EDPB Provides Guidance On Determining A 'Main Establishment' And The 'One-Stop-Shop' Mechanism

Mayer Brown

[co-author: Oli Jones]*

The opinion was issued in response to a request by the French Data Protection Authority and provides guidance on the conditions for determining a controller's main establishment where that controller has establishments in more than one EU Member State, and the application of the one-stop-shop mechanism which enables an organisation engaged in cross-border processing to deal with a lead supervisory authority ("LSA").

Identifying the main establishment

The opinion concludes that a controller's "place of central administration" in the EU will be its main establishment under Article 4(16)(a) GDPR if two conditions are met:

  1. it takes the decisions on the purposes and means of the processing of personal data; and
  2. it has the power to have such decisions implemented.

The burden of proof falls on controllers to demonstrate that they have met these criteria, and they have a duty to cooperate with the SAs in making this assessment. Controllers intending to specify their main establishment can evidence this with various material, such as the effective records of processing activities under Article 30 GDPR, or the organisation's privacy policy. The opinion reaffirms that the determination should be based on objective criteria rather than a subjective designation.

Claims of the controller are subject to review by national SAs who can use their powers under Article 58(1)(a) GDPR to contact a relevant establishment of the controller or rely on assistance from another SA to obtain necessary information under Article 61 GDPR. SAs are also under a duty to cooperate and should jointly agree on the level of detail appropriate when making their assessment, depending on the specific circumstances.

Where a claim is rebutted, the SA in charge of collecting evidence should contact the relevant establishment of the organisation and inform them of its conclusion.

One-stop-shop mechanism

The LSA must be the SA of the European Union Member State where the organisation's main establishment is located. The opinion explains that the one-stop-shop mechanism can only apply if there is evidence that one of the controller's establishments in the EU meets the two main establishment conditions listed above.

Consequently, the mechanism cannot apply where processing decisions are made outside of the EU. Equally, the mechanism cannot apply where EU establishments do not take decisions on the purposes and means of processing, or do not have the power to implement those decisions.

If the one-stop-shop mechanism does not apply, national SAs remain competent to take individual action, as appropriate. It is therefore very important that organisations assess and determine in which country (if any) they may have their main establishment for the purposes of the GDPR, so that the relevant LSA can be designated in their GDPR compliance documentation. That documentation supports any claim that might have to be made at a later date that the organisation only has to notify one SA (the LSA) of critical events from a GDPR compliance perspective, such as personal data breaches. Otherwise, organisations risk being forced to communicate individually with SAs in up to twenty-seven countries at the same time as responding to a crisis scenario such as a cyber incident.

*Trainee Solicitor
