The European Data Protection Board (EDPB) recently published an opinion on how to interpret the definition of “main establishment” for the one-stop-shop mechanism in the EU General Data Protection Regulation (GDPR).
Background
Organisations that are based in multiple EU countries may have to communicate with each national authority individually to ensure that they comply with their responsibilities as “data controllers” under the GDPR.
However, if the one-stop-shop mechanism applies, then data controllers will only need to liaise with a single “lead authority”, which will represent all other relevant authorities. By doing this, controllers can ensure that any data protection issues are resolved quickly and reduce their administrative burden.
For this mechanism to apply, the controller’s main establishment must be in an EU member state. A main establishment is defined as “the place of its central administration” (PoCA) in the EU, unless it has an establishment in another member state which has the power to make and implement decisions on the purposes and means of the processing of personal data.
The French data protection authority sought clarification on this provision, due to uncertainty over whether it is enough for a controller to have a PoCA in the EU, or whether this PoCA must also be able to make and implement data processing decisions. This is an issue for national authorities, which may need to investigate the powers of a controller’s PoCA before they can designate a single point of contact.
The EDPB’s opinion addresses this issue by confirming the following points. The opinion applies specifically to the EU GDPR, as opposed to the UK GDPR.
The EDPB’s opinion
A PoCA is likely, but not guaranteed, to be the main establishment. Data controllers must assess whether their PoCA has the power to make and implement data processing decisions, or if this responsibility has been delegated to their establishment in a different member state.
The reference to PoCAs in the GDPR simply establishes a starting point for determining where a controller’s data processing powers lie. National authorities should agree who will act as the lead authority for the controller to communicate with, based on the evidence.
Data controllers that operate internationally may make their data processing decisions in a non-EU country. If a controller does not have its main establishment in a member state, then it will not benefit from the one-stop-shop mechanism. This will be particularly relevant for companies that primarily operate in a non-EU country (such as the UK) but have an EU presence.
Practical considerations
As the location of a main establishment must be verified by national authorities, data controllers cannot use their PoCA to decide which national authority they will communicate with when data protection issues arise (commonly referred to as “forum shopping”).
To benefit from the one-stop-shop mechanism, controllers should inform the relevant national authorities of the location of their PoCA, and whether the PoCA has the power to make and implement data processing decisions.
National authorities can then, based on the evidence, decide who should act as the controller’s lead supervisory authority, or that no main establishment exists within the EU.
Please contact us if you require advice on data protection compliance.