The European Data Protection Board recently clarified the one-stop-shop test and in particular, the notion of “main establishment” under GDPR. This is relevant to businesses engaged in cross border activities within the European Union or looking to establish in a Member State. Technology partner, Robert McDonagh examines the scope and impact of the EDPB’s opinion and whether the rationale for their position stands up to scrutiny.

The European Data Protection Board (EDPB) issued an opinion on 13 February 2024 clarifying the one-stop-shop (OSS) test and, in particular, what is a “main establishment” under Article 4(16) of the GDPR. The opinion is relevant to any existing businesses with cross-border activities in the EU as well as those considering establishing themselves in the EU. It highlights the need to put in place robust decision-making and governance frameworks to benefit from OSS.

While the EDPB’s opinion is broadly consistent with prior guidelines, it is however debatable whether its position is correct.

Why is identifying an organisation’s “main establishment” important?

If an organisation has more than one EU establishment, identifying its “main establishment” is critical as this determines its “lead supervisory authority” (LSA) under the OSS test (Article 56). The LSA is the controller’s sole interlocutor and leads all inquiries into the controller’s EEA data processing activity. This means other EU supervisory authorities (SAs) cannot directly regulate the controller, except in limited circumstances.

If a controller has more than one establishment in the EU, its “main” establishment is the place of its central administration in the EU. This is the case “unless” another one of its EU establishments takes “the decisions on the purposes and means of the processing of personal data” and “has the power to have such decisions implemented” (Article 4(16)).

The EDPB has repeatedly made clear that the GDPR does not permit “forum shopping” and the identification of the “main establishment” must be based on objective criteria.

Key takeaways

• An organisation’s place of central administration in the EU, e.g. regional headquarters, can be considered as a “main establishment” for the OSS test, provided that it (a) takes the decisions on the purposes and means of the processing of personal data and (b) has power to have these decisions implemented.
• Where there is no evidence that (a) and (b) lie with the place of central administration in the EU or with “another establishment of the controller in the Union”, i.e. if these take place outside the EU, there is no “main establishment” for that processing. In those cases, OSS should not apply.
• From a practical perspective, controllers bear the burden of proving which of its establishments makes the processing decisions and has the power to implement those decisions. Those claims are subject to review by the SAs, who have the ability to challenge the controller and request further information where required.
• The EDPB suggests that effective Article 30 GDPR records of processing activities (ROPA) and privacy policies can be a means of supporting a controller’s claim of main establishment.
• SAs should share their assessment and conclusion regarding a controller’s main establishment with all other concerned SAs. This enables other SAs to push back on this assessment and refer the matter to the EDPB for determination under the Article 63 GDPR consistency mechanism.

Is the EDPB right?

The EDPB’s position remains consistent with previous guidance, including Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority. However, there is some debate about whether its position is correct.

Article 4(16) GDPR states that:

“as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment”.

Despite the EDPB’s position, this does not say that a place of central administration must take decisions on purposes and means to be the “main establishment”. Instead, it provides for the central administration to be displaced as the main establishment where another EU establishment makes these decisions and has the power to implement them.

This issue was previously considered by France’s highest administration court, Conseil d’État.[1] The Conseil d’État equated the place of the central administration to “the place of its real seat”. It clarified that if a non-EU controller has “neither a central administration nor an establishment with decision-making power as to its purposes and means” in the EU, OSS does not apply, i.e. where these two cumulative negative conditions are not met.

Unlike the EDPB’s opinion, this allows for a central administration to be the main establishment even where one of these conditions is not met. This would be the case, for example, where the decision-making power regarding the purposes and means of processing sits outside the EU, rather than with the EU central administration. This could arise where the establishment exercises sufficient power of direction or control over other EU subsidiaries to constitute the “real seat” or central administration in the EU, even though it does not (and no other EU establishment does not) make decisions on the purposes and means of processing of personal data.

Whilst Recital 36 GDPR does say that the “main establishment” should imply the effective and real exercise of management activities “determining the main decisions as to the purposes and means of processing through stable arrangement”, Recitals are not binding. In addition, and notably, this requirement is not reflected in Article 4(16) at least regarding the “central administration” criterion, allowing for a different interpretation potentially.

The EDPB’s more restrictive interpretation of the OSS test does not serve the GDPR’s objective of providing for consistent regulation. Instead, this interpretation can result in further fragmentation as a result of multiple SAs regulating a single controller.

What does the new opinion mean for organisations?

Overall, the opinion is broadly consistent with the EDPB’s existing guidelines.

It is clear from the opinion that identifying an organisation’s place of central management or headquarters is a good starting point. However, it is crucial for organisations to have evidence demonstrating where the decisions about your organisation’s data processing activities are taking place, and where the power for implementing those decisions lies, in order to support a claim of “main establishment”. Organisations should expect to be challenged by SAs and so must ensure that they have relevant measures in place, such as appropriate governance and decision-making frameworks, robust policies and procedures and effective GDPR accountability documents such as ROPAs, to substantiate their position.

We work extensively with clients on developing governance and decision-making frameworks to enable them to do so.

For more information and expert advice on related matters, contact a member of our Privacy & Data Security team.

The content of this article is provided for information purposes only and does not constitute legal or other advice.

People also ask

[1] Decision no. 430810