iOn February 13, 2024, the European Data Protection Board (EDPB) released its opinion on the notion of the main establishment of a controller in the EU under article 4(16)(a) GDPR and the criteria for the application of the “one-stop shop” mechanism, in particular, regarding the notion of a controller’s “place of central administration” (PoCA) in the EU.
The EDPB concluded that (1) the controller’s place of central administration in the EU can be considered as a main establishment under Article 4(16)(a) GDPR only if it takes the decisions on the purposes and means of the processing of personal data and it has the power to implement these decisions; and (2) the “one-stop shop” mechanism can only apply if there is evidence that one of the establishments of the controller in the EU takes the decisions on the purposes and means of the relevant processing operations and has the power to implement these decisions. If the decisions on the purposes and means and the power are exercised outside the EU, there should be no main establishment under Article 4 (16)(a) GDPR and the “one-stop shop” mechanism cannot apply.
Background
The “one-stop shop” is a mechanism for organizations that are engaged in cross-border EU data processing, allowing them to deal with a single lead supervisory authority (LSA) for their data protection compliance obligations. Under GDPR, the supervisory authority (SA) of the EU member state where that organization’s main EU establishment is located would often be its LSA. The LSA acts as a single point of contact for, and cooperates with, other SAs in relation to cross-border data processing activities.
This mechanism intends to enhance consistency and uniformity in the application of data protection legislation and increase legal certainty. It also aims to facilitate central enforcement by a single decision of one LSA, as well as to reduce the administrative burden for controllers and processors, as they can navigate regulatory requirements more easily with this centralized point of contact.
The EDPB reiterates that GDPR does not permit “forum shopping” in the identification of the main establishment, as it must be determined by objective criteria. Therefore, before assessing who is the LSA of an organization, first it must be objectively concluded where its main establishment is.
Main Findings
Concerning the determination of the main establishment, the EDPB has indicated that, where an organization has several establishments in the EU, the main one will be the organization’s PoCA. That also implies that the establishment must be the one that takes the decisions on the purposes and means of the processing of personal data and that has the power to effectively implement these decisions.
With respect to the “one-stop shop” mechanism, the EDPB considers that it can only apply if there is evidence that it is the controller’s main establishment in the EU who takes the decisions on the purposes and means of the relevant processing and has the power to implement these decisions.
The EDPB’s opinion concludes that when decisions and the power are exercised outside the EU, there is no main establishment and, therefore, the “one-stop shop” mechanism cannot apply.
The EDPB’s opinion confirms that the burden of proof lies on controllers, as they have a duty to cooperate with the SAs. In this context, various elements such as recording processing activities and privacy policies are suggested by the data protection body – but as importantly is the ability to demonstrate that one has the actual power to control implementation of decisions taken. Compliance cannot be a paper trail.
Why Is This important?
The EDPB’s recent opinion implies that non-EU organizations with cross-border operations in several EU countries that cannot have a main establishment in the EU (i.e., their decisions are being taken outside of the EU/they do not have the powers to implement decisions) will not be able to benefit from the “one-stop shop” mechanism.
The lack of a “one-stop shop” poses significant challenges for those organizations: without a central point of contact, it may be difficult for them to navigate the various regulatory requirements across the EU member states. This could result in increased bureaucracy and higher compliance costs, and issues might be amplified in a crisis scenario such as a cyber incident, where timing is critical. Moreover, the affected entities might suffer from a lack of consistency in the application and enforcement of the rules. This could create legal uncertainty and might diminish their ability to execute their cross-border activities, having to interpret and comply with different requirements across multiple jurisdictions.
As determined by the EDPB, it is not enough with a company appointing an LSA, but SAs retain the ability to challenge the controller’s claim, requesting further information based on an objective examination of the relevant facts. In that sense, organizations claiming an SA as their LSA must have evidence to prove that, indeed, the PoCA is the one taking the decisions on the purposes and means of the processing and with the actual power to implement these decisions. Substance is key, also in privacy.
