Study Guide: Certified Information Privacy Professional (CIPP): EU - One-Stop-Shop Mechanism and Cross-Border Enforcement
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-eu-onestopshop-mechanism-and-crossborder-enforcement

Certified Information Privacy Professional (CIPP): EU - One-Stop-Shop Mechanism and Cross-Border Enforcement

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


What This Is

The One-Stop-Shop (OSS) mechanism is the GDPR's "single point of contact" model for cross-border processing: one lead supervisory authority (LSA), the authority of the Member State in which the controller or processor has its main establishment, coordinates supervision across the EU/EEA and acts as the organisation's sole interlocutor (Art. 56(6)). It matters because it spares a multinational from answering the same questions to dozens of separate regulators, while still giving every affected authority a formal say. Imagine an e-commerce platform that sells to customers in Germany, France, and Spain and whose central administration (its main establishment) is in Ireland. Under the OSS, the Irish Data Protection Commission leads any investigation as LSA, and the German, French, and Spanish authorities take part as "supervisory authorities concerned" through the cooperation procedure of Art. 60, with the European Data Protection Board (EDPB) resolving any dispute. What anchors the LSA is the main establishment, not the location of the servers: merely hosting the data in Ireland would not make the Irish authority the lead.


Key Terms & Provisions

  • Lead Supervisory Authority (LSA): The supervisory authority of the Member State where the controller or processor has its main establishment (GDPR Art. 56(1)). It leads the cross-border investigation and is the organisation's sole interlocutor (Art. 56(6)).
  • Main Establishment: For a controller with establishments in more than one Member State, the place of its central administration in the Union, unless decisions on the purposes and means of processing are taken in another establishment that has the power to implement them (GDPR Art. 4(16)). For a processor it is its central administration in the Union or, failing that, the establishment where its main processing activities take place. Example: a U.S. tech firm whose EU headquarters in Dublin takes the processing decisions. A headquarters outside the Union is not a main establishment.
  • Cross-Border Processing (Art. 4(23)): Processing in the context of establishments in more than one Member State, or processing in a single establishment that substantially affects, or is likely to substantially affect, data subjects in more than one Member State. Only cross-border processing triggers the OSS.
  • Territorial Scope (GDPR Art. 3): The GDPR applies to processing in the context of an EU establishment regardless of where the processing takes place (Art. 3(1)), and to non-EU controllers or processors that offer goods or services to, or monitor the behaviour of, data subjects in the Union (Art. 3(2)).
  • Supervisory Authority Concerned (Art. 4(22)): Any other authority that is affected because the controller or processor has an establishment in its Member State, because data subjects there are substantially affected, or because a complaint was lodged with it. The GDPR has no "co-lead": where a controller and its processor have main establishments in different Member States, the controller's authority leads and the processor's authority is a supervisory authority concerned (Recital 36).
  • European Data Protection Board (EDPB): The EU-wide body of the national authorities and the EDPS (Art. 68-76) that issues guidelines (Art. 70), opinions (Art. 64) and, in disputes, binding decisions (Art. 65) to keep enforcement consistent.
  • Consistency Mechanism (Art. 63-67): The formal process for keeping authorities aligned: Board opinions on certain draft measures (Art. 64), dispute resolution ending in a binding EDPB decision (Art. 65), and an urgency procedure allowing an authority to adopt provisional measures for up to three months (Art. 66).
  • Cross-Border Data Transfer (Art. 44-50): Transfers outside the EU/EEA must rely on an adequacy decision (Art. 45), appropriate safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) (Art. 46-47), or an Art. 49 derogation. The transfer rules are separate from the OSS, which governs who supervises the processing.
  • Joint Controllership (Art. 26): When two or more controllers jointly determine the purposes and means of processing, they must set out their respective responsibilities in an arrangement and may designate a contact point for data subjects. Art. 26 itself names no "lead controller"; the EDPB-endorsed guidelines on identifying the LSA (WP244 rev.01) suggest joint controllers designate which of their establishments has the power to implement decisions about the joint processing, and that establishment is then treated as the main establishment for it.
  • Supervisory Authority Cooperation (Art. 60-62): The LSA circulates a draft decision to the authorities concerned, which may raise "relevant and reasoned objections" within four weeks (Art. 60); authorities must provide mutual assistance (Art. 61) and may conduct joint operations (Art. 62).
  • Enforcement Powers (Art. 58, Art. 83): Investigative and corrective powers (Art. 58), including orders, a temporary or definitive limitation or ban on processing (Art. 58(2)(f)) and administrative fines (Art. 58(2)(i)) of up to €20 million or 4% of total worldwide annual turnover, whichever is higher (Art. 83(5)).

