EU: Main establishment of a controller under the GDPR - understanding the EDPB's Opinion
On February 13, 2024, the European Data Protection Board (EDPB) published its Opinion on the notion of the main establishment of a controller in the EU under the General Data Protection Regulation (GDPR) (the Opinion). OneTrust DataGuidance Research breaks down the Opinion with expert comments from Philip James and Anna Allen, from Eversheds Sutherland's Global Privacy & Cybersecurity Group.
Background
The French data protection authority (CNIL) requested the EDPB issue an opinion on the notion of the main establishment of a controller under Article 4(16)(a) of the GDPR and the criteria for the application of the one-stop-shop mechanism. CNIL sought clarification on the interpretation of the 'main establishment' of a data controller, specifically questioning whether, in order to consider the 'place of the central administration' in the EU as a main establishment, there is a need for the supervisory authorities to collect evidence that this 'place of central administration' makes decisions on the purposes and means of the processing and has the power to have these decisions implemented.
In light of the above, the EDPB confirmed that it considered two questions:
- For a controller's place of central administration in the EU to be qualified as a main establishment under Article 4(16)(a) of the GDPR, should this establishment take decisions on the purposes and means of the processing and have the power to have them implemented?
- Does the one-stop-shop mechanism apply only if there is evidence that one of the establishments in the EU of the controller (the controller's 'place of central administration' or not) takes the decisions on the purposes and means concerning the processing operations in question and has the power to have such decisions implemented?
Philip and Anna discussed the importance, noting that "identification of the main establishment is important to organisations that undertake cross-border processing of personal data within the EEA. It allows them to determine which supervisory authority they have to deal with in relation to cross-border processing […]"
Interpretation of Article 4(16)(a) of the GDPR
Regarding the first question, the Opinion highlights that Article 4(16)(a) of the GDPR falls into three parts. Firstly, a controller should have establishments in more than one Member State in the EU. Where this condition is met, parts two and three provide two possibilities in which one of these establishments can qualify as the controller's main establishment: either the establishment corresponds to the controller's 'place of [...] central administration in the Union,' or, failing that (the 'unless' limb), 'another establishment of the controller in the Union' takes 'the decisions on the purposes and means of the processing of personal data' and 'has the power to have such decisions implemented.' Importantly, the Opinion clarifies that the assessment made under Article 4(16)(a) of the GDPR specifically concerns the establishments in the EU of a controller, that is, of the body which determines 'the purposes and means of the processing of personal data.'
In relation to the 'place of central administration' under Article 4(16)(a) of the GDPR, the Opinion highlights the absence of a defined term within the GDPR itself, detailing that based on court judgments and other areas of EU law, a company's central administration is commonly understood as the place where the most important decisions for this company are taken. In part three, the Opinion explains that the GDPR assumes the central administration, in the first instance, is where decisions regarding the purposes and means of personal data processing are taken and that this central administration has the power to have them implemented. Therefore, the 'unless' condition in Article 4(16)(a) of the GDPR is to be assessed by the controller, subject to supervisory authority review, before determining the main establishment. Where decisions are taken in another establishment of the controller in the EU which also has the power to have them implemented, the other establishment of the controller will instead be considered as the main establishment.
To this end, the Opinion concludes that a controller's place of central administration in the EU can be considered as a main establishment only if it takes the decisions on the purposes and means of the processing of personal data and it has the power to have these decisions implemented.
On this point, Philip and Anna highlight that "[…] Controllers operating in the EEA, and having more than one establishment, may need to re-assess whether any of them meets the criteria and, if so, which one. 'For some organisations this may mean that their lead supervisory authority (LSA) in the EEA will be in a different EEA member state than previously determined.' Organisations that take the relevant decisions and hold the relevant power outside the EEA may lose the benefit of the one-stop-shop mechanism altogether, even if their place of central administration is in the EEA. This means that any concerned supervisory authority in the EEA will remain competent to take individual action against the controller in the EEA as appropriate. The Opinion does not affect the identification of a main establishment by processors."
Evidence of decision-making power
With regard to question two, the Opinion emphasizes that in the absence of evidence indicating that decision-making power on the purposes and means of processing as well as the power to implement these decisions lies with the 'place of central administration in the Union' or with 'another establishment of the controller in the Union,' there is 'no main establishment' for that processing. Therefore, in that case, the one-stop-shop mechanism should not apply.
