In the draft guidelines 3/2018 on the territorial scope of application of the DSGVO (Article 3), the EDPB also confirms that, in the absence of an establishment in the Union, a controller or processor cannot benefit from the one-stop shop mechanism provided for in Article 56 of the DSGVO. The DSGVO’s cooperation and consistency mechanism applies only to controllers or processors with one or more branches within the European Union.
This means that in the event of data protection violations, all EU data protection authorities must be notified in the areas in which data subjects are present.