Skip to content
Guidance · EDPB ·042024-on-the-notion-of-main-establishment-of-a EN LLM context A cited markdown file you can paste into your AI assistant (ChatGPT, Claude, a RAG or project knowledge base) to ground it in this document. Contains: this document’s text, its sections with their topics, and the full text of every law provision it applies. Everything links back to its source on overview.legal — legal information, not advice.

Opinion 04/2024 on the notion of main establishment of a controller in the Union under Art. 4.16(a) GDPR

Summary

Opinion 04/2024 on the notion of main establishment of a controller in the Union under Article 4(16)(a) GDPR Adopted on 13 February 2024 Executive summary The French Supervisory Authority requested the European Data Protection Board to issue an opinion on the notion of main establishment of a controller under Article 4(16)(a) GDPR, and on the criteria for the application of the one-stop-shop mechanism, in particular regarding the notion of controller’s “place of central administration” in the…

How it connects

Full text

Opinion 04/2024 on the notion of main establishment of a controller in the Union under Article 4(16)(a) GDPR Adopted on 13 February 2024 Executive summary The French Supervisory Authority requested the European Data Protection Board to issue an opinion on the notion of main establishment of a controller under Article 4(16)(a) GDPR, and on the criteria for the application of the one-stop-shop mechanism, in particular regarding the notion of controller’s “place of central administration” in the Union. The Board concludes in this opinion that a controller’s “place of central administration” in the Union can be considered as a main establishment under Article 4(16)(a) GDPR only if it takes the decisions on the purposes and means of the processing of personal data and it has power to have these decisions implemented. Furthermore, the Board considers that the one-stop-shop mechanism can only apply if there is evidence that one of the establishments in the Union of the controller takes the decisions on the purposes and means for the relevant processing operations and has the power to have these decisions implemented. Therefore, when the decisions on the purposes and means and the power to have such decisions implemented are exercised outside of the Union, there should be no main establishment under Article 4(16)(a) GDPR, and the one-stop-shop mechanism should not apply. Additionally, the Board clarifies how the supervisory authorities should apply in practice Article 4(16)(a) GDPR to ensure its consistent application. In particular, the Board reiterates that the burden of proof in relation to the place where the relevant processing decisions are taken and where there is the power to implement such decisions in the Union ultimately falls on controllers, and that they have a duty to cooperate with the supervisory authorities. Lastly, the Board clarifies that the supervisory authorities retain the ability to challenge the controller’s claim based on an objective examination of the relevant facts, requesting further information where required. For this examination, the Board recalls the duty of the supervisory authorities to cooperate and that they should therefore jointly agree on the level of detail appropriate, depending on the concrete case. In particular, determining a place of central management in the Union (e.g. regional headquarters) constitutes a starting point helping the supervisory authorities to identify where the decisions on the purposes and means for the processing are possibly taken and the power to have these decisions implemented. However, there will still be the need for the supervisory authorities to assess the place where the decisions on the purposes and means are taken and where there is the power to implement such decisions in the Union before qualifying that establishment (or any other establishment in the Union) as a main establishment. Adopted 2 Adopted 3 The European Data Protection Board Having regard to Article 63 and Article 64(2) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”), Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018 1 , Having regard to Article 10 and Article 22 of its Rules of Procedure, HAS ADOPTED THE FOLLOWING OPINION: 1 INTRODUCTION 1.1 Summary of facts 1. On 10 October 2023, the French Supervisory Authority (hereinafter, the “FR SA”) requested the European Data Protection Board (hereinafter, the “EDPB” or the “Board”) to issue an opinion on the notion of main establishment of a controller under Article 4(16)(a) GDPR and the criteria for the application of the one-stop-shop mechanism. 