Privacy & Cybersecurity Law Blog

On February 13, 2024, the European Data Protection Board (“EDPB”) adopted Opinion 04/2024 on the notion of the main establishment of a controller in the Union under Article 4(16)(a) of the EU General Data Protection Regulation (“GDPR”) (the “Opinion”).

The Opinion was requested by the French Data Protection Authority (the “CNIL”) and aims at clarifying the notion of a data controller’s “main establishment” in the EU within the meaning of Article 4(16)(a) of the GDPR. Article 4(16)(a) defines the concept of “main establishment” as follows: “the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment”. The main establishment concept is a cornerstone of the GDPR’s one-stop-shop as it is key in determining which of the EU data protection authorities, if any, is the lead supervisory authority in cross-border data protection cases.

Key takeaways from the Opinion include:

• A data controller’s “place of central administration” in the EU can only be considered a main establishment if that establishment takes the decisions on the purposes and means of data processing activities and it has the power to implement these decisions.
• The one-stop-shop can only apply if there is evidence that one of the EU establishments takes the decisions on the purposes and means of the relevant processing activities and has the power to implement these decisions. This means that if decisions on the purposes and means of the relevant processing are taken outside of the EU (e.g., at the mother company in a third country, such as the U.S.), there is no main establishment within the meaning of Article 4(16)(a) of the GDPR and the one-stop-shop does not apply.
• The burden of proof in relation to the “place of central administration” ultimately falls on data controllers, who can leverage various elements to make such determination, including the records of processing activities maintained under Article 30 and privacy policies. Data controllers have a duty to cooperate with supervisory authorities in doing so.
• Supervisory authorities can challenge the data controller’s assessment by objectively scrutinizing the relevant facts and seeking further information as necessary. Throughout this process, supervisory authorities must cooperate and jointly agree on the level of detail suitable for the specific case under consideration.
• Determining the place of central administration is only the initial step in helping supervisory authorities pinpoint where decisions on the purposes and means of data processing are taken, along with identifying where the power to implement such decisions lies. Supervisory authorities must assess whether key processing decisions are made in another establishment of the controller that possesses the power to implement them. As part of the GDPR cooperation mechanism under Article 60(1) of the GDPR, supervisory authorities’ assessment on the existence of a main establishment must be shared with all concerned supervisory authorities to reach a consensus on the subject matter.

In the Opinion, the EDPB also recalled the general objective of the one-stop-shop mechanism, which is to reduce legal uncertainty and fragmentation in the application of the GDPR across the EU, as well as enabling organizations operating in several EU Member States and engaging in cross-border processing activities to benefit from a single point of contact, i.e., the lead supervisory authority.

Read the EDPB’s Press Release and Opinion.