Step?by?Step / Process Flow

  1. Map the Cross-Border Structure – Identify every EU establishment of the controller and of its processors, where decisions on purposes and means are actually taken, any joint-controller arrangements, and which processing is cross-border under Art. 4(23). A company with no EU establishment cannot use the OSS at all; it deals with each local authority through its Art. 27 representative.
  2. Determine the Lead Supervisory Authority – The authority of the Member State of the controller's main establishment (Art. 56(1)); for a processor's own obligations, the authority of the processor's main establishment. Document the LSA and the supervisory authorities concerned (Art. 4(22)): the processor's authority, any authority where data subjects are substantially affected, and any authority where a complaint is lodged. Record the reasoning, because authorities test it and naming a convenient establishment to pick a lenient regulator ("forum shopping") does not survive scrutiny.
  3. Consult the LSA Where Required – For high-risk processing (e.g., large-scale profiling) carry out a DPIA (Art. 35); if a high residual risk remains, the prior consultation under Art. 36 is addressed to the LSA.
  4. Keep the Cooperation Record Ready – Keep the DPIA, data-flow diagrams, records of processing (Art. 30) and security measures in a form the LSA can pass on, because it is the LSA, not the organisation, that circulates material to the authorities concerned. The organisation deals only with the LSA as its sole interlocutor (Art. 56(6)).
  5. Respond to Investigations – Whether the LSA opens an inquiry itself or a complaint lodged with another authority (Art. 77) is referred to it, provide evidence to the LSA. The LSA prepares a draft decision and circulates it to the authorities concerned under Art. 60; they have four weeks to raise relevant and reasoned objections, and the LSA must either follow them or refer the dispute to the EDPB.
  6. Implement the Final Decision – The LSA adopts the final decision, on the basis of an EDPB binding decision under Art. 65 if there was a dispute, and notifies it to the main establishment; the authority that received a complaint informs the complainant (Art. 60(7)). Apply the corrective measures across all affected establishments and document compliance for audit purposes.

Common Mistakes

Mistake: Assuming each Member State can impose its own fine independently of the OSS. Correction: For cross-border processing the LSA drafts the decision, including any fine; the other authorities influence it by raising relevant and reasoned objections under Art. 60, and an unresolved dispute goes to the EDPB for a binding decision (Art. 65). The exceptions are "local cases" that a single authority may handle alone (Art. 56(2)) and provisional measures under the urgency procedure (Art. 66).
Mistake: Ignoring the processor's authority when a processor's main establishment is in a different Member State. Correction: The controller's authority remains the LSA; the processor's authority is a supervisory authority concerned (Recital 36), not a co-lead. Involve the processor early so that evidence on its own obligations (Art. 28, Art. 32) reaches the LSA once rather than through duplicated requests.
Mistake: Believing the OSS only applies to controllers. Correction: Art. 56(1) covers controllers and processors alike; a processor has its own LSA for its own obligations. Joint controllers do not get a "lead controller" from Art. 26; EDPB guidance (WP244 rev.01) suggests they designate which establishment implements decisions about the joint processing so that one main establishment, and therefore one LSA, can be identified.
Mistake: Treating "targeting" of people in the EU as optional for non-EU companies. Correction: Under Art. 3(2), offering goods or services to, or monitoring the behaviour of, data subjects in the Union triggers the GDPR even without an EU establishment. Such a company does not benefit from the OSS, though: every authority is competent on its own territory, and the company must appoint a representative in the Union (Art. 27).
Mistake: Assuming SCCs or another transfer tool settle the question of supervision. Correction: SCCs address the lawfulness of the transfer; the OSS still determines which authority supervises the processing and how the authorities cooperate.

CIPP Exam Insights

  1. Lead vs. Concerned Authority – Exams like to ask which authority leads when a processor's main establishment is in a different Member State. Remember: the controller's authority leads; the processor's authority is a supervisory authority concerned, not a "co-lead".
  2. Article Numbers – Art. 4(16) (main establishment), Art. 4(22) (supervisory authority concerned), Art. 4(23) (cross-border processing), Art. 56 (lead authority), Art. 60 (cooperation), Art. 63-65 (consistency mechanism and binding decisions). Art. 55 is the general competence rule, not the OSS.
  3. Joint-Controller Question – A frequent trap: "If two controllers share a website, who is the lead?" Each controller's LSA follows its own main establishment; under EDPB guidance the joint controllers may designate the establishment that implements decisions for the joint processing, and that establishment anchors a single LSA for it. The Art. 26 arrangement allocates responsibilities between the controllers; it does not pick an authority.
  4. EDPB Binding Decisions – Once the EDPB adopts a binding decision under Art. 65, the LSA must adopt its final decision on that basis (Art. 65(6)); it cannot override the Board.