2. The FR SA specifically highlighted in its request possible different interpretations of the definition of “main establishment” of the controller 2 under Article 4(16)(a) GDPR. In essence, the FR SA asked the Board whether, in order to consider the “place of the central administration” of the controller in the Union as a main establishment under Article 4(16)(a) GDPR, there is a need for the supervisory authorities (hereinafter, “SAs”) to collect evidence that this “place of central administration” (hereinafter, “PoCA”) takes the decisions on the purposes and means of the processing and has the power to have these decisions implemented. 3. The Board considers that, in order to provide a reply to the request by the FR SA, the following questions need to be answered: - Question 1: For a controller’s “place of central administration in the Union” to be qualified as a main establishment under Article 4(16)(a) GDPR, should this establishment take decisions on the purposes and means of the processing and have the power to have them implemented? - Question 2: Does the one-stop-shop mechanism apply only if there is evidence that one of the establishments in the Union of the controller (the controller’s “place of central 1 References to “Member States” made throughout this opinion should be understood as references to “EEA Member States”. References to the “Union” made throughout this opinion should be understood as references to the “EEA”. 2 Therefore, this opinion does not relate to the application of the notion of main establishment for processors under Article 4(16)(b) GDPR. Adopted 4 administration” or not) takes the decisions on the purposes and means concerning the processing operations in question and has the power to have such decisions implemented? 4. The Chair of the Board and the FR SA considered the file complete on 11 October 2023. On the same date, the file was broadcast by the Secretariat. The Chair, considering the complexity of the matter, decided to extend the deadline in line with Article 64(3) GDPR. 1.2 Admissibility of the request for an Article 64(2) GDPR Opinion 5. Article 64(2) of the GDPR provides that, in particular, any supervisory authority may request that any matter of general application or producing effects in more than one Member State be examined by the Board with a view to obtaining an opinion. 6. The Board considers that the request referred by the FR SA relates to the application of the notion of the main establishment of the controller under Article 4(16)(a) GDPR, which has important consequences for the practical application of the one-stop-shop mechanism. Therefore, this request concerns a “matter of general application” within the meaning of Article 64(2) GDPR, as it relates to the consistent interpretation on the boundaries of the competences of SAs to ensure, amongst others, a consistent practice of cooperation among SAs in accordance with Chapter VII, Section 1 GDPR. 7. As part of its request for an opinion, the FR SA has provided, inter alia, scenarios demonstrating possible different interpretations of Article 4(16)(a) GDPR. Therefore, the Board considers that the request by the FR SA is reasoned in line with Article 10(3) of the EDPB Rules of Procedure, as the FR SA has demonstrated the clear need for a consistent interpretation of this provision among SAs. 8. According to Article 64(3) GDPR, the EDPB shall not issue an opinion if it has already issued an opinion on the matter 3 . The EDPB has not yet provided replies to the questions arising from the FR SA’s request. Further, the available EDPB guidelines, including in particular the Guidelines “on identifying a controller or processor’s lead supervisory authority” 4 , do not provide specific guidance on possible elements to be verified for a controller’s PoCA in the Union to be qualified as a main establishment under Article 4(16)(a) GDPR. 9. For these reasons, the Board considers that the FR SA’s request is admissible and the questions arising from the FR SA’s request should be analysed in an opinion adopted pursuant to Article 64(2) GDPR. 3 Article 64(3) GDPR and Article 10(4) of the EDPB Rules of Procedure. 4 EDPB Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority, adopted on 28 March 2023, available in their latest version at: https://edpb.europa.eu/our-work-tools/our- documents/guidelines/guidelines-82022-identifying-controller-or-processors-lead_en Adopted 5 2 ON THE MERITS OF THE SPECIFIC REQUEST 10. As a preliminary remark, the Board recalls that before identifying the existence of a main establishment in the Union, it is first necessary to identify the processing 5 that needs to be examined for the purpose of the pursued action, as well as the (joint-)controller(s) for the processing 6 . In addition, it is necessary to assess whether and where this controller has establishments 7 in the Union in the context of the activities of which the processing takes place 8 . The below assessment on the notion of main establishment is based on the assumption that these elements have already been determined, and is without prejudice to other cases where the one-stop-shop mechanism may apply, such as when there is a single establishment in the Union of a controller or processor. 