On February 13, 2024, the European Data Protection Board (“EDPB”) adopted an opinion on the notion of “main establishment” of a controller in the context of Article 4(16)(a) of GDPR.  The opinion aims to clarify (i) the relevant conditions for the determination of whether a controller has a “main establishment” in the EU, for controllers that have more than one establishment in the EU; and (ii) the application of the so-called “one-stop-shop” mechanism in these scenarios.  

We provide below an overview of the EDPB’s opinion.

Existing EDPB guidelines, such as those relating to the identification of a lead supervisory authority (see our previous blog post), have yet to consider in detail the notion of “main establishment” under Article 4(16)(a) of GDPR, defined as “the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment”.  This opinion intends to address this gap in regulatory guidance, following a request by the French supervisory authority.

Firstly, the EDPB recalls that the GDPR does not permit “forum shopping” with regard to identifying a “main establishment” in the EU.  The determination should be based on objective criteria, rather than a subjective designation.

Secondly, the EDPB discusses the meaning of an organization’s “place of main administration”, as interpreted in other areas of EU law, which is commonly understood to be the “real seat” of a company, i.e., the head office from where central management and control are exercised.

In its opinion, the EDPB reaches the following key conclusions:

  • A controller’s “place of central administration” may qualify as its “main establishment” if two cumulative conditions are met, namely: the controller (i) takes decisions concerning the purposes and means of processing; and (ii) has the power to have these decisions implemented;
  • The one-stop-shop mechanism may only apply if there is evidence that one of the controller’s EU establishments meets the two conditions mentioned in the first point above;
  • Where none of the EU establishments actually take decisions on the means and purposes of processing, or have the power to have those decisions implemented – because those powers are exercised from outside the EU – there should not be any “main establishment” in the EU, and the one-stop-shop mechanism should not apply;
  • Relating to the practical application of the concept by supervisory authorities (“SA”), the burden of proof falls on controllers, which also have a duty to cooperate with SAs in relation to this assessment.  To substantiate their claim, controllers may rely on elements such as records of processing activities and privacy policies; and
  • SAs retain the power to challenge the controller’s claim based on an objective examination of the relevant facts, with the possibility of requesting further information.

***

The Covington Privacy and Cybersecurity team is happy to assist with any inquiries related to establishment in the EU from a GDPR perspective, as well as other data protection and cybersecurity matters.

(This blog post was drafted with the contribution of Diane Valat.)

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Laura Somaini

Laura Somaini is an associate in the Data Privacy and Cybersecurity Practice Group.

Laura advises clients on EU data protection, e-privacy and technology law, including on Italian requirements. She regularly assists clients in relation to GDPR compliance, international data transfers, direct marketing rules as well as data protection contracts and policies.