Practical considerations
Importantly, the Opinion reiterates that the controller bears the burden of proof concerning the place where the relevant processing decisions are taken and implemented. When making this assessment, the Opinion outlines elements that can support such assessments, including processing records and privacy policies.
Expanding on this, Philip and Anna detailed that, "[…] The Opinion reminds controllers that 'forum shopping' is not permitted. Their analysis must be objective and based on verifiable facts. The burden of proof is on the controller and their assessment can be challenged by supervisory authorities. 'Therefore, controllers should reassess their current determination, including identifying and documenting (any assessment which is insufficiently documented will only be worth the paper, and assessment quality, it is written on…)': the relevant processing; the controller(s); whether and where the controller(s) have establishments in the EEA; and which of those establishments takes decisions on the purposes and means of the relevant processing and has the power to have them implemented. This should be supported by justifications based on objective evidence (e.g. privacy policies, records of processing activities). The Opinion should be read alongside EDPB Guidelines 8/2022 on identifying a controller or processor's lead supervisory authority adopted on 28 March 2023, which provides details of factors to be taken into account when undertaking this analysis (e.g. no. of employees and revenue in specific territories etc., for instance).
In this context, it is worth reiterating the fundamentals of whether an entity is a controller (as set out in the earlier EDPB Opinion on this topic), namely:
- Both the purposes and means of the processing of personal data – in other words, why and how the processing is carried out.
- If an entity determines only the means or only the purpose, this will be insufficient to qualify as a controller.
- A degree of discretion can be given to the processor to make some decisions in relation to the processing. However, the controller must determine the essential means of the processing, which is closely aligned with purpose.
- Only decisions on non-essential means of the processing can be left to the processor, i.e. more practical aspects of the processing such as the hardware, software, and security measures to be used.
- The controller does not need to have access to data to qualify as a controller.
- The role of a controller should be interpreted broadly so as to favour protection of data subjects.
- The same entity may act as controller for certain processing, and as processor for others – as such, the assessment must be made for each specific processing activity."
Reviews by the supervisory authority
The Opinion highlights that the assessments of the controller are subject to review by the national supervisory authority, including the ability to challenge (and disagree with) the controller's analysis based on an objective examination of the relevant facts. In addition, the national supervisory authority can request further information where required and may contact the relevant establishment of the controller.
Once the supervisory authority has determined that a controller has provided sufficient or insufficient information to establish a main establishment, this assessment will be shared with all other concerned supervisory authorities. Where the controller's claim is confirmed by concerned supervisory authorities, the established lead supervisory authority may inform the main establishment. However, if the claim is rebutted by the concerned supervisory authorities, the supervisory authority in charge of evidence collection should contact the relevant establishment and inform it of this conclusion and the practical consequences. In cases where there is no consensus on the conclusions reached by the concerned supervisory authorities, the supervisory authorities may refer the matter to the EDPB. This may be done in cases of conflicting views on which of the concerned supervisory authorities is competent for the main establishment or in case the disagreement stems from different interpretations of an abstract underlying legal question.
Conclusion
Philip and Anna concluded that "whilst the One Stop Shop seeks to provide true harmonisation and simplicity, it is still somewhat fraught with uncertainty and some challenges (e.g. that there may be a different analysis for each category and type of processing activity) – and, even then, a consumer or data subject still has the right to bring a complaint in his/her local territory, regardless of the LSA.
In the context of data breaches and resulting notifications to SAs, the concept of a One Stop Shop provides some considerable comfort (at least at a first look). In reality, in the context of a real time security incident, organisations may not have carried out a formal, documented LSA assessment and – even if they have – there is always the risk that only notifying in the designated LSA territory could be open to challenge (either by an affected individual or another regulator). So, in practice, organisations may be faced with the dilemma as to whether or not to rely on the pure One Stop Shop mechanism when notifying in multi-jurisdiction incidents.
In addition, organisations also need to be wary of 'cherry picking' what they perceive, rightly or wrongly, to be either a more liberal authority or a jurisdiction in which class action threats may be more realistic. Similarly, what governing law and jurisdiction has been selected on EU standard contractual clauses or model terms will have a significant bearing on choice of LSA and may need to be updated or re-assessed in the light of the Opinion."
Bahar Toto, Privacy Analyst
With comments provided by:
Philip James, Partner
Anna Allen, Senior Associate
Eversheds Sutherland's Global Privacy & Cybersecurity Group, London