European Data Protection Board

Today the European Council approved its version of the General Data Protection Regulation (GDPR). The next stage is for the European Commission, European Parliament and European Council (each has its own preferred version of the regulation) to jointly agree on the final text of the regulation. These discussions will commence officially on June 24, 2015, and are currently scheduled to produce the final version of the GDPR by December 2015.

This is Part 5 — the final part — of a five-part series on the “One Stop Shop” mechanism in the proposed new European data protection regulation. In Part 1 we examined why there is a need for a One Stop Shop, and what it is. In Part 2 we examined the concept of main establishment and the position of entities without an EU establishment. In Part 3 we considered the competency of supervisory authorities (SAs), the cooperation obligations in relation to SAs and the functions of the European Data Protection Board (EDPB). In Part 4 we discussed the consistency mechanism applicable to supervisory authorities. In this Part we look at the application of sanctions by the lead SA across the EU, disagreements between SAs, complaints and litigation for affected data subjects, the application of foreign laws by the lead SA, and matters of language and culture.

Application of sanctions by lead SA across the EU

A Council debate note of 26 May 2014 flagged that at least one EU Member State had raised constitutional problems regarding the legal effect of applying measures decided by the lead SA in other EU Member States.

The Italian Presidency of the Council has addressed these concerns by clarifying that the lead SA would be competent in applying its supervisory powers, deciding on the case and directing the decision, on its own territory, to the main establishment of the controller or processor. It would then be for the data controller or data processor to implement the decision as regards all its establishments in the EU.