Lessons from Google’s Geographical GDPR Goof

Moreover, GDPR is known for a “one-stop shop mechanism” that generally allows organizations to be subject primarily to the DPA governing the member-state in which the organization’s principal place of business within the EU is located. According to the CNIL’s ruling (link in French), justifying its authority:

In other words, Google’s principal place of EU business specifically related to the data practices at issue was in the US — where no EU member-state’s DPA has inherent priority over another. How to keep a one-stop shop

According to Deborah Shinbein Howitt, Director at Denver law firm Lewis Bess Williams & Reese, there are some takeaways here to help an international organization benefit from the “one-stop shop” jurisdiction it prefers — and not botch things so badly as to suffer Google’s fate:

“[T]he company must ensure that the data controller and the key decision makers regarding personal data are in fact located in the desired country,” says Shinbein Howitt.

Source: www.dmnews.com