The European Union General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the scope of the regulation.
To help address this confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: What does it mean to be “established” in the EU?
The GDPR purports to apply to companies that process data “in the context of the activities of an establishment . . . in the Union.” 1 Although the regulation does not offer a precise definition of what it means to be an “establishment,” it offers the following hints:
-
Stable Arrangement. According to the GDPR establishment “implies the effective and real exercise of activity through stable arrangements.”2
-
Legal Form May Be Relevant, But Is Not Determinative. The GDPR states that if an entity is active in the European Union the legal form of those activities “whether through a branch or a subsidiary with a legal personality, is not the determining factor” when deciding whether the entity is “established.”3 Put differently, the fact that a company is not incorporated in the EU does not necessarily mean that it does not have an “establishment” in the EU.
-
Location of Infrastructure May Be Relevant, But Is Not Determinative. The GDPR states that “presence and use of technical means and technologies for processing” within the European Union is not the “determining criteria” of whether a company’s “main establishment” is in the European Union, but it implies that it may be one factor of whether an establishment exists.4
-
Central Administration Is a Factor. The GDPR refers to the "central administration” of an organization as typically its “main”5 The net result is that if an organization coordinates its activities from an EU member state the organization is likely to be found to have an establishment in that member state.
-
Decision Making Is a Factor. The place where “decisions on the purposes and means of the processing of personal data” are made is a factor when determining where a company’s “main establishment” may be located.6
The Working Party, the organization charged with interpreting the GDPR, has provided little additional context other than to advise companies to look to judicial interpretation stating that ultimately "[t]he place at which a controller is established . . . [h]as to be determined in conformity with the case law of the Court of Justice of the European Communities."7 The European Court of Justice in turn has provided two additional indications of what factors may be relevant when determining whether an entity has an establishment in the EU.
First, although the existence of a legal entity may not be determinative, the ECJ has confirmed that it is probative. Specifically, the ECJ held in Weltimmo v. Nemzeti Adtvedelmi es Informacioszabadsag Hatosag, that if a company is registered in an EU country, it would be considered established in that country. Similarly in Google v. Spain, the ECJ held that if there is a "[s]eparate legal personality" that "constitutes a subsidiary" of an American company, but the subsidiary is on the soil of an EU member state, the subsidiary would be considered an "establishment" within the EU.8
Second, the ECJ has looked to whether a company has employees or a legal representative physically in a country. For example in Weltimmo, the ECJ held that the "presence of only one representative can, in some circumstances, suffice to constitute a stable arrangement if that representative acts with a sufficient degree of stability through the presence of the necessary equipment. . ."9
[View source.]
