CJEU ruling on the competence of a non-lead supervisory authority to bring legal proceedings

In a judgment dated 15 June 2021 further to a request for preliminary ruling, the Court of Justice of the European Union (“CJEU”) confirmed that a national supervisory authority concerned (“SAC”)1 , which is not the lead supervisory authority (“LSA”)2 , may exercise its power to initiate or engage in legal proceedings in relation to an instance of cross-border data processing3   that would violate the GDPR. That statement applies notwithstanding whether or not the controller has an establishment on the territory of the SAC and whether the SAC acts against the main establishment of the controller on its territory or against another establishment.

However, any such power of the SAC may only be exercised in compliance with the procedure of the so-called “one-stop-shop” mechanism, under which the competence of the LSA is the rule and the competence of the SAC is the exception.

The “one-stop-shop” mechanism was set to ensure a consistent and homogeneous application of the GDPR through the European Union and avoid the risk that various supervisory authorities take different approaches with regard to cross-border processing. In the event of a cross-border processing, the LSA and the SAC must cooperate, including sharing information and providing mutual assistance in order to reach a consensus and issue a single decision in relation to that cross-border processing.

In this context, the LSA cannot ignore the views of the other supervisory authorities: any relevant and reasoned objection, if not followed by the LSA, has the effect of blocking the adoption of the draft decision, which must be submitted to the European Data Protection Board (“EDPB”) to obtain a binding decision.

A first exception to the competence of the LSA to bring legal proceedings is under Article 56(2) of the GDPR providing that an SAC is competent where the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State. However, the SAC will be competent only where the LSA decides not to handle the case (Article 56(3) of the GDPR).

A second exception is the urgent need to act: the SAC may adopt provisional measures on its territory for a maximum period of three months. Final measures may be adopted by requesting an urgent opinion or binding decision from the EDPB. In addition, if the LSA does not provide the information requested by the SAC in the context of the mutual assistance procedure, the SAC may adopt provisional measures for which the urgent need to act is presumed and for which a binding decision from the EDPB is required.

As a third exception, in the case at hand, the CJEU restated that the “one-stop shop” mechanism and the competence of the LSA as a rule does not apply where the GDPR itself does not apply. In particular, the CJEU notes that following Opinion 5/2019 of the EDPB, storing and obtaining access to personal data by means of cookies fall within the scope of Directive 2002/58/EC4  and does not result in the application of the “one-stop shop” mechanism. “On the other hand, the court says, all earlier processing operations, and all subsequent processing activities, with respect to that personal data, by means of other technologies, do fall within the scope of Regulation 2016/679, and consequently within the scope of the ‘one‑stop shop’ mechanism.”

1 i.e. a supervisory authority which (i) has received a complaint or which is established in a Member State where (ii) the controller or processor is also established, or (iii) the data subjects are substantially affected or likely to be substantially affected by the processing.
2 i.e. the supervisory authority of the main establishment or of the single establishment of the controller or processor.
3 i.e. any processing taking place in the context of the activities of establishments in more than one Member State of a controller or processor or in the context of the activities of its single establishment in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
4 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) as amended by Directive 2006/24/EC and Directive 2009/136/EC.