CHAPTER VII Cooperation and consistency

Section 1 Cooperation

 

Author: Vagelis Papakonstatinou

 

1. The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.
2. The lead supervisory authority may request at any time other supervisory authorities concerned to provide mutual assistance pursuant to Art. 61 and may conduct joint operations pursuant to Art. 62, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.
3. The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.
4. Where any of the other supervisory authorities concerned within a period of four weeks after having been consulted in accordance with para. 3 of this Article, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned, submit the matter to the consistency mechanism referred to in Art. 63.
5. Where the lead supervisory authority intends to follow the relevant and reasoned objection made, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion. That revised draft decision shall be subject to the procedure referred to in para. 4 within a period of two weeks.
6. Where none of the other supervisory authorities concerned has objected to the draft decision submitted by the lead supervisory authority within the period referred to in paras. 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to be in agreement with that draft decision and shall be bound by it.
7. The lead supervisory authority shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be and inform the other supervisory authorities concerned and the Board of the decision in question, including a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant on the decision.
8. By derogation from para. 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.
9. Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, shall notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint, and shall notify it to that complainant and shall inform the controller or processor thereof.
10. After being notified of the decision of the lead supervisory authority pursuant to paras. 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.
11. Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Art. 66 shall apply.
12. The lead supervisory authority and the other supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standardised format.

 

I. General features and legislative history

1. Overview: The one-stop-shop mechanism as a sentinel of the GDPR

Formally, the term “one-stop-shop mechanism” (henceforth, OSS) is unknown to the GDPR, appearing only a few times in its Recitals. Otherwise, it stands merely as an abbreviation for its provisions on “cooperation between the lead supervisory authority and the other supervisory authorities concerned” of this Art. 60. At any event, this lack of explicit recognition for the one-stop-shop mechanism comes in stark contrast to its neighbour, the consistency mechanism, that receives explicit acknowledgement in Section 2. Together with Section 3, on the EDPB, they form the GDPR’s provisions on cooperation and consistency (Chapter VII).

Despite this lack of formal acknowledgement, the OSS is one of the most important components of the GDPR. The problem it attempts to address lies squarely at the heart of the reasons behind the GDPR’s release. As repeatedly identified by the Comm. modern processing conditions have made questions on jurisdiction or applicable law when several Member States are concerned difficult, if not impossible, to resolve. The GDPR’s direct effect having supposedly resolved the applicable law issue, the question remains, which Member State, and thus SA, would be responsible for handling cross-border cases of personal data processing. The problem is accentuated over the internet, where personal data processing seamlessly crosses national borders, blatantly disregarding issues of applicable law and jurisdiction. This is exactly where the OSS steps in. It promises to provide a workable and efficient solution in multi-jurisdictional cases. In this way it stands guard of the most treasured contribution of the GDPR: Consistent application and thus legal certainty across all of the EU.

The OSS ought not be perceived as a compliance tool for controllers or processors. In fact, it is first and foremost aimed at individuals, assisting them whenever found within cross-border processing of their personal data. Under normal circumstances in such a case they would be found at an impasse, entangled in difficult jurisdictional issues. The OSS offers them the option to file a complaint and see it through in front of their own SA, in the comfort of their own language, country and culture. SAs themselves benefit from the OSS in that they would otherwise be at great difficulty trying to conduct investigations or enforce decisions against controllers that may even not have an establishment within their own jurisdictions. Controllers and processors are only occasional users of the mechanism: Because only complaints and possible infringements are to be handled by it, their only practical gain is that of a sole interlocutor (their lead SA, henceforth “LSA”, see Art. 56 para. 6; → mn. 16 et seq.).

From this point of view, not including the term in the GDPR text appears to be a wise choice. The term one-stop-shop is ultimately a term of the market. What exactly one-stop-shop means may vary substantially depending on market, public administration or even cultural conditions. Using this term to describe what is merely a cooperation and coordination legal mechanism among co-competent state authorities would perhaps create unfounded data subjects’ and controllers’ expectations. Not actually meeting what is imagined being offered would be detrimental to the GDPR purposes. In other words, the mechanism described in this Art. 60 may, or may not, be a one-stop-shop mechanism to a particular data subject or data controller, depending on what they think a one-stop-shop actually is. It may, or may not, be a suitable regulatory tool to fight off infringing practices by big internet companies. The GDPR, wisely, steered clear from using market terms to describe legal procedures.

A one-off mechanism or a principle? In the same context, that of unwarranted market expectations, it is important to clarify whether the OSS in the GDPR is merely a mechanism or also a principle. A mechanism would be invoked at will by its operators in order to address a specific issue, while a principle would apply in all cases falling within a specific category regardless of the will of the actors concerned. The GDPR only referring to the OSS as a mechanism, the question is whether it could also be perceived as a principle applying to all cross-border cases. Such a principle (or a “philosophy” underlying the OSS, as frequently encountered in Council-R documents) would perhaps raise expectations from the LSA to always invoke it whenever cross-border processing occurs.

 

 

[…]