EDPB’s register of one-stop-shop decisions now live

The register of one-stop-shop decisions is now live on the EDPB website. It contains access to summaries and final decisions adopted by the Lead Supervisory Authorities (LSAs), working together with other concerned authorities. The decisions concern a range of data protection compliance issues, in particular, data subject rights; lawfulness of processing, data breaches, security, and transparency requirements. In many cases, the LSAs concluded there was no violation of the GDPR. In the event there was a violation, the LSAs, for the most part, issued reprimands or compliance orders, rather than fines.

Fines imposed by LSAs included:

  • €8,000 fine imposed by the Maltese LSA for breach of Art.15 GDPR, where the controller did not have adequate procedures in place to deal with a data subject access request. This resulted in the complainant being deprived of the right of access to her personal data within the statutory time-limit.​
  • €15,000 fine imposed by the Maltese LSA for breach of Art.21 GDPR, where the controller did not have adequate procedures in place to deal with the complainant’s right to object. The controller also infringed Art. 31 GDPR by not cooperating with the LSA. A further €2,000 fine was imposed for breaching several provisions of national law relating to unsolicited communications.
  • €61,500 fine (2.5% of the controller’s total annual worldwide turnover) imposed by the Lithuanian LSA for breach of the data minimisation and storage limitation GDPR principles (Art. 5); breach of the transparency requirements (Art.14); unlawful processing of personal data (Art.6); failure to implement appropriate security measures (Art.32), and failure to notify the data breach to the SA (Art.33).

Due to national legal restrictions, none or only some decisions of certain supervisory authorities (SAs) will be available on the one-stop-shop register, including decisions by certain German regional SAs, the Luthianian SA, Netherlands SA, and the Spanish SA. Decisions of some other SAs will not include personal data relating to natural or legal persons.

For more information on this topic please contact Davinia Brennan, Associate or any member of the A&L Goodbody Commerical & Technology team.

Date published: 30 June 2020