OPINION 4/2024 – EDPB REGARDING NOTION OF MAIN ESTABLISHMENT OF A CONTROLLER IN THE EU

By Mugurel Olariu, RPD protectie date

The French Supervisory Authority (AS FR) has requested the European Data Protection Board to issue an opinion on the notion of the main establishment of an operator under Article 4(16)(a) of the GDPR and on the criteria for applying the mechanism single window, in particular as regards the notion of the operator’s “place of central administration” in the Union.

We note that in the matter, the EDPB adopted Guidelines 8/2022 for the identification of the main supervisory authority of the operator or the person authorized by the operator, version 2.0 on March 28, 2023 [1]. The Board appreciates that the request addressed by AS FR refers to the application of the notion of the main establishment of the operator under Article 4(16)(a) GDPR, which has important consequences for the practical application of the one-stop-shop mechanism. Therefore, this request concerns a “matter of general application” within the meaning of Article 64(2) GDPR, as it concerns the consistent interpretation of the limits of powers of Supervisory Authorities (SAs) to ensure, inter alia, a consistent practice of cooperation between SA in accordance with Chapter VII, Section 1 GDPR.

Thus, the Board analyzes and clarifies how the SA should apply Article 4(16)(a) of the GDPR in practice to ensure its consistent application. In particular, the Board reiterates that the burden of proof in relation to where the relevant processing decisions are made and where there is power to enforce such decisions in the Union ultimately rests with the controllers and that they have an obligation to cooperate with the authorities of supervision.

Considering the literal interpretation of the legal provision, the Board notes that Article 4(16)(a) GDPR is divided into three parts. There is first the condition that an operator has establishments in more than one Member State in the Union (first part). In addition, if this condition is met, the second and third parts provide for two possibilities where one of these establishments can qualify as the main establishment of the operator. This is the case when the seat corresponds to the “place of central administration in the Union” of the controller (part two), unless “another unit of the controller in the Union” takes “decisions on the purposes and means of the processing of personal data” and “has power to enforce such decisions” (part three).

The Board believes that, in order to respond to AS FR’s request, it has to answer two questions:

Question 1: For a controller’s “place of central administration in the Union” to be qualified as a main establishment under Article 4(16)(a) GDPR, should this establishment take decisions on the purposes and means of the processing and have the power to have them implemented?

Question 2: Does the one-stop-shop mechanism apply only if there is evidence that one of the establishments in the Union of the controller (the controller’s “place of central administration” or not) takes the decisions on the purposes and means concerning the processing operations in question and has the power to have such decisions implemented?

The Board concludes in this opinion that a controller’s “place of central administration” in the Union can be considered a main unit under Article 4(16)(a) of the GDPR only if it makes decisions about the purposes and means of processing personal data and has the power to enforce these decisions.

In addition, the Board considers that the one-stop-shop mechanism can only apply if there is evidence that one of the controller’s units in the Union makes the decisions about the purposes and means for the relevant processing operations and has the power to enforce those decisions. Therefore, when the decisions on the ends and means and the power to implement such decisions are exercised outside the Union, there should be no main unit under Article 4(16)(a) GDPR and the mechanism the one-stop shop should not apply.

Finally, the Board clarifies that SA retain the ability to challenge the operator’s claim based on an objective examination of the relevant facts, requesting additional information where necessary. For this review, the Board recalls the duty of the SAs to cooperate and that they should therefore agree on the appropriate level of detail on a case-by-case basis. In particular, the determination of a place of central management in the Union (e.g. regional headquarters) constitutes a starting point that helps the SA to identify where decisions on the purposes and means of processing are possibly made and the power to enforce those decisions. However, there will still be a need for the SA to assess where the ends and means decisions are made and where there is power to enforce such decisions in the Union before qualifying that unit (or any other unit in the union ) as the main establishment.

Practically, the Board provides answers to the two questions in the conclusions of its Opinion 4/2024 [2], as follows:

  • a controller’s “place of central administration” in the Union can be considered as a main establishment under Article 4(16)(a) GDPR only if it takes the decisions on the purposes and means of the processing of personal data and it has power to have these decisions implemented.
  • the one-stop-shop mechanism can only apply if there is evidence that one of the establishments in the Union of the controller takes the decisions on the purposes and means for the relevant processing operations and has the power to have such decisions implemented.

[1] https://www.edpb.europa.eu/our-work- tools/our-documents/guidelines/guidelines-82022-identifying-controller-or-processors-lead_ro

[2] https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-042024 -notion-main-establishment_ro

Articolul precedentGambling Market size in UK to record USD 3.28 billion growth from 2024-2028
Articolul următorCasino Guru Launches “Safer Gambling Talks” Webinar Series with Šimon Vincze

ARTICOLE SIMILAREDE LA ACELAȘI AUTOR