Adopted on 13 February 2024 [Access official publication on EDPB website]

Executive summary

The French Supervisory Authority requested the European Data Protection Board to issue an opinion on the notion of main establishment of a controller under Article 4(16)(a) GDPR, and on the criteria for the application of the one-stop-shop mechanism, in particular regarding the notion of controller’s “place of central administration” in the Union.

The Board concludes in this opinion that a controller’s “place of central administration” in the Union can be considered as a main establishment under Article 4(16)(a) GDPR only if it takes the decisions on the purposes and means of the processing of personal data and it has power to have these decisions implemented.

Furthermore, the Board considers that the one-stop-shop mechanism can only apply if there is evidence that one of the establishments in the Union of the controller takes the decisions on the purposes and means for the relevant processing operations and has the power to have these decisions implemented. Therefore, when the decisions on the purposes and means and the power to have such decisions implemented are exercised outside of the Union, there should be no main establishment under Article 4(16)(a) GDPR, and the one-stop-shop mechanism should not apply.

Additionally, the Board clarifies how the supervisory authorities should apply in practice Article 4(16)(a) GDPR to ensure its consistent application. In particular, the Board reiterates that the burden of proof in relation to the place where the relevant processing decisions are taken and where there is the power to implement such decisions in the Union ultimately falls on controllers, and that they have a duty to cooperate with the supervisory authorities.

Lastly, the Board clarifiesthat the supervisory authoritiesretain the ability to challenge the controller’s claim based on an objective examination of the relevant facts, requesting further information where required. For this examination, the Board recalls the duty of the supervisory authorities to cooperate and that they should therefore jointly agree on the level of detail appropriate, depending on the concrete case. In particular, determining a place of central management in the Union (e.g. regional headquarters) constitutes a starting point helping the supervisory authorities to identify where the decisions on the purposes and means for the processing are possibly taken and the power to have these decisions implemented. However, there will still be the need for the supervisory authorities to assess the place where the decisions on the purposes and means are taken and where there is the power to implement such decisions in the Union before qualifying that establishment (or any other establishment in the Union) as a main establishment

The European Data Protection Board

Having regard to Article 63 and Article 64(2) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”),

Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018,

Having regard to Article 10 and Article 22 of its Rules of Procedure,

HAS ADOPTED THE FOLLOWING OPINION:

1 INTRODUCTION

1.1 Summary of facts

  1. On 10 October 2023, the French Supervisory Authority (hereinafter, the “FR SA”) requested the European Data Protection Board (hereinafter, the “EDPB” or the “Board”) to issue an opinion on the notion of main establishment of a controller under Article 4(16)(a) GDPR and the criteria for the application of the one-stop-shop mechanism.
  2. The FR SA specifically highlighted in its request possible different interpretations of the definition of “main establishment” of the controller under Article 4(16)(a) GDPR. In essence, the FR SA asked the Board whether, in order to consider the “place of the central administration” of the controller in the Union as a main establishment under Article 4(16)(a) GDPR, there is a need for the supervisory authorities (hereinafter, “SAs”) to collect evidence that this “place of central administration” (hereinafter, “PoCA”) takes the decisions on the purposes and means of the processing and has the power to have these decisions implemented.
  3. The Board considers that, in order to provide a reply to the request by the FR SA, the following questions need to be answered:

  1. The Chair of the Board and the FR SA considered the file complete on 11 October 2023. On the same date, the file was broadcast by the Secretariat. The Chair, considering the complexity of the matter, decided to extend the deadline in line with Article 64(3) GDPR.

    1.2 Admissibility of the request for an Article 64(2) GDPR Opinion

  2. Article 64(2) of the GDPR provides that, in particular, any supervisory authority may request that any matter of general application or producing effects in more than one Member State be examined by the Board with a view to obtaining an opinion.

  3. The Board considers that the request referred by the FR SA relates to the application of the notion of the main establishment of the controller under Article 4(16)(a) GDPR, which has important consequences for the practical application of the one-stop-shop mechanism. Therefore, this request concerns a “matter of general application” within the meaning of Article 64(2) GDPR, as it relates to the consistent interpretation on the boundaries of the competences of SAs to ensure, amongst others, a consistent practice of cooperation among SAs in accordance with Chapter VII, Section 1 GDPR.