EDPB clarifies “main establishment” and the GDPR One‑Stop‑Shop: definition, scope, and impact on non‑EU companies


The European Data Protection Board (EDPB) has reiterated how organizations should determine their “main establishment” in the EU and when they can rely on the GDPR’s One‑Stop‑Shop (OSS) mechanism. For Ukrainian companies serving EU users, these clarifications affect how you interact with regulators and whether a single “lead supervisory authority” can coordinate cross‑border cases.

What is the One‑Stop‑Shop (OSS)?

The One‑Stop‑Shop is a procedural framework that lets organizations with a genuine EU “main establishment” deal primarily with one data protection authority—the lead supervisory authority (LSA)—for cross‑border processing. In practice, this can reduce administrative overhead, provide more predictable timelines, and streamline investigations.

  • Definition: A mechanism under GDPR that centralizes oversight for cross‑border processing.
  • Lead supervisory authority: The DPA of the Member State where the main establishment is located.
  • Benefit: Fewer parallel procedures and coordinated regulatory outcomes.

How to identify your “main establishment”

The EDPB stresses substance over form. The main establishment is where strategic decisions about the purposes and means of processing are actually made—and where there is authority to implement those decisions.

  • Controllers: Must show EU‑based decision‑making on purposes and means.
  • Processors: Focus on where main administrative functions occur in the EU.
  • Evidence: Governance charts, committee minutes, policy sign‑offs, and implementation records located in the EU.

What the OSS is not

Appointing an EU representative under Article 27 does not create an EU “establishment” and does not qualify a company for the OSS. Even with an LSA, “concerned supervisory authorities” across the EU can still be involved in a case and can object to the LSA’s draft decisions.

  • Article 27 ≠ OSS eligibility
  • OSS ≠ immunity from other authorities
  • Establishment requires real decision‑making in the EU

Implications for Ukrainian companies

If you target EU users or monitor behavior in the EU but lack a genuine EU establishment, you cannot rely on the OSS. You must appoint an EU representative and be ready to engage with multiple authorities when necessary.

  • Article 27 representative: Mandatory disclosure in your privacy notice.
  • Multi‑authority readiness: Consolidate records and response templates.
  • Timelines: Align incident response with the 72‑hour breach notification (Art. 33 GDPR).

Practical compliance steps

  • Governance mapping: Document where privacy decisions are taken and implemented.
  • Record of Processing Activities (RoPA, Art. 30 GDPR): Keep a consolidated, regulator‑ready version.
  • Transfers to Ukraine: Use Standard Contractual Clauses (SCCs), conduct transfer impact assessments (TIAs), and apply supplementary measures where the assessment requires them.
  • Public disclosures: Keep representative details, purposes, and contact points clear.

Key takeaway

The OSS streamlines oversight for organizations truly established in the EU. For non‑EU companies, Article 27 representation and multi‑authority engagement remain essential pillars of GDPR compliance.
