
Do you know about the one-stop-shop mechanism in the GDPR?

If you’re an EU-based business or if you do business within the EU, there’s something you need to know about how GDPR is managed across the member states. It’s this:

The GDPR has created a one-stop-shop mechanism that makes it simpler and cheaper for organisations within the EU to process personal data across EU borders.

Here’s how the mechanism works:

· Every country has its own supervisory authority – an independent body that monitors the application of GDPR in its territory. When necessary, these supervisory authorities work together, exchanging information and assisting each other with cross-border monitoring and investigation.

· In the event of a data breach that needs reporting, you only have to report the breach to your country’s supervisory authority (referred to as the lead supervisory authority). That’s true even if the data breach affects other EU territories.

· If the data breach is severe enough to warrant court proceedings and fines, your lead supervisory authority will almost always be the only body entitled to enforce this (there are rare exceptions).

· Other local supervisory authorities will not usually be entitled to launch their own court proceedings against you. They are required to liaise with your lead supervisory authority. However, they can join the lead supervisory authority for assistance and for their share of fines imposed.

Here’s what this means for non-EU businesses (post-Brexit, this includes the UK):

· If your business is based outside the EU but is involved in a data breach within EU territories, you will not benefit from the GDPR one-stop-shop mechanism.

· You will have to report the breach to – and work with – the supervisory authority in every EU country from which you process personal data.

· The individual supervisory authorities from each country involved will each be entitled to launch court proceedings against you, and to impose fines.

· However, there are organisational changes that can be made to establish your GDPR centre of decision and accountability within the EU, so that you can benefit from the one-stop-shop mechanism.

Want to find out more? Contact PEO Legal.

At PEO Legal, we provide legal and compliance advice for professional employer organisations and staffing companies around the world. If you want to know more about the one-stop-shop mechanism – or any other point of cross-border employment law – contact us today.

