As one of the key drivers abaft creating a new regulation was the harmonization of data protection laws throughout Europe, the one-stop-shop assumption seems like a sensible addition. However, the principle is not as simple in practice as it can appear on paper, and the original Commission proposal has been modified heavily by its consequent GDPR adoptions.
The idea from the Commission in article 15 is by far the simplest and most general approach: “Where the processing of personal data takes place in the context of the exercise of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the main action of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States.”
The Parliament took issue over the potential infringement of data subject rights when they are not able to easily lodge a complaint with a adequate lead DPA if, for instance, contact is made difficult by language or financial means. In article 54a of its adopted text, the Parliament still relies on a lead DPA for the doling out of legal remedies, but it requires the cooperation of all concerned DPAs.The bulk of concerned DPAs will also be greatly increased as a provision is also combined for data subjects to lodge complaints with their local DPA in order for it then to work with the lead DPA on behalf of the data subject.Finally, the role of the Data Protection Board is expanded in its ability to decide in the situation of an unclear lead DPA and its ultimate ruling in the event of the invoking of the consistency mechanism.