On 13 February 2024, further to a request from the French Supervisory Authority, the European Data Protection Board (EDPB) adopted its Opinion 04/2024 (Opinion) on the notion of the main establishment of a controller in the European Union (EU) under Article 4(16)(a) of the General Data Protection Regulation (GDPR), and on the criteria for the application of the “One-Stop-Shop” (OSS) mechanism concerning a controller’s “place of central administration” in the EU.
Main Establishment and the One-Stop-Shop Mechanism
A key hallmark of the GDPR is the OSS consistency mechanism, which aims to simplify the supervision and enforcement of the GDPR within the EU.
The OSS allows organisations operating in multiple EU Member States to be under the auspices of a single supervisory authority based in the Member State of the organisation’s main establishment, known as the organisation’s Lead Supervisory Authority (LSA).
Without an LSA under the OSS, a non-EU headquartered organisation could fall within the remit of multiple separate data protection supervisory authorities across the entire EU.
While the EDPB has previously examined the issue of identifying a controller’s or processor’s LSA (see Opinion 8/2022) from a more general perspective, the EDPB considered that this previous opinion did not properly address the French Supervisory Authority’s question, which was: what criteria must be assessed to identify a controller’s “place of central administration”?
The EDPB concluded that for a controller’s “place of central administration” in the EU to be considered a main establishment under GDPR, it must make decisions on the purposes and means of the processing of personal data and have the power to have these decisions implemented.
As such, if the decisions on the purposes and means of processing, and the power to have such decisions implemented, are taken and exercised outside of the EU, then the organisation’s “place of central administration” cannot be relied upon to establish a main establishment under GDPR. As a result, the OSS mechanism would not apply.
Burden of Proof
The EDPB reiterates that the burden of proving that the “place of central administration” is the location where the decisions on the purposes and means of processing are taken (along with the power to implement them) rests on controllers, and that controllers must cooperate with the supervisory authorities. The supervisory authorities can challenge the controller’s analysis based on an objective examination of the relevant facts, requesting further information where required.
The Opinion specifically warns that GDPR does not permit “forum shopping” in the identification of the main establishment. According to Recital 36 of the GDPR, the determination of the main establishment should be based on objective criteria and thus cannot be based on a subjective designation.
Potential Consequences for Multi-national Companies
The EDPB has heightened its focus on prompting supervisory authorities to scrutinise whether multinational companies headquartered in the EU have adequate substance in terms of decision-making related to their processing operations and the authority to execute those decisions.
The Opinion may make it more challenging for organisations to assert that they possess a main establishment within the EU, so as to claim an LSA, solely on the basis of the existence of a subsidiary (even if it is a regional headquarters) within the EU. As a result, controllers should expect more attention to be paid to this area in the future and should ensure that a documented assessment is completed (and maintained) to demonstrate the objective reasons for a particular Member State being the “place of central administration” and, in turn, the location of their LSA.
For further updates, advice and insights on cross-border enforcement of data protection laws, please contact John O’Connor, Rachel Hayes or your usual William Fry contact.
Contributed by Conor Forde & Rebecca McNamee