Author: Sebastian Bretthauer
(16) “main establishment” means:
- (a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
- (b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;
I. Overview
Art. 4(16) GDPR contains a definition of the term ’main establishment’.[1] In systematic terms, that provision bears a close relation to the ‘one-stop-shop’ mechanism that was newly introduced into the GDPR and that plays an essential role in cross-border data processing by companies that were established in the EU.[2] The provision stipulates which one of several establishments of a company in the EU is to be qualified as its main establishment. Therefore, that provision is of particular importance for determining the lead supervisory authority (→ Art. 56 mn. 4 et seq.) in the context of cross-border data processing (→ Art. 4(23)).[3] The definition is relevant within the scope of application of Articles 56(1), 60(7), 60(9) and 65(1)(b) GDPR. For purposes of interpreting the provision, recital 36 should be considered, in particular, as it provides material reference points in that regard.
From a systematic point of view, the provision distinguishes between the main establishment of a controller (→ mn. 10 et seq.) and the main establishment of a processor (→ mn. 13 et seq.). Nevertheless, in both cases the decisive criterion for determining the main establishment is, in principle, the place of the central administration (→ mn. 7 et seq.). In this case, there must be several establishments in the EU. However, the GDPR does not define the criteria to be applied to an individual establishment (→ mn. 4 et seq.), as it does not contain a definition of the term ‘establishment’ itself.[4] Furthermore, the GDPR does not contain any provisions on the legal consequences of changing the main establishment (→ mn. 15) or on the determination of the main establishment in a group of undertakings (→ mn. 16).[5] Similarly, there are no specific rules on the interaction of a controller and a processor (→ mn. 17 et seq.), on joint controllers (→ mn. 19) and on the lack of a central administration in the EU (→ mn. 20 et seq.).
II. Legislative history
In the legislative process, the provision was only insignificantly changed.[6] The previously applicable European Data Protection Directive 95/46/EC did not contain a comparable definition.[7] The Commission’s proposal focused on the fact that a main establishment is the place where the basic decisions regarding the purposes, conditions and means of the processing of personal data are made.[8] The Parliament’s subsequent proposal made minor changes and added objective criteria to the proposal – such as the location of the controller or the main establishment of the processor – on the basis of which a qualification as a main establishment can be considered.[9] The Council’s proposal finally adopted the proposals to a large extent.[10] All three proposals agreed that the means and purposes of the personal data processing are decisive for determining the main establishment. In contrast, the place determined by the legal form of the enterprise is not relevant.[11]
III. Analysis
-
Establishments in more than one Member State
The determination of a main establishment presupposes that the controller or processor has several establishments in the EU. The GDPR does not contain a definition of the term ‘establishment’.[12] Only recital 22 provides an indication. According to this, an establishment requires the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.
Before the GDPR came into force, the relevant criteria for determining establishment were derived, in particular, from recital 19 of the European Data Protection Directive 95/46/EC.[13] Therefore, the case law of the ECJ in this regard is also of particular relevance in the scope of application of the GDPR, because recital 19 of the European Data Protection Directive 95/46/EC and recital 22 of the GDPR are almost identical word for word. In particular, the ECJ’s Weltimmo decision can be read on interpreting the term establishment.[14] In principle, the term establishment is to be interpreted broadly.[15] This is because, according to its conception, the term is formed flexibly and distances itself from a purely formalistic view according to which an enterprise can only be established at the place where it is registered.[16] Rather, the degrees of stability of the arrangements as well as the effective exercise of activities are to be taken into account.[17] Even a minimal activity is sufficient in this respect.[18]
[…]
[1]For general remarks on the concept of establishment and data protection law see: Sancho, E.L. Rev. 2017, 42(4), 491 et seq.
[2]Kuner/Bygrave/Docksey, ‘Background and Evolution of the GDPR’, in Kuner/Bygrave/Docksey, 14.
[3]Tosoni, ‘Art. 4(16)’, in Kuner/Bygrave/Docksey, 227; Polenz, ‘Art. 4(16)’ in Simitis/Hornung/Spiecker gen. Döhmann, para. 1.
[4]Tosoni, ‘Art. 4(16)’ in Kuner/Bygrave/Docksey, 229.
[5]See also Tosoni, ‘Art. 4(16)’ in Kuner/Bygrave/Docksey, 235 et seq.
[6]Polenz, ‘Art. 4(16)’, in Simitis/Hornung/Spiecker gen. Döhmann, para. 2.
[7]Tosoni, ‘Art. 4(16)’ in Kuner/Bygrave/Docksey, 228.
[8]EC, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM (2012) 11 final, Art. 4(13).
[9]EP, European Parliament legislative resolution of 12 March 2014 on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM (2012)0011 – C7-0025/2012 – 2012/0011(COD)), Art. 4(13).
[10]Council of the European Union, Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), 9565/15, Art. 4(13).
[11]Polenz, ‘Art. 4(16)’, in Simitis/Hornung/Spiecker gen. Döhmann, para. 2.
[12]Tosoni, ‘Art. 4(16)’ in Kuner/Bygrave/Docksey, 229.
[13]Tosoni, ‘Art. 4(16)’ in Kuner/Bygrave/Docksey, 229; Polenz, ‘Art. 4(16)’, in Simitis/Hornung/Spiecker gen. Döhmann, para. 4.
[14]Case C-230/14, 1.10.2015, Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, ECLI:EU:C:2015:639; see also Svantesson, IDPL 2016, 210 (211 et seq.).
[15]Case C-230/14, 1.10.2015, Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, ECLI:EU:C:2015:639, para. 31.
[16]Case C-230/14, 1.10.2015, Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, ECLI:EU:C:2015:639, para. 29; see also Sancho, E.L. Rev. 2017, 42(4), 491 (497 et seq.).
[17]Case C-230/14, 1.10.2015, Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, ECLI:EU:C:2015:639, para. 29.
[18]Case C-230/14, 1.10.2015, Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, ECLI:EU:C:2015:639, para. 31.