In the judgment of June 15th 2021, the Grand Chamber of the Court of Justice of the European Union clarified the conditions for the exercise, by national supervisory authorities, of powers regarding the cross-border processing of data.
The Cort held that “under certain conditions, a national supervisory authority may exercise its power to bring any
alleged infringement of the GDPR before a court of a Member State and to initiate or engage in legal proceedings in relation to an instance of cross-border data processing, even though that authority is not the lead supervisory authority with regard to that processing”.
The judges specified all the circumstances under which an authority can exercise the aboved mentioned powers. They also added that the GDPR provides for the ‘one-stop shop’ mechanism, based on an allocation of competences between one lead supervisory authority and the other national supervisory authorities concerned, which requires cooperation between the two authorities. Moreover, in the context of that cooperation, the lead supervisory authority may not ignore the views of the other supervisory authorities.