Quick Check Questions

  1. Scenario: A French retailer with its head office in France processes customer data there, but its IT infrastructure is hosted in a data centre in the Netherlands. The retailer receives a data subject access request (DSAR) from a German consumer.
    Answer: The French authority (CNIL) is the LSA because the retailer's main establishment is in France; the Dutch data centre has no bearing on competence. The retailer answers the DSAR itself under Art. 15, within one month (Art. 12(3)). If the consumer instead lodges a complaint with the German authority (Art. 77), that authority becomes a supervisory authority concerned and refers the matter to the French LSA, which coordinates any follow-up.
    Explanation: The LSA is tied to the controller's main establishment, not to the location of the data centre or of the data subject.

  2. Scenario: A U.S. SaaS provider with an EU subsidiary in Ireland, where its processing decisions are taken, acts as processor for a Spanish client that uses the service to process its own employees' data. The Spanish authority opens an investigation.
    Answer: The Spanish client is the controller and its main establishment is in Spain, so the Spanish authority (AEPD) is the LSA for the client's processing. The Irish authority is the LSA only for the SaaS provider's own obligations as processor (Art. 28, Art. 32, Art. 33) and, for the client's processing, a supervisory authority concerned. The two cooperate under Art. 60, with the controller's authority in the lead.
    Explanation: The LSA follows the controller's main establishment. A processor's authority takes part as an authority concerned, not as a second lead.

  3. Scenario: A German health-tech firm and an Italian hospital are joint controllers and, following EDPB guidance, have designated the German firm's establishment as the one that implements decisions about the joint processing. A data breach affects patients in Italy. Who issues the enforcement notice?
    Answer: The German authority is the LSA for the joint processing and prepares the draft decision. The Italian authority is a supervisory authority concerned (the hospital is established in Italy and the affected data subjects are there) and can raise relevant and reasoned objections under Art. 60; if the two cannot agree, the EDPB settles the dispute with a binding decision (Art. 65). In an emergency the Italian authority may also adopt provisional measures for up to three months under Art. 66.
    Explanation: The LSA of the designated main establishment has primary enforcement responsibility under the OSS, but the authorities concerned shape the outcome through the cooperation and consistency mechanisms.


Last-Minute Cram Sheet (10 One-Liners)

  1. GDPR Art. 56(1) – The authority of the main establishment is the Lead Supervisory Authority; Art. 56(6) makes it the sole interlocutor.
  2. GDPR Art. 4(22) – Supervisory authority concerned: an establishment, substantially affected data subjects, or a complaint lodged there. The processor's authority is "concerned", not "co-lead".
  3. GDPR Art. 63-65 – Consistency mechanism: Board opinions (Art. 64) and binding dispute decisions (Art. 65). Exam trap: consistency is mandatory, not optional.
  4. GDPR Art. 3 – Establishment in the Union (Art. 3(1)) or offering goods/services to, or monitoring, data subjects in the Union (Art. 3(2)). No EU establishment means the GDPR applies but the OSS does not.
  5. Joint Controllers (Art. 26) – The arrangement allocates responsibilities; the LSA follows the establishment designated to implement decisions (EDPB guidance), not a "lead controller" named in the Article.
  6. Maximum fine – €20 million or 4% of total worldwide annual turnover, whichever is higher (Art. 83(5)).
  7. EDPB – Replaced the Article 29 Working Party; its Art. 65 decisions bind the authorities concerned, its guidelines do not.
  8. Cross-border transfer – Adequacy decisions, SCCs and BCRs (Art. 44-50) are transfer tools; they do not change who supervises the processing.
  9. Cooperation (Art. 60-62) – Draft decision, four weeks for objections, mutual assistance, joint operations.
  10. Powers (Art. 58) – Orders, bans and fines sit with the LSA for cross-border cases; authorities concerned act through objections (Art. 60), local cases (Art. 56(2)) or urgency measures (Art. 66).

Use this guide to walk through the OSS workflow, spot the exam-style traps, and keep the key article numbers at your fingertips. Good luck!