EDPB adopts opinion on “main establishment” of a controller in the EU
The question
What is meant by “main establishment” under article 4(16)(a) of the GDPR for the purposes of determining the application of the one-stop-shop mechanism?
The key takeaway
The European Data Protection Board (EDPB) has clarified in a recent Opinion that for a controller’s “place of central administration” or “another establishment of the controller” to be considered a “main establishment” for the purposes of Article 4(16)(a), it must be based in the EU and take the decisions on the purposes and means of the processing of personal data and have power to have these decisions implemented.
The background
The GDPR contains a “one-stop-shop mechanism” which allows controllers engaged in cross border EU data processing and who have a “main establishment” to deal with a single lead supervisory authority for most of its processing activity. The supervisory authority of the EU member state where that controller’s “main establishment” is located will be the lead supervisory authority.
There has previously been some ambiguity in Article 4(16)(a) as to whether the same criteria apply to “places of central administration” and other “establishments of the controller” when assessing if a controller has a “main establishment”.
On 10 October 2023, the French Supervisory Authority (FR SA) requested the EDPB to issue an opinion on the notion of “main establishment” of a controller under Article 4(16)(a), and on the criteria for the application of the one-stop-shop mechanism, particularly in reference to a controller’s “place of central administration”.
The development
First, the EDPB noted that “place of central administration” is not defined in the GDPR but should be understood in the wider context of EU law as being the place where the most important decisions of an organisation are taken.
With regard to the specific question raised by the FR SA, the EDPB concluded that:
- a controller’s “place of central administration” can only be considered as a “main establishment” under Article 4(16)(a) if it takes the decisions on the purposes and means of the processing of personal data and it has power to have these decisions implemented. A controller’s “place of central administration” will therefore not necessarily be a “main establishment”, and “another establishment” of the controller may instead be its “main establishment” if it is taking the decisions on the purposes and means of the processing of personal data and has the power to have those decisions implemented;
- a controller’s “place of central administration”/other establishment can also only be considered a “main establishment” if it is in the EU. Therefore, when the decisions on the purposes and means of processing and the power to have such decisions implemented are exercised outside of the EU, there will be no “main establishment” under Article 4(16)(a) GDPR, and the one-stop-shop mechanism should not apply.
Why is this important?
Where organisations rely on the one-stop-shop mechanism, their lead supervisory authority will have primary responsibility for supervising the majority of their processing activity.
Organisations need to understand how they are regulated, and by clarifying what is meant by a “main establishment” under article 4(16)(a) of the GDPR, this EDPB opinion provides useful guidance on when the one-stop-shop mechanism might apply, and if it does, which supervisory authority is likely to have principal responsibility for supervising a controller organisation’s processing activity.
Any practical tips?
The burden of proof in demonstrating where a controller’s processing decisions are taken and where the power to implement such decisions lies ultimately falls on controllers, and so controller organisations will need to carry out a self-assessment if they intend to rely on the one-stop-shop mechanism. The EDPB suggests as an example that an organisation’s privacy policy and its Article 30 record of processing activity may be relevant elements to consider as part of this assessment.
Controllers should also note that all competent supervisory authorities (ie not just the lead authority) retain the right to challenge any such assessment, and have a corresponding right to request further information from controllers. Controller organisations should therefore carry out any assessment objectively by reference to their actual processing activities, whilst being mindful that the GDPR does not permit “forum shopping” in the identification of the “main establishment”.
Spring 2024
Stay connected and subscribe to our latest insights and views
Subscribe Here