On February 13, 2024, the European Data Protection Board (“EDPB”) adopted an opinion on the notion of “main establishment” of a controller in the context of Article 4(16)(a) of GDPR. The opinion aims to clarify (i) the relevant conditions for the determination of whether a controller has a “main establishment” in the EU, for controllers that have more than one establishment in the EU; and (ii) the application of the so-called “one-stop-shop” mechanism in these scenarios.
We provide below an overview of the EDPB’s opinion.
Existing EDPB guidelines, such as those relating to the identification of a lead supervisory authority (see our previous blog post), have yet to consider in detail the notion of “main establishment” under Article 4(16)(a) of GDPR, defined as “the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment”. This opinion intends to address this gap in regulatory guidance, following a request by the French supervisory authority.
Firstly, the EDPB recalls that the GDPR does not permit “forum shopping” with regard to identifying a “main establishment” in the EU. The determination should be based on objective criteria, rather than on a subjective designation by the controller.
Secondly, the EDPB discusses the meaning of an organization’s “place of central administration”, as interpreted in other areas of EU law, where it is commonly understood to be the “real seat” of a company, i.e., the head office from which central management and control are exercised.
In its opinion, the EDPB concludes the following key points:
- A controller’s “place of central administration” may qualify as its “main establishment” if two cumulative conditions are met, namely: the controller (i) takes decisions concerning the purposes and means of processing; and (ii) has the power to have these decisions implemented;
- The one-stop-shop mechanism may only apply if there is evidence that one of the controller’s EU establishments meets the two cumulative conditions mentioned in the first point above;
- Where none of the EU establishments actually takes decisions on the purposes and means of processing, or has the power to have those decisions implemented – because those powers are exercised from outside the EU – there is no “main establishment” in the EU, and the one-stop-shop mechanism does not apply;
- Relating to the practical application of the concept by supervisory authorities (“SAs”), the burden of proof falls on controllers, which also have a duty to cooperate with SAs in relation to this assessment. To substantiate their claim, controllers may rely on elements such as records of processing activities and privacy policies; and
- SAs retain the power to challenge the controller’s claim based on an objective examination of the relevant facts, with the possibility of requesting further information.
***
The Covington Privacy and Cybersecurity team is happy to assist with any inquiries related to establishment in the EU from a GDPR perspective, as well as other data protection and cybersecurity matters.
(This blog post was drafted with the contribution of Diane Valat.)