Lokke Moerel and Ronan Tigner authored an article for IAPP, clearing up the Court of Justice of the European Union's ruling on the one-stop shop mechanism (OSS). The judgement was widely covered in the media, reporting that companies “can’t limit GDPR enforcement to lead watchdog,” thus undermining the OSS of the EU General Data Protection Regulation. Lokke and Ronan explain why these media reports are inaccurate.
“Contrary to these media reports, the judgment does not open wide the door for each supervisory authority (SA) to launch its own court proceeding regarding cross-border processing. Following the opinion of its Advocate General (AG), the CJEU fully upholds the OSS, under which the SA of the “main establishment” of a company in the EU (Lead SA) has a general competence to oversee cross-border processing. That competence extends not only to enforcement by the SA but also to launching court proceedings,” they write.