On 13 February 2024, the European Data Protection Board ("EDPB") adopted an opinion on the concept of a data controller's main establishment under Article 4(16)(a) of the General Data Protection Regulation ("GDPR"), and on whether an organisation can rely on the one-stop-shop mechanism to communicate about GDPR compliance with a single European supervisory data protection authority ("SA") rather than with SAs in up to twenty-seven countries across the European Union.

Making a decision about whether an organisation can legitimately rely on the one-stop-shop mechanism under the GDPR is often of critical importance to a controller when attempting to respond to crisis events such as cyber attacks.

The opinion was issued in response to a request by the French Data Protection Authority and provides guidance on the conditions for determining a controller's main establishment where that controller has establishments in more than one EU Member State, and the application of the one-stop-shop mechanism which enables an organisation engaged in cross-border processing to deal with a lead supervisory authority ("LSA").

Identifying the main establishment

The opinion concludes that a controller's "place of central administration" in the EU will be its main establishment under Article 4(16)(a) GDPR if two conditions are met:

  1. it takes the decisions on the purposes and means of the processing of personal data; and
  2. it has the power to have such decisions implemented.

The burden of proof falls on controllers to demonstrate that they meet these criteria, and they have a duty to cooperate with the SAs in making this assessment. Controllers intending to specify their main establishment can evidence this with various material, such as up-to-date records of processing activities under Article 30 GDPR or the organisation's privacy policy. The opinion reaffirms that the determination must be based on objective criteria rather than on a subjective designation by the controller.

The controller's claims are subject to review by national SAs, which can use their powers under Article 58(1)(a) GDPR to contact a relevant establishment of the controller, or can rely on assistance from another SA to obtain the necessary information under Article 61 GDPR. SAs are also under a duty to cooperate with each other and should jointly agree on the level of detail appropriate to their assessment, depending on the specific circumstances.

Where a claim is rebutted, the SA in charge of collecting evidence should contact the relevant establishment of the organisation and inform that establishment of the SA's conclusion.

One-stop-shop mechanism

The LSA must be the SA of the European Union Member State where the organisation's main establishment is located. The opinion explains that the one-stop-shop mechanism can only apply if there is evidence that one of the controller's establishments in the EU meets the two main establishment conditions listed above.

Consequently, the mechanism cannot apply where processing decisions are made outside of the EU. Equally, the mechanism cannot apply where EU establishments do not take decisions on the purposes and means of processing, or do not have the power to implement those decisions.

If the one-stop-shop mechanism does not apply, national SAs remain competent to take individual action, as appropriate. It is therefore very important that organisations assess and determine in which country (if any) they have their main establishment for the purposes of the GDPR, and designate the relevant LSA in their GDPR compliance documentation. That documentation supports any later claim that the organisation only has to notify one SA (the LSA) of critical events from a GDPR compliance perspective, such as personal data breaches. Otherwise, organisations risk being forced to communicate individually with SAs in up to twenty-seven countries at the same time as responding to a crisis scenario such as a cyber incident.

Originally Published 28 February 2024


© Copyright 2024. The Mayer Brown Practices. All rights reserved.
