPA may not be the supervisory authority designated for handling your complaint. The Dutch DPA will then pass on your complaint to the European fellow supervisory authority which is competent to deal with your complaint. You do not have to anything yourself. The fellow supervisory authority will handle your complaint in close consultation with the Dutch DPA and any other supervisory authorities involved.

Information about the handling of the complaint

Do you have any questions? Then you can always contact the Dutch DPA. The Dutch DPA will also provide you with information about the handling of your complaint and inform you about the final outcome of your complaint.

Do I have to register my DPO with other European supervisory authorities as well?

This is not necessary if the Dutch Data Protection Authority (Dutch DPA) is the lead supervisory authority of your organisation. In that case, you will have to register your Data Protection Officer (DPO) with the Dutch DPA only.

Is your only establishment or your European central administration located in the Netherlands? Then the Dutch DPA is your lead supervisory authority. You have to provide the contact details of the DPO to the lead supervisory authority.

Registering your DPO with supervisory authorities involved in other member states is permitted, but not mandatory. The Dutch DPA recommends that you do this, though. In doing so, you promote the contact with supervisory authorities involved. 

Are you not sure which supervisory authority is the lead supervisory authority? Then you can register your DPO with the supposed lead supervisory authority and the supervisory authorities involved.

Do I, as a processor, also benefit from the one-stop shop mechanism?

Yes. If you are a processor with cross-border activities or multiple establishments in the EU, you can also benefit from the one-stop shop mechanism.

The location where your central administration takes place is regarded as the central administration. The supervisory authority in the EU member state in which your central administration is located is in principle the lead supervisory authority.

The one-stop shop mechanism is the starting point for processors as well. This means that the lead supervisory authority is the only data protection supervisory authority in the EU that you will have to deal with.

Central administration outside the EU

Is your central administration not located in the EU? Then the lead supervisory authority is the data protection agency of the country in which the most important data processing operations in the EU take place.

Controller and processor

Are you as a processor involved in a concrete case, but so is the controller? Then the lead supervisory authority of the controller is the sole lead supervisory authority for that case.

The supervisory authority from the country in which you as a processor have your central administration will then become a supervisory authority involved and cooperate with the other supervisory authorities involved.

Never just a processor

Note: you are actually never just a processor. Even if you process personal data for others just as a processor, you are in any case the controller for the data of your own staff.