Europe: One-Stop-Shop cooperation becoming more transparent

By Enrique Gallego Capdevila and Eline Dekyvere

On the week of the two-year anniversary of the General Data Protection Regulation (GDPR), the European Data Protection Board (EDPB) announced that a register containing decisions taken by Supervisory Authorities (SAs) following the One-Stop-Shop (OSS) cooperation procedure will be made publicly available on its website. This is an important step in further accelerating transparency efforts already made under the GDPR and promoting cross-border cooperation between SAs.

It is undeniable that the OSS has altered the approach in which SAs cooperate, and has also highlighted the unequivocal need for trust among them. The register soon to be published by the EDPB will further enhance consistency in the application of the One-Stop-Shop procedure between SAs. Consistent application of the cooperation principles also creates more legal certainty for organisations carrying out cross-border personal data processing activities while also alleviating some of the administrative burden associated with complying with GDPR requirements when carrying out such cross-border data processing activities.

The One Stop-Shop cooperation procedure (in a nutshell)

SAs have a cooperation duty in cases with a cross-border component to ensure the GDPR is applied in a consistent and uniform manner. This duty is regulated under the OSS mechanism established by Article 60 GDPR.

Pursuant to the OSS mechanism, the Lead Supervisory Authority (LSA) is entitled to request other SAs to provide mutual assistance and may conduct joint operations for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.

Apart from serving as main point of contact for controllers and processors involved in a specific case, LSAs also have several responsibilities vis-à-vis the SAs, such as gathering the relevant information and drafting a decision that would be later submitted to the SAs concerned for their review.

In case none of the SAs concerned made an objection to the LSAs’ draft decision, they shall be deemed to be in agreement with the draft decision.

The concerned SAs are entitled to raise reasoned objections to the draft decision whereas the LSA can decide to follow or not to follow them. In the first scenario, where the LSA intends to follow the objection, a revised draft decision must be submitted to the other SAs. Alternatively, where the LSA rejects a reasonable or relevant objection, it triggers the dispute resolution mechanism established under Article 65 GDPR.

If this mechanism is triggered, the EDPB will be called to intervene, and it will issue a binding decision to arbitrate. The LSA shall then adopt its final decision on the basis of the EDPB’s binding decision.

How do SAs exchange information nowadays?

SAs exchange information through the Internal Market Information System (IMI). IMI is a tool initially developed by the European Commission’s DG GROW  to facilitate the exchange of information between public authorities involved in the practical implementation of EU law. In other words, IMI helps authorities to fulfil their cross-border administrative cooperation obligations in multiple Single Market policy areas. IMI was adapted to cater for the needs of the GDPR, in close cooperation with the Secretariat of the EDPB and the SAs.

EDPB’s initiative to boost transparency will provide new insights since the One-Stop-Shop cooperation procedure came into operation two years ago.

According to the EDPB, as of the end of April 2020, LSAs had adopted 103 OSS decisions. Besides this, not much information regarding the scope of such decisions, information related to the scope of mutual assistance requests, joint operations or  disputes among SAs related to any cross-border initiatives brought under the OSS has been made publicly available.

On 20 May 2020, during its 28th plenary session, the EDPB decided on the publication of a register containing “one-stop-shop” decisions. According to the EDPB, the Secretariat will publish summaries regarding final OSS decisions after the validation of the LSA in question and in accordance with the conditions provided by its national legislation.

Looking ahead, EDPB’s decision to publish this information may provide useful insights regarding LSAs’ joint operations while also providing new insights into how organisations carrying out cross-border processing activities deal with the main establishment concept under the OSS procedure. This register will also allow controllers and processors carrying out data processing activities in different EU countries to have a better overview of the interactions between different SAs regarding cross-border GDPR enforcement actions.

Please contact Enrique Gallego Capdevila and Eline Dekyvere or your usual DLA Piper contact if you would like further assistance.