Main establishment under GDPR: European Data Protection Board publishes Opinion

Under Article 4(16)(a) GDPR, the “main establishment” of a data controller with establishments in more than one Member State is the place of its central administration in the EU (“PoCA”) unless the decisions on the purposes and means of the processing are taken in another establishment of the controller in the EU, and that latter establishment has the power to have such decisions implemented. The one-stop-shop concept under Article 56 GDPR permits controllers established in multiple EU Member States to deal with one lead supervisory authority (“SA”) when performing cross-border data processing activities. The GDPR provides that this will be the SA of the main establishment of the controller. This was intended to give legal certainty to controllers by requiring them to engage with one SA instead of several local supervisory authorities. Where there is no main establishment in the EU, any SA remains competent to take action against the data controller as appropriate.

On 13 February 2024, the European Data Protection Board (“EDPB”), an independent body tasked with ensuring consistent application of the GDPR and which is composed of the heads of the national data protection SAs, published an Opinion on the meaning of “main establishment.” In particular, it examines the two options under Article 4(16)(a): (i) the controller’s PoCA or (ii) another establishment of the controller in the EU where decisions on the purposes and means of the processing are taken and which has the power to have such decisions implemented. The EDPB considers whether the first option, the controller’s PoCA, should be considered its main establishment only if, as is expressly required for the second option, it takes the decisions on the purposes and means of the processing and has the power to have such decisions implemented. Based on an examination of the background to the GDPR and its context, including Recital 36, the EDPB opines that it should (even though the text of the Article does not state this explicitly).

Further, the EDPB considers that the one-stop-shop mechanism can only apply if there is evidence that one of the establishments in the EU of the controller takes the decisions on the purposes and means for the relevant processing operations and has the power to have these decisions implemented. Therefore, when the decisions on the purposes and means and the power to have such decisions implemented are exercised outside of the EU, there is no main establishment under Article 4(16)(a) GDPR and the one-stop-shop mechanism should not apply.

As to how this is determined in practice, the Board states that the burden of proof in relation to the place where the relevant processing decisions are taken and where there is the power to implement such decisions in the EU ultimately falls on controllers. However, SAs retain the ability to challenge the controller’s claim. In particular, determining a place of central management in the EU (e.g. regional headquarters) constitutes a starting point that helps the SAs to identify where the decisions on the purposes and means of the processing are possibly taken and where the power to have these decisions implemented lies. However, the SAs will still need to assess the place where the decisions on the purposes and means are taken and where there is the power to implement such decisions in the EU before qualifying that establishment (or any other establishment in the EU) as a main establishment.