11. The Board also recalls that the GDPR does not permit “forum shopping” in the identification of the main establishment 9 . According to Recital 36, the determination of the main establishment should be based on objective criteria and thus cannot be based on a subjective designation. 2.1 On the interpretation of Article 4(16)(a) GDPR 12. The first question referred to the Board concerns whether in order for a controller’s “place of central administration in the Union” (hereinafter, “PoCA”) to be qualified as a main establishment under Article 4(16)(a) GDPR, this establishment should take decisions on the purposes and means of the processing and have the power to have them implemented. 13. As a preliminary matter, it should be recalled that, according to settled case-law of the CJEU, it is necessary, when interpreting a provision of EU law, to consider not only its wording but also its context and the objectives of the legislation of which it forms part 10 . 14. Considering the literal reading of the legal provision , the Board observes that Article 4(16)(a) GDPR falls into three parts. There is first the condition that a controller should have establishments in more than one Member State in the Union (first part). In addition, should this condition be met, the second and third parts provide for two possibilities in which one of these establishments can qualify as the 5 Article 4(2) GDPR. 6 Article 4(7) GDPR. 7 According to Recital 22 GDPR, “ [e]stablishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect .” On the notion of establishment, see also Judgment of 1 October 2015, Weltimmo, C-230/14, ECLI:EU:C:2015:639, paragraphs 29-30, Judgment of 28 July 2016, Verein für Konsumenteninformation , C-191/15, ECLI:EU:C:2016:612, paragraph 76. 8 Article 4(23) GDPR. As regards the notion of “ processing in the context of the activities of an establishment” , see also Judgment of 13 May 2014, Google Spain and Google , C-131/12, ECLI:EU:C:2014:317, paragraph 52; Judgment of 1 October 2015, Weltimmo, C-230/14, ECLI:EU:C:2015:639, paragraph 35. 9 EDPB Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority, paragraphs 37, 38. 10 See Judgment of 22 June 2022, Leistritz , C ‑ 534/20, ECLI:EU:C:2022:495, paragraph 18 and the case-law cited therein. Adopted 6 controller’s main establishment. This is the case when the establishment corresponds to the controller’s “ place of [...] central administration in the Union” (second part), unless “ another establishment of the controller in the Union” takes “the decisions on the purposes and means of the processing of personal data’’ and ‘’has the power to have such decisions implemented” (third part) . 15. With regard the first part of this provision, it should be noted that the assessment made under Article 4(16)(a) GDPR specifically concerns establishments in the Union of a controller , and thereby of the body, which determines “ the purposes and means of the processing of personal data” 11 . 16. With regard the second part of this provision, the Board first notes that, while the notion of PoCA is employed in other instances in the GDPR 12 , this Regulation does not provide any definition of the controller’s PoCA under Article 4(16)(a) GDPR, nor does it refer to a specific provision for the purpose of determining its meaning within the GDPR. Therefore, in the absence of specific guidance, other sources of EU law should be taken into consideration when interpreting this term 13 . 17. In this regard, it is to be noted that the notion of PoCA is used in the context of freedom of establishment for companies or firms under Article 54 of the Treaty on the Functioning of the European Union (hereinafter, “TFEU”) 14 , and is a well-established notion in the context of civil and commercial law 15 . In particular, when interpreting Article 54 TFEU, the PoCA of a company has been regarded by the Court as corresponding to the “real seat” of this company 16 i.e. its real head office from where the central management and control are exercised 17 . A similar interpretation of the notion of PoCA can also be found in other areas of EU law 18 . It follows from the foregoing that a company’s 11 Article 4(7) GDPR. 12 See Article 4(16)(b) GDPR and Recital 36 GDPR. 13 See, inter alia, Judgment of 18 May 2017, Hummel Holding , C-617/15, ECLI:EU:C:2017:390, paragraph 22 and case law cited therein. 14 Under Article 54 TFEU “ companies or firms formed in accordance with the law of a Member State and having their registered office, central administration or principal place of business within the Union” enjoy the freedom of establishment in the same way as EU nationals. 