Data Protection: EDPB Publishes Register Containing One-Stop-Shop Decisions

Authors: Erkko Korhonen and Emma Swahne

On 24 June 2020, the European Data Protection Board (EDPB) published a register containing decisions concluded under the so called “one-stop-shop” mechanism. The one-stop-shop (OSS) mechanism is set out under Article 60 of the GDPR to ensure a consistent application of the GDPR in cases involving more than one EU Member State. Lead supervisory authorities (LSAs) have adopted 110 final OSS decisions, but due to the national legal impediments for publication of decisions in Germany (certain states), Lithuania, the Netherlands, and Spain, only 68 cases have been published. The register contains the actual decisions and very useful summaries prepared by the EDPB’s secretariat. The register also contains tools for filtering out decisions based on, for example, main legal reference, keywords, or outcome.

A majority of the cases has led either to reprimand or warning, and in only five (5) decisions administrative fines have been imposed. As regards the subject matter of the cases, it seems that data subject rights have been the main area for decisions – this is quite expected, since the OSS mechanism is triggered when the data subjects who are substantially affected or likely to be substantially affected by the processing, reside in several Member States (each supervisory authority referred to as “supervisory authority concerned”, or CSA). Although the supervisory authorities in the Nordic countries have been involved as CSAs in dozens of cases, they have only acted as LSAs in two cases (both in Denmark).

It took surprisingly long for the EDPB to set up the public register for the cases – especially considering that maintaining a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism has been defined as one of the EDPB’s tasks under the GDPR. However, better late than never. Based on first looks, this is likely to be a useful tool for companies and privacy professionals to find guidance on how the GDPR has been applied and enforced by the supervisory authorities across the EU.