The European Data Protection Board (EDPB) has published a survey of European Economic Area (EEA) regulators setting out General Data Protection Regulation (GDPR) enforcement trends. The report makes for interesting reading. It sets out how:

  • the GDPR’s “one stop shop” mechanism has been bedding down; and
  • the number of data subject complaints and data breach

Plans for a single market have been delivered yet another blow, this time as a result of an ECJ preliminary ruling against a relatively unknown Slovakian company. The court ruled in Weltimmo SRO v. Nemzeti Adatvedelmi es Informacioszabadsag Hatosag, that national data protection authorities (DPAs) may take action against businesses that target residents in their Member State, even if the businesses are not registered in that state.

The ruling is significant for the ‘one stop-shop’ provisions currently being negotiated as part of the General Data Protection Regulation (‘GDPR’). In an earlier blog, we explained that the European Council endorsed the ‘one-stop-shop’ approach, so that in the future, organisations will only need to deal with the DPA having jurisdiction over the location of its EU headquarters, or EU location with delegated data protection responsibility.  The decision in Weltimmo says otherwise: an organisation will be subject to the authority of the DPA if it has an ‘establishment’ within the jurisdiction of the DPA. With the GDPR expected to be finalised later this year, it will be interesting to see how this ruling will be reconciled with the GDPR.
Continue Reading Another day…another set-back for Europe’s plans for a single market

In October 2013, we reported on the move towards a ‘One Stop Shop’ (OSS) approach to EU Data Protection.

The OSS principle aims to create consistency for international organisations to process personal data in multiple member states through the appointment of a single competent authority to monitor the data-controller’s activities across all EU Member States.