15 See e.g. Article 19(1) of Rome I Regulation (EC) 593/2008; Article 60(1)(b) of Brussels Regulation (EC) 44/2001, Article 63(1)(b) of Brussels I Regulation (EU) 1215/2012. 16 See Judgment of 27 September 1988, The Queen v H. M. Treasury and Commissioners of Inland Revenue, ex parte Daily Mail and General Trust plc. , Case C-81/87, EU:C:1988:456, paragraphs 21-25 and Judgment of 16 December 2008, Cartesio Oktató és Szolgáltató bt , Case C-210/06, EU:C:2008:723, paragraph 105. 17 See Judgment of 27 September 1988, The Queen v H. M. Treasury and Commissioners of Inland Revenue, ex parte Daily Mail and General Trust plc. , Case C-81/87, EU:C:1988:456, paragraphs 20-25, where the terms “ real head office” and “ central management and control” seems to be used synonymously to refer to the “place of central administration”. See also, in this regard: Regulation (EC) No 2157/2001, in which the term “head office” in the English version is translated as “Hauptverwaltung”, "administración central" or “administration centrale” in the German, Spanish and French versions of this legislative text. 18 See e.g. Recital 114 of Directive NIS 2 Directive (EU) 2022/2555, referring to the place “ where the decisions related to the cybersecurity risk-management measures are predominantly taken in the Union”; Recital 41 of Data Governance Act (EU) 2022/868, Recital 41, where the main establishment should correspond to the central administration of a data intermediation services provider in the Union and “ imply the effective and real exercise of management activities” ; Recital 123 of Digital Services Act (EU) 2022/2065, referring in the context of the Adopted 7 central administration is commonly understood as the place where the most important decisions for this company are taken 19 20 . 18. In addition, the third part of Article 4(16)(a) GDPR, addresses situations in which decisions in relation to the processing are taken at “ another establishment of the controller in the Union ”, i.e. an establishment different from the controller's PoCA. In particular, the use of the word “ another” makes it clear that the approach taken in the GDPR assumes that the central administration in the Union corresponds, in the first instance, to the place where, in general, decisions regarding the purposes and means of personal data processing are taken and that this central administration has the power to have them implemented. Therefore, the term “unless” in Article 4(16)(a) GDPR should be interpreted as a condition to be assessed by the controller, and is subject to the review of the SA(s), before determining the main establishment, as in case these decisions are taken in another establishment of the controller in the Union which has the power to have them implemented, this other establishment of the controller will instead be considered as the main establishment. 19. The Board notes that the above reading of Article 4(16)(a) GDPR is supported by Recital 36 GDPR according to which the main establishment of a controller should “ imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements” . 20. Therefore, Article 4(16)(a) GDPR as informed by Recital 36, lends support to the interpretation that a controller’s PoCA in the Union should be considered the controller's main establishment only if it takes the decisions on the means and purposes of the processing and has the power to have such decisions implemented. 21. That interpretation is, in addition, supported by the context in which Article 4(16)(a) GDPR appears . 22. Firstly, the Board notes that the initial proposal by the European Commission explicitly provided for the possibility for a controller to have a main establishment even “ if no decisions as to the purposes, main establishment under this Regulation to the place where the “ head office or registered office within which the principal financial functions and operational control are exercised” (emphasis added). The link to the PoCA is even clearer in the French and German version. 19 See also, AG Opinion delivered on 7 June 1988, The Queen v H. M. Treasury and Commissioners of Inland Revenue, ex parte Daily Mail and General Trust plc. , Case C-81/87, EU:C:1988:286, paragraph 4, in which it is referred to the fact that the place “ where the central management and control are exercised ” is generally understood as the place “where the company organs take the decisions that are essential for the company’s operation” ; AG Opinion delivered on 4 December 2001, Überseering BV v Nordic Construction Company Baumanagement GmbH (NCC) , Case C-208/00, EU:C:2001:655, footnote 4. 