GDPR: Sanctions can be imposed in multiple countries

11. 1. 2023
GDPR: Sanctions can be imposed in multiple countries

The European data protection system, the famed GDPR, has undergone a major change following a ruling by the Court of Justice of the European Union. This change consists in partially breaking through the principle of the single supervisory authority jurisdiction derived from the seat of the controlled company. This principle meant that compliance, breaches and potential sanctions were overseen by one specific authority in one single country.

There was little to complain about in theory, but in practice it meant that companies that found it worthwhile to optimize their headquarters, by whatever means, ended up grouped in one country - Ireland. As these were companies such as Meta, Google and Twitter, the Irish supervisory authority has been hopelessly and long term overwhelmed.

The Court therefore ruled that in cases of particular merit and where a breach of the GDPR occurs directly in a particular state, it is possible to break thought this jurisdiction and exercise supervision through local authorities in other Member States. The positives of this decision are undoubtedly that states will now be able to coordinate their supervisory duties more effectively between authorities of multiple states (as the court itself mentions). However, on the flip side, the entities obliged under the GDPR, which are not just giant tech companies, this brings the potential for a crippling amount of supervisory proceedings.

Even the Czech Office for Personal Data Protection can also deal with complaints about personal data breaches that have occurred in the Czech Republic (not only in the everyday use of services such as Facebook or Google).

Newsletter - Stay up to date

We deliver directly to your e-mail

Copy image to check against spam.
A test to determine whether or not you are a human user in order to prevent automated spam.
© Schaffer & Partner 2023 | Created by:
Move up