On June 15, 2021, the Court of Justice of the European Union (“CJEU”) rendered a decision (press release here, full judgment here) addressing whether a European supervisory authority (“SA”) that is not the “Lead SA” (as defined in Article 56 GDPR) has competence to bring a case for an alleged violation of the General Data Protection Regulation (“GDPR“) before a national court in instances where the alleged violation involved the processing of personal data across multiple EU Member States.  In such scenarios, a controller with a main establishment in Europe will typically seek to benefit from the so-called “one-stop-shop” principle under Article 56 GDPR, meaning the controller would need to answer to only one SA rather than be subject to enforcement actions brought by numerous SAs.

In summary, the CJEU decided on the five legal questions presented as follows:

(1) SAs must respect the one-stop-shop principle.  According to the CJEU, “authorities concerned” (in contrast to the Lead SA) should not engage in enforcement actions except in exceptional circumstances, such as emergency cases, where the Lead SA indicates it will not intervene or where the Lead SA is not cooperative.  This same rationale applies to the SAs’ competence to bring a case before a national court – in principle, they do not have such competence unless one of the exceptions to the one-stop-shop principle applies.  Or in the words of the Court:

“[…] in relation to the cross-border processing of personal data, the competence of the lead supervisory authority for the adoption of a decision finding that such processing is an infringement of the rules […] constitutes the rule, whereas the competence of the other supervisory authorities concerned for the adoption of such a decision, even provisionally, constitutes the exception” (para. 63).

The CJEU rejected arguments raised by the Belgian SA that advocated for a broader interpretation of the right of anSA concerned to bring a case before a national court.

Turning to the other questions presented, which assume that the SA concerned has competence to bring a case, the CJEU held as follows:

(2) An SA can bring a case before a court in an EU Member State, whether or not the controller has its main establishment (or indeed any establishment) in that Member State.

(3) The CJEU confirmed again that the concept of “processing in the context of the activities of an establishment” (Art. 3(1) GDPR), first articulated in the well-known Google Spain case, must be interpreted broadly.  Accordingly, an SA can bring a case against the main establishment of the controller or against any establishment of the controller if the processing of personal data concerned occurs in the context of that establishment’s activities.

(4) Cases initiated by an SA prior to the GDPR entering into force can proceed, regardless of the one-stop-shop principle now available under Article 56 GDPR.

(5) Article 58(5) GDPR, which allows SAs to bring alleged GDPR violations to court, has direct effect.  As such, EU Member States do not have to elaborate on this issue in their national laws for an SA to assert its competence in this manner.