20 International conventions to which the EU is a party make as well use of the concept of PoCA, qualifying it similarly as the place where the most important decisions concerning the operation of the entity are taken. See, for instance: explanatory report of the Convention of 2 July 2019 on the Recognition and Enforcement of Foreign Judgments in Civil or Commercial Matters, paragraph 107 and explanatory report of the Convention of 30 June 2005 on Choice of Court Agreements, paragraph 120. Adopted 8 conditions and means of the processing of personal data are taken in the Union” 21 . However, this part of the provision was removed during the legislative process without a replacement. The evolution of this provision during the legislative process indicates that the legislator intended to limit the application of the benefit of the one-stop-shop mechanism to controllers who take the decisions on the purposes and means of the processing in the Union and have the power to have such decisions implemented . 23. Secondly, the Board notes the changes made to this provision by the Council, which introduced the notion of controller’s PoCA with the intention to provide “more objective and transparent criteria” for determining the main establishment of the controller 22 . This criterion, therefore, seems to have been included as a starting point to help SAs identifying the controller’s main establishment where the decisions are taken. However, it does not seem to have been intended as a mean to broadening the scope of the notion of main establishment under Article 4(16)(a) GDPR (and thereby the application of the one-stop-shop mechanism) by extending it to include cases where decision-making power does not lie with the main establishment 23 . 24. That interpretation is also supported by the general objective of the one-stop-shop mechanism , which was primarily intended to reduce legal uncertainty for controllers and the fragmentation of the application of the GDPR in the Union 24 . To that end, this mechanism enables a controller (or processor) operating in several Member States to benefit from a single point of contact, the Lead Supervisory Authority (hereinafter, “LSA”), for its cross-border activities affecting several Member States. Instead of the controller having to engage with several local supervisory authorities, it only needs to engage with the LSA, which will closely cooperate with the supervisory authorities concerned, in accordance with inter alia the procedure under Article 60 GDPR. 25. In this context, the definition of “main establishment" in Article 4(16)(a) GDPR, read in conjunction with Article 56(1) GDPR, is precisely intended to determine which of the SA should act as LSA, which includes being the sole interlocutor of the controller for the cross-border processing carried out by that controller. 21 See Article 4(13) of the Commission proposal for a General Data Protection Regulation, 2012/0011/COD. The final wording referring to central administration, following the changes introduced by the Council, is in contrast to the original Commission proposal which states that ‘main establishment’ “ means as regards the controller, the place of its establishment in the Union where the main decisions as to the purposes, conditions and means of the processing of personal data are taken ”. A second part of the sentence in the Commission’s proposal, providing for a main establishment “ if no decisions as to the purposes, conditions and means of the processing of personal data are taken in the Union” was deleted. 22 See, inter alia: https://data.consilium.europa.eu/doc/document/ST-7105-2013-REV-6/en/pdf (p. 32). 23 In this regard, it is interesting to note that although several Member States expressed, during the legislative process, a preference for having a more formal criterion by referring to the incorporation of the controller, the notion of PoCA was specifically chosen by the Council. See, for example: https://data.consilium.europa.eu/doc/document/ST-11028-2014-INIT/en/pdf (p. 77, footnote 54) 24 AG Opinion delivered on 13 January 2021, Facebook Ireland e.a., C ‑ 645/19, ECLI:EU:C:2021:5, paragraphs 75- 80. Adopted 9 26. According to the Board, the role and tasks entrusted to the LSA ‘’as more of primus inter pares than the sole enforcer of the GDPR in cross-border situation” 25 presuppose the proximity of this SA (in contrast to the other Concerned Supervisory Authorities or “CSAs”) to the controller’s establishment exercising a real and effective influence on the processing in question 26 , i.e., in the case of the controller, the specific establishment with decision-making power over the processing. This division of competences between the LSA and the other CSA(s), which requires the LSA to be the sole interlocutor of the controller for the cross-border processing in question 27 , including, if necessary, by carrying out investigations in its main establishment 28 , is primarily justified by the LSA's proximity to that establishment, which is best placed to provide answers relating to the processing carried out. This proximity also guarantees that the LSA can issue its decision 29 , including, if necessary, corrective measures under Article 58 GDPR, directly to the establishment that can decide to make the changes necessary to bring the processing into compliance and has the power to have these changes implemented. 