EDPB issues opinion on main establishment rules for data controllers
In February 2024, the European Data Protection Board (EDPB) adopted the “Opinion on the notion of main establishment on the criteria for the application of the One-Stop-Shop mechanism” (the Opinion) following a request by the French Data Protection Authority (DPA) under Article 64(2) of the General Data Protection Regulation (GDPR). The Opinion sheds light on the criteria for the application of the One-Stop-Shop (OSS) mechanism, in particular the notion of a controller’s “place of central administration” in the Union.
The Opinion provides clarity on the concept of a controller's main establishment, particularly in cases where decisions regarding data processing occur outside the EU. Anu Talus, Chair of the EDPB, emphasised the significance of this notion in determining the lead supervisory authority in cross-border data protection cases. The Opinion aims to assist Data Protection Authorities (DPAs) in identifying the relevant DPA responsible for oversight.
Key points outlined in the opinion include:
- Main Establishment Definition: a controller's "place of central administration" in the EU qualifies as a main establishment only if:
  - it takes the decisions on the purposes and means of the processing of personal data; and
  - it has the power to implement these decisions.
- OSS Application: The OSS mechanism applies only when one of the controller's establishments within the EU makes decisions about data processing and has the power to enforce these decisions. If decisions are made outside the EU, there is no main establishment and the OSS mechanism does not apply.
- Burden of proof falls to the controller: The burden of proof falls on controllers to demonstrate the above conditions, and supervisory authorities can challenge claims based on objective examination. Determining a place of central management (e.g. regional headquarters) serves as a starting point, but further assessment is needed to qualify an establishment as a main one.
The Opinion clarifies that the controllers' processing activities will be scrutinised in relation to the "specific processing" involved. It underscores that having an EU main establishment for certain processing does not automatically designate it as the main establishment for all processing activities. In other words, the determination of a main establishment is context-specific and must be made considering the distinct characteristics and nature of each processing activity rather than applying a blanket designation across all operations.
In addition, the Opinion warns that "forum shopping" for identifying the main establishment is prohibited, emphasising that it must be determined objectively and not subjectively designated, as outlined in Recital 36 of the GDPR.
The EDPB’s official press release can be found here.
The Opinion on the notion of main establishment on the criteria for the application of the One-Stop-Shop mechanism can be accessed here.