DATA PROTECTION | The EDPB on the notion of a data controller’s main establishment

On 13 February 2024, the European Data Protection Board (EDPB) adopted an opinion regarding the identification of a data controller’s main establishment pursuant to Article 4.16(a) of the GDPR. The EDPB’s position emphasises that a controller’s “place of central administration” in the EU can be identified as a main establishment only if it is responsible for deciding on the purposes and means of the processing of personal data and if it has the power to have such decisions implemented. Furthermore, the EDPB clarifies that the One-Stop-Shop mechanism applies only if there is evidence demonstrating that one of the controller’s business premises in the EU qualifies as a main establishment. Indeed, if no organisation within the Union meets this requirement, there should be no main establishment of the controller in the Union. Lastly, the EDPB underscores the data controller’s responsibility to identify its main establishment and provide supporting evidence to the supervisory authority that is empowered to review and challenge the controller’s analysis.

Newsletter n. 94 – March 2024