27. In light of the foregoing, regarding the first question, the EDPB concludes that a controller’s PoCA in the Union can be considered as a main establishment under Article 4(16)(a) GDPR only if it takes the decisions on the purposes and means of the processing of personal data and it has power to have these decisions implemented. 28. This leads to the second question referred to the Board, on whether the one-stop-shop can only apply if there is evidence that one of the establishments in the Union of the controller takes the decisions on the purposes and means for the relevant processing and has the power to have them implemented. 29. In this respect, it follows from the response to the first question that a controller’s PoCA in the Union can qualify as a main establishment only if it takes the decisions on the purposes and means of the processing and has the power to have these decisions implemented. In addition, the second part of Article 4(16)(a) GDPR is only applicable if the other entity taking the decisions on the purposes and means of the processing and having the power to have such decisions implemented is an establishment of the controller located in the Union . 30. Accordingly, the Board takes the view that when there is no evidence that decision-making power on the purposes and means for a specific processing (as well as the power to have these decisions implemented) lies with the PoCA in the Union or with “another establishment of the controller in the 25 See also, AG Opinion delivered on 13 January 2021, Facebook Ireland e.a , Case C-645/19, EU:C:2021:5, paragraph 111. 26 This principle of proximity is supported by the exception provided under Article 56(2) GDPR which gives the LSA the possibility to request another CSA to deal with cases relating only to an establishment in the Member State or substantially affecting data subjects in the Member State of that other CSA. 27 Article 56(6) GDPR. 28 See, in this regard, Article 60(3) GDPR: the swift possibility to conduct an investigation is necessary for the LSA to fulfil its obligations to submit a draft decision without delay. 29 This national decision is implementing the result of the work of all CSAs under the cooperation procedure. Adopted 10 Union”, i.e. if it lies outside the Union, there is no main establishment under Article 4(16)(a) GDPR for that processing. Therefore, in that case, the one-stop-shop mechanism should not apply 30 . 2.2 On the practical considerations for the identification of a “main establishment” in the Union under Article 4(16)(a) of the GDPR 31. While the above section answers the legal questions raised in abstract, it remains useful to clarify how the supervisory authorities should apply in practice Article 4(16)(a) GDPR to ensure its uniform application. As mentioned in paragraph 10 above, the scope of this opinion concerns the case related to a main establishment under Article 4(16)(a) GDPR, without prejudice to other cases where the one- stop-shop mechanism may apply. 32. In this regard, the Board first reiterates that the burden of proof in relation to the place where the relevant processing decisions are taken and where there is the power to implement such decisions in the Union ultimately falls on controllers 31 . Based on the principle of accountability and their duty to cooperate with SAs under Article 31 GDPR, controllers intending to indicate their main establishment under Article 4(16)(a) GDPR to the authorities should therefore specify whether a certain establishment constitutes the controller’s PoCA in the Union taking decisions on the purposes and means of processing and having the power to have those decisions implemented or whether this applies to another establishment in the Union of the controller, in which case the latter should be considered the main establishment instead 32 . In this context, various elements such as the effective records of processing activities under Article 30 GDPR, the privacy policy may constitute relevant elements to conduct the assessment 33 allowing the controller to demonstrate its claim 34 . 33. However, the Board recalls that these claims of the controller are subject to review by national SAs. In other words, the competent SAs retain the ability to challenge (and disagree with) the controller’s analysis based on an objective examination of the relevant facts, requesting further information where required 35 36 . In this context, the SAs may use their powers under Article 58(1)(a) GDPR to contact a 30 This is without prejudice to other cases where the one-stop-shop mechanism may apply, such as a single establishment of a controller or processor. 