The GDPR’s “one-stop-shop” mechanism can only apply to companies with a “lead supervisory authority,” and the latter requires the existence of at least a single establishment in the E.U. Companies without an establishment in the E.U. are legally incapable of designating a lead supervisory authority or having one designated for them. In this first installment of a two-part guest article series, Frank Fine, director at EC Competition Law Advocates in Brussels, lays out how, without a lead supervisory authority, companies lacking an E.U. establishment are subject to greater burdens than those with a single or main E.U. establishment. He also addresses how a lead authority can be identified when a company has an E.U. presence. The second article
will discuss options when there is no E.U. presence and the potential unintended consequences of the GDPR that may damage the law’s credibility if not addressed. See “Irish DPC Helen Dixon on GDPR Enforcement Hurdles One Year In
” (May 29, 2019).