A decision of the European Court of Justice in a lawsuit filed by the Belgian Data Protection Authority against Facebook in front of the Belgian Court helps to clarify the interpretation among the so-called mechanism of the “one-stop-shop” and other GDPR disposals.
On the 15th of June 2021, the European Court of Justice has pronounced itself on a lawsuit filed by the Belgian Data Protection Authority against Facebook in 2015 on the recollection of personal data of Belgian citizens.
The case has provided the opportunity to assess, among other things, the portability of the article 58, paragraph 5, of the GDPR, which requires that any supervisory authority of a member state has the power to propose an action in front of national courts.
In particular, there was the need to clarify how this disposal is adopted to the so called mechanism of “one-stop-shop”, based on which the supervisory authority of the country in which the data controller has its main establishment (the main supervisory authority) can, regularly, decide if the data controller has breached the legislation of personal data protection.
In its decision, the EUCJ has confirmed, among other things, that it is possible in some situations for a supervisory authority which is not the main supervisory authority to propose an action in front of a court of national judges against a company which has its main establishment in another member state, pursuant to the article 58, paragraph 5. Anyway, this shall be done in compliance with the mechanism of the “one-stop-shop” and can be required in specific situations, for example when the main supervisory authority has indicated that it will not process the case.
SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELLA DANIMARCA