As one of the key drivers after creating a new regulation was the harmonization of data protection laws throughout Europe, the one-stop-shop principle seems like a sensible addition. However, the principle is not as simple in practice as it can appear on paper, and the original Commission proposal has been modified heavily by its consequent GDPR adoptions.
The bid from the Commission in article 15 is by far the simplest and most general approach: “Where the processing of personal data takes place in the context of the enterprise of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the main exercise of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States.”
The Parliament took issue over the potential infringement of data subject rights when they are not able to easily lodge a complaint with a adequate lead DPA if, for instance, contact is made difficult by language or financial means. In article 54a of its adopted text, the Parliament still relies on a lead DPA for the doling out of legal remedies, but it requires the cooperation of all concerned DPAs.The amount of concerned DPAs will also be greatly increased as a provision is also added for data subjects to lodge complaints with their local DPA in order for it then to work with the lead DPA on behalf of the data subject.Finally, the role of the Data Protection Board is heightened in its ability to decide in the situation of an unclear lead DPA and its eventual ruling in the event of the invoking of the consistency mechanism.