Author: Sebastian Bretthauer

(23) ‘cross-border processing’ means either:
– (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
– (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

I. Overview

Art. 4(23) GDPR contains a definition of the term ‘cross-border processing’. Art. 4(23)(a) refers to the processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State (→ mn. 3), and Art. 4(23)(b) refers to the processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State (→ mn. 6). The term ‘cross-border processing’ only appears in the GDPR in Art. 56 para. 1 and para. 6, as well as recital 56. Nevertheless, the legislator has created a corresponding definition, as the term represents a central point of reference in determining the competence of the lead supervisory authority (→ Art. 56 mn. 4 et seq.) and has a close systematic connection with the ‘one-stop-shop’ mechanism that was newly introduced into the GDPR. Cross-border processing refers exclusively to processing within the Union, in which at least two Member States must be concerned in different ways. Therefore, data processing related to third countries is not addressed by the provision.

II. Legislative history

The previously applicable European Data Protection Directive 95/46/EC did not contain a comparable definition. Neither the Commission’s proposal nor the Parliament’s proposal contained a corresponding term. The term first appeared in the Council’s proposal as a consequence of the implementation of the concept of the lead supervisory authority (Art. 56) and supervisory authorities concerned (Art. 4(22)) in the context of cooperation with cross-border processing scenarios.

III. Analysis
1. Establishments in more than one Member State, lit. a

Art. 4(23)(a) GDPR refers to the processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or a processor in the Union, where the controller or processor is established in more than one Member State. The provision requires two elements that must be cumulatively present for a processing operation to be considered as cross-border processing. First, the controller or processor must have establishments in several Member States. Secondly, the processing must take place in the context of the activities of one of these establishments in more than one Member State. The connecting factor for cross-border data processing is therefore that the data processing is carried out in the context of establishments located in different Member States. The wording of the provision emphasises that the processing must actually take place in several establishments (‘… in the context of the activities of establishments …’), so that the unclear wording of recital 124 clause 1 (‘… in connection with the activities of an establishment …’) must be set aside when interpreting the provision.

The provision is essentially related to the characteristic of an establishment. Therefore, the case law of the ECJ on this criterion must be included (→ Art. 4(16) mn. 4 et seq.). In particular, the ECJ’s Weltimmo decision must be taken into account. According to that decision, the concept of establishment is to be interpreted broadly. The concept is flexible and distinct from a purely formalistic view. In particular, the degree of stability of the arrangements and the effective exercise of activities are decisive, and even minor activity is sufficient. Setting up an office, the activities of a sales representative or even the mere existence of a post office box in the territory of a Member State are sufficient to count toward the establishment of an establishment. The criteria for the existence of an establishment are therefore generally set low.

However, the provision does not apply to data processing operations that result solely from the fact that a controller and its processor are established in different Member States. The wording of the provision presupposes that the controller or processor are acting within the context of establishment activity. This corresponds in particular to the idea that cross-border processing triggers special consequences that are increased considerably compared to single processing operations. However, if there is no cross-border processing, there is no need for special coordination between different supervisory authorities. If there is nevertheless increased risk potential in such constellations, and this is addressed by lit. b (→ mn. 6 et seq.).

[…]