Important question about the GDPR “one –stop shop” mechanism referred to the ECJ

On May 8, 2019, the Brussel’s Court of Appeal referred certain questions to the Court of Justice of the European Union (CJEU) to ensure that the Belgian Data Protection Authority (DPA) can pursue the case against Facebook also after the GDPR entered into force. In particular, the questions is whether the one-stop shop mechanism (which allows for a new cooperation mechanism between EU DPAs) also allows a DPA to initiate a proceeding before an EU court if it is not the lead supervisory authority.[1] 

Read here on one-stop shop.

By way of background.

In 2018, the Belgian Court of First Instance found to be competent and deemed Facebook liable for violation of Belgian privacy law for using cookies to track behaviors of users browsing from Belgium. See here. Facebook appealed.

The Belgian Court of Appeal decided to refer the case to the CJEU to rule on whether the Belgian DPA has the authority to pursue its legal action against Facebook. See here.

The question that the ECJ will have to decide is substantially this: can a DPA, which not the lead supervisory authority, sue a controller in front of the DPA’s domestic court for cross-border processing violation? [1]

We look forward to the ECJ’s interpretation of this important point?


The preliminary questions are available at…

Read here for some examples of application of one-stop shop?

Read more here on the erosion of the one-stop shop?


For more information on how to make your privacy policy compliant with EU data protection, contact Francesca Giannoni-Crystal and Federica Romanelli


[1]. Preliminary Questions.

  • Are the articles of the GDPR, which determine the competence of and cooperation between supervisory authorities in the context of cross-border processing activities, read in conjunction with the articles of the Charter of Fundamental Rights of the European Union which set out the principles of respect for private and family life, protection of personal data, and the right to an effective remedy and a fair trial, to be interpreted as meaning that a supervisory authority which has the power to initiate legal proceedings against infringements of the GDPR before a domestic court cannot exercise that power in relation to cross-border processing, if it is not the lead supervisory authority?
  • Does it make a difference if the controller of the cross-border processing does not have its main establishment in that member state, but has another establishment there?
  • Does it make a difference whether the national supervisory authority initiates the proceedings against the main establishment of the controller or against the entity established in its own member state?
  • Does it make a difference if the national supervisory authority has already initiated the proceedings before the date upon which the GDPR entered into force (May 25, 2018)?
  • If the response to the first question is positive, does this mean that the article of the GDPR, which provides that each member state’s domestic law must grant its supervisory authority the power to bring infringements of the GDPR before judicial authorities and to otherwise engage in legal proceedings where appropriate, has direct effect, such that a national supervisory authority can rely on this article to initiate or continue judicial proceedings against private actors, even if this article has not specifically been transposed into member state law, notwithstanding that such is required?
  • If the response to the previous questions is positive, could the result of such proceedings obstruct a contrary finding of a lead supervisory authority, where the lead supervisory authority would be investigating the same or similar cross-border processing activities in accordance with the mechanism of the GDPR which determines the competence of and cooperation between supervisory authorities in the context of cross-border processing activities?