31 See EDPB Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority, paragraphs 24 and 37; EDPB Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment, paragraph 26. 32 See EDPB Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority, paragraph 21. 33 EDPB Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority, paragraph 37. 34 See also EDPB Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority, paragraph 25. 35 See EDPB Guidelines 8/2022, on identifying a controller or processor’s lead supervisory authority, paragraph 37. 36 Further it should be noted that, based on Article 55(1) GDPR, read in conjunction with Article 56(1) GDPR, any SA retains the ability to request information from the controller if the issue does not concern cross-border processing or it is not yet established that cross-border processing takes place. Adopted 11 relevant establishment of the controller, or, as necessary, rely on mutual assistance under Article 61 GDPR to obtain the necessary information with the assistance from another SA 37 . 34. As indicated in the previous section, determining a place of central management in the Union (e.g. regional headquarters) is a starting point helping the SAs to identify where decisions on the purposes and means for the processing are possibly taken and where there is the power to implement such decisions in the Union. However, in case it is demonstrated that the controller has a PoCA in the Union, there will still be the need for the SAs to assess the place where decisions on the purposes and means are taken for the specific processing and where there is the power to have these decisions implemented, including regarding the “unless” clause. The SAs should jointly agree on the level of detail appropriate for this assessment depending on the concrete case. 35. When the SAs conclude that the controller has provided sufficient or insufficient information to ascertain the existence of a main establishment as per Art 4(16)(a) GDPR, this assessment and conclusion should be shared with all the other CSAs in the spirit of Article 60(1) GDPR and to ensure that there is an early agreement on the subject matter 38 . If the controller provided sufficient information and its claim relating to the identification of the main establishment was confirmed by the CSAs, the established LSA might inform this main establishment of the conclusions reached 39 . However, in the case where the claim was rebutted by the CSAs 40 , the SA in charge of collecting evidence should contact the relevant establishment and inform it of this conclusion. It should further inform that establishment of the practical consequences, including in case no LSA has been confirmed, that the one-stop-shop does not apply and that therefore any SA remains competent to take individual action, as appropriate. 36. Lastly, in case there is no consensus on the conclusions reached by the CSAs, despite further exchanges in the spirit of cooperation, the SAs may refer the matter to the Board under Article 63 GDPR. This may be done in cases of conflicting views on which of the CSAs is competent for the main establishment via the procedure under Article 65(1)(b) GDPR or, in case the disagreement stems from different interpretations of an abstract underlying legal question, via the procedure under Article 64(2) GDPR. 3 CONCLUSIONS 37. On the basis of the request for an opinion from the FR SA and on the basis of the analysis above, the Board concludes in respect of the interpretation of Article 4(16)(a) GDPR that: 37 See in this regard, Internal EDPB Document 6/2020 on preliminary steps to handle a complaint: admissibility and vetting of complaints, adopted on 15 December 2020. 38 A dedicate flow in the Internal Market Information (IT) system used by the data protection authorities to cooperate under GDPR has been created for this purpose. 39 This does not preclude any follow up communication by the SA(s) originally investigating the controller, if different than the confirmed LSA. 40 This could be either because the CSAs concluded that there is no main establishment or that another establishment in the Union has this role. Adopted 12 1) a controller’s “place of central administration” in the Union can be considered as a main establishment under Article 4(16)(a) GDPR only if it takes the decisions on the purposes and means of the processing of personal data and it has power to have these decisions implemented. 2) the one-stop-shop mechanism can only apply if there is evidence that one of the establishments in the Union of the controller takes the decisions on the purposes and means for the relevant processing operations and has the power to have such decisions implemented. For the European Data Protection Board The Chair (Anu Talus)

Similar Content