International companies headquartered outside the EU but established in several European Member States face the question of how to determine their main establishment in the Union. The Guidelines for identifying a controller or processor’s lead supervisory authority (WP 244 of the Article 29 Working Party, endorsed by the EDPB) leave this question open to a large extent:
“There will be borderline and complex situations where it is difficult to identify the main establishment or to determine where decisions about data processing are taken. This might be the case where there is cross-border processing activity and the controller is established in several Member States, but there is no central administration in the EU and none of the EU establishments are taking decisions about the processing (i.e. decisions are taken exclusively outside of the EU)” (§ 2.2).
The Guidelines recognize that the GDPR does not provide a clear solution for this situation:
“In these circumstances, the company should designate the establishment that has the authority to implement decisions about the processing activity and to take liability for the processing, including having sufficient assets, as its main establishment.”
Does this mean that the main establishment of a controller should always be a controller as well?
According to the definition in Art. 4 (16)(a) GDPR, “main establishment” means
“as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union.”
In other words, the exception after “unless …” does not apply if the decisions on the purposes and means are taken in an establishment outside the Union.
Art. 4 (16)(a) also states that the main establishment of the controller is not the place of its central administration if another establishment in the Union has the power to have the decisions on the purposes and means of the personal data processing implemented, “in which case the establishment having taken such decisions is to be considered to be the main establishment”.
To put it another way, the place of the central administration of the controller in the Union is not its “main establishment” if another establishment in the Union has the controllership of the personal data processing of the controller. This exception covers the hypothesis wherein the decisions on the purposes and means of the processing are not taken at the location of the central administration but in one of the other establishments of the controller in the Union. In such a case, the establishment of the controller where the decisions on the means and purposes of the processing are taken will be considered the “main establishment”.
Recital 36 of the GDPR clarifies in general terms how the place of the central administration must be determined. It states:
“The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements.”
One could say: the place of the central administration of a controller should be the place where management activities are exercised with a view to the basic decisions (German version: “die Grundsatzentscheidungen”) of the controller about the purposes and means of processing. These decisions can be taken elsewhere by the controller, for example at the headquarters outside the EU.
Let us illustrate this with a simple example of a multinational with its headquarters located in the US and subsidiaries in several EU Member States. Carolina, the regional HR manager for Europe, and her team coordinate the HR management of all subsidiaries in that region and have their offices in the Amsterdam subsidiary. This location, a production unit, has been chosen because Carolina is a Dutch citizen, with her husband and children in the Netherlands. Moreover, the Amsterdam subsidiary has some unoccupied office space, which makes it convenient to host her and her team at this location.
While Carolina and her team are hosted by the Amsterdam subsidiary, she reports directly to the central HR management at the US headquarters. Amsterdam is the place of the central HR management of the controller in the Union. Carolina and her team effectively and really exercise management activities with a view to (Dutch version: “met het oog op”) the basic decisions to be taken by the controller on the purposes and means of personal data processing.
And because they have their offices on the premises of the Amsterdam subsidiary, they do so “through stable arrangements”. The subsidiary itself, on the other hand, as a legal person, does not in any way participate in the decision-making process of the company on the purposes and means of data processing. As far as it processes data relating to its own workers, it operates as a processor, on behalf of the controller in the US.
One could ask why Recital 36 requires that the management activities must have a link with the core decision-making process on the purposes and means of personal data processing. The reason seems obvious. “Central administration” can also refer to central property management, to central maintenance of production lines or to other activities without any relation to personal data processing. This is not the kind of central administration the GDPR is referring to. The concept primarily refers to human resources, customer relations and other activities involving the processing of personal data.
In practice, controllers headquartered outside the Union and established in more than one Member State in the Union must be cautious. If they wish to benefit from the so-called “one-stop mechanism”, they are forced to designate one of their subsidiaries as the main establishment. The designation will, however, only be approved if this subsidiary is really and effectively the place where management activities are exercised in the framework of which (in the German version of Recital 36: “in deren Rahmen”) the controller takes the basic decisions on the purposes and means of its personal data processing in the Union.
The above-cited Guidelines issued by the former Article 29 Working Party warn:
“The burden of proof ultimately falls on controllers and processors to demonstrate to the relevant supervisory authorities where the relevant processing decisions are taken and where there is the power to implement such decisions. Effective records of data processing activity would help both organisations and supervisory authorities to determine the lead authority.”