On 13 February 2024, the European Data Protection Board (EDPB) adopted Opinion 04/2024 (the Opinion), which clarifies the notion of a controller's main establishment under the EU General Data Protection Regulation (GDPR). The Opinion sets out the criteria for applying the one-stop shop mechanism, an essential aspect of GDPR compliance for organisations operating across several Member States.
The significance of main establishment in reporting personal data breaches
The main establishment concept plays a pivotal role in determining which EU data protection authority serves as the lead supervisory authority in cross-border data protection cases. This mechanism streamlines the process for organisations, allowing them to liaise with a single lead supervisory authority for most processing activities, including reporting personal data breaches.
Background
The Opinion was prompted by a request from the French supervisory authority (CNIL) to clarify the definition of a data controller's main establishment under Article 4(16)(a) of the GDPR. Specifically, it aimed to elucidate the relevance of the term "place of central administration" as outlined in Recital 36 of the GDPR.
Key factors in determining main establishment
Article 4(16)(a) of the GDPR defines the main establishment of a controller with establishments in more than one Member State as "the place of its central administration in the Union", unless the decisions on the purposes and means of the processing are taken in another establishment of the controller in the Union and that establishment has the power to have such decisions implemented, in which case the latter establishment is the main establishment.
As such there are three key factors to consider, namely whether the establishment:
- is the place of the controller's central administration in the Union;
- takes the decisions on the purposes and means of the processing; and
- has the power to have those decisions implemented.
CNIL's questions and EDPB's responses
The CNIL posed two questions to the EDPB, seeking clarification on when a controller's central administration qualifies as its main establishment and on the applicability of the one-stop shop mechanism.
In summary, the Opinion affirmed:
- A controller's central administration in the EU qualifies as the main establishment only if it takes the decisions on the purposes and means of the processing and has the power to have those decisions implemented; this applies where the controller has establishments in more than one Member State.
- The one-stop shop mechanism applies only where there is evidence that an establishment of the controller in the EU takes the decisions on the relevant processing operations and has the power to have them implemented; where no EU establishment meets these conditions, the mechanism does not apply.
Comment
The one-stop shop mechanism and the clarification in the Opinion primarily affect international organisations with offices in Europe but decision-making centralised elsewhere, such as in the US. The Opinion emphasises the need for these organisations to assess carefully the roles and responsibilities of each of their establishments in their GDPR compliance efforts. UK organisations with offices in Europe but decision-making centralised in the UK now face the same considerations.
The Opinion, therefore, provides essential guidance on interpreting the main establishment concept under the GDPR for international and UK organisations with offices in Europe.
It underscores the importance of evidence of both decision-making and the power to implement those decisions, and places the burden of proof on the controller to demonstrate that the conditions for relying on the one-stop shop mechanism are met. An organisation that cannot show that an EU establishment takes and can implement decisions on the processing should expect to deal with the supervisory authority of each Member State in which it operates rather than a single lead supervisory authority, including when reporting personal data breaches.