How does the one-stop shop mechanism work?
Organisations that carry out cross-border processing operations used to have to deal with multiple data protection supervisory authorities. Now, they only need to deal with one data protection supervisory authority. This data protection supervisory authority is called the lead supervisory authority. On this page you can read how the one-stop-shop mechanism works in broad lines.
On this page
Cross-border processing operations
There is cross-border data processing when:
- an organisation processes data in several EU Member States;
- the processing is carried out in one EU Member State, but (probably) substantially affects data subjects in another Member State.
Lead supervisory authority
The lead supervisory authority is the first party responsible for the supervision of organisations with cross-border data processing operations. The main rule is: the lead supervisory authority is the supervisory authority of the EU member state in which the central administration of a controller or processor is located.
Supervisory authorities involved
The lead supervisory authority that handles a cross-border case does not work alone. The lead supervisory authority cooperates and coordinates its actions with the data protection supervisory authorities of the other EU countries where the data processing has an impact. These other supervisory authorities are called the supervisory authorities involved.
Advantages of the one-stop mechanism
Organisations that operate internationally only have to do business with one supervisor.
Does anyone have a complaint about the processing of data by an international company? The European privacy regulators will then jointly address this complaint. Even if an organisation is established in an EU member state other than the one filing the complaint. The person who submitted the complaint will therefore only have to deal with one privacy supervisor. This gives all EU residents the same privacy protection.