The GDPR was created in such a manner to provide the same data privacy rights to data subjects throughout the EEA. The European Data Protection Board (EDPB) has provided a report on how this is working so far, “First overview on the implementation of the GDPR and the roles and means of the national supervisory authorities”.
The overview speaks specifically to the articles within the GDPR which facilitate an “all for one and one for all” mentality. Article 56, provides for a lead supervisory authority reducing redundancies in the work supervisory authorities are doing. Article 60, goes on to explain the One-Stop-Shop relationship between the lead supervisory authority and others supervisory authorities which may be involved in a single case. Article 61, provides guidance regarding how supervisory authorities shall assist one another in maintaining consistent implementation of the GDPR, such as providing information when requested. Article 62, extends the support provided in art. 61 to provide opportunities to work even more closely together through joint operations, such as joint investigations. In order to provide additional guidance if an agreement cannot be reached between the different supervisory authorities, Articles 64, 65 and 66 provide powers to the EDPB to resolve such disputes and provide opinions.
All of the mechanisms built into the GDPR to facilitate the regulation being implemented in a consistent manner and cases being handled in a way that prevents duplication of efforts have been successful. Within the first few months after the application of the GDPR:
- 45 One-Stop-Shop procedures, 6 of which have already accepted the final decisions of the lead supervisory authority;
- 642 requests to identify a lead supervisory authority in cross-border cases have been initiated, 306 of which have been successfully closed and none have been disputed;
- 444 requests have been made for formal assistance from other supervisory authorities, 353 of these have been completed, being answered within 23 days, and the 91 remaining cases are still ongoing;
- and the EDPB has endorsed 16 guidelines prepared by their predecessors, the Article 29 Working Party, and adopted 5 additional guidelines.
The EDPB states that some mechanisms, such as dispute resolution or joint operations, have yet to be put into practice because the supervisory authorities are truly working together to implement and enforce the GDPR consistently throughout the EEA.
The statistics of cases from the last nine months show a functioning system of organizations who all have one goal in mind, protecting personal data of data subjects in the EEA. In the overview shows, through documentation of cross boarder cases/cooperation, enforcement and supervisory authorities’ growth that not only is the system working but the need for such a system is recognized and supported by the individual nations within the EEA.