The opinion was issued in response to a request by the French Data Protection Authority. It provides guidance on the conditions for determining a controller's main establishment where that controller has establishments in more than one EU Member State, and on the application of the one-stop-shop mechanism, which enables an organisation engaged in cross-border processing to deal with a single lead supervisory authority ("LSA") rather than with each national supervisory authority ("SA") separately.
Identifying the main establishment
The opinion concludes that a controller's "place of central administration" in the EU will be its main establishment under Article 4(16)(a) GDPR if two conditions are met:
- it takes the decisions on the purposes and means of the processing of personal data; and
- it has the power to have those decisions implemented.
The burden of proof falls on controllers to demonstrate that they meet these criteria, and they have a duty to cooperate with the SAs in the making of this assessment. Controllers intending to specify their main establishment can evidence this with various material, such as up-to-date records of processing activities maintained under Article 30 GDPR or the organisation's privacy policy. The opinion reaffirms that the determination should be based on objective criteria rather than on the controller's own designation.
Claims of the controller are subject to review by national SAs who can use their powers under Article 58(1)(a) GDPR to contact a relevant establishment of the controller or rely on assistance from another SA to obtain necessary information under Article 61 GDPR. SAs are also under a duty to cooperate and should jointly agree on the level of detail appropriate when making their assessment, depending on the specific circumstances.
Where a claim is rebutted, the SA in charge of collecting evidence should contact the relevant establishment of the organisation and inform it of the SA's conclusion.
One-stop-shop mechanism
The LSA must be the SA of the EU Member State in which the organisation's main establishment is located. The opinion explains that the one-stop-shop mechanism can apply only if there is evidence that one of the controller's establishments in the EU meets the two main establishment conditions listed above.
Consequently, the mechanism cannot apply where the decisions on the purposes and means of processing are taken outside the EU. Equally, it cannot apply where the EU establishments neither take those decisions nor have the power to have them implemented.
If the one-stop-shop mechanism does not apply, each national SA remains competent to take action individually, as appropriate. It is therefore important that organisations assess and determine in which country (if any) they have their main establishment for the purposes of the GDPR, and record the resulting LSA in their GDPR compliance documentation. That record supports any later claim that the organisation need notify only one SA (the LSA) of critical events such as personal data breaches. Otherwise, organisations risk having to communicate individually with SAs in up to twenty-seven countries at the same time as they are responding to a crisis such as a cyber incident.