In the case of cross-border processing activities, companies do not have to deal with the supervisory authorities in all EU Member States concerned, but only with their lead supervisory authority at the location of the company’s main establishment.
In February 2024, the European Data Protection Board (EDPB) adopted an opinion that further clarifies the application of this one-stop shop mechanism. We set out the practical implications of the opinion and explain why international groups in particular should take note of it.
What is the One-Stop-Shop mechanism?
In principle, each supervisory authority is responsible for fulfilling the tasks under the General Data Protection Regulation (GDPR) on the territory of its own member state (Art. 55 GDPR). This means, among other things, that the authority of an EU member state is responsible for the supervision of companies based in that member state.
A significant exception to this is the one-stop-shop mechanism enshrined in Art. 56 GDPR. Under this mechanism, in the case of cross-border processing activities, the supervisory authorities of all member states in which the processing takes place are not all responsible at the same time. Rather, the supervisory authority of the main establishment or the only establishment of the controller is generally responsible for monitoring such processing activities. This so-called lead supervisory authority is obliged under Art. 60 GDPR to cooperate with the other supervisory authorities concerned and to endeavour to reach a consensus.
On the one hand, this is intended to ensure that the GDPR is applied uniformly throughout the EU. On the other hand, the one-stop-shop procedure is also meant to benefit the companies concerned: it gives them greater legal certainty and a single point of contact. This should not only mean less effort, but also allow companies to rely primarily on the interpretation of the GDPR by their own lead supervisory authority. Last but not least, it also means that the authority will generally use the same language as the company.
Determination of the main establishment according to GDPR
For companies with only one branch in the EU, determining the lead supervisory authority does not pose any problems. For companies with several branches in the EU, the supervisory authority of the company’s main branch is considered the lead supervisory authority. It is therefore essential to correctly determine which of the branches is the main establishment within the meaning of the GDPR.
According to Art. 4 No. 16 lit. a) GDPR, the place of the head office of a company in the EU is considered to be its main establishment, unless the decisions regarding the purposes and means of the processing activity of personal data are taken in another establishment of the controller in the EU and this establishment is authorised to have these decisions implemented. In such a case, the branch that makes such decisions is considered the main establishment.
In this regard, the EDPB emphasises in its opinion on the concept of main establishment that the head office of a company in the EU can only be regarded as the main establishment if the decisions regarding the purposes and means of the processing activity are actually taken there. In addition, it must also be authorised to implement those decisions. This means that the parent company, for example, cannot automatically be considered the main establishment; rather, it must also be checked whether the decisions regarding the processing activities are actually taken there. If they are not taken at the head office, the head office cannot be regarded as the main establishment.
What happens if there is no principal place of business in the EU?
The EDPB has also commented on the scenario in which the decisions regarding the purposes and means of processing activities are not taken in the EU at all. According to the EDPB, in such a case there is no main establishment within the meaning of the GDPR in the EU.
Accordingly, the one-stop-shop procedure does not apply. Instead, the general rule applies, under which each supervisory authority is authorised to monitor compliance with the GDPR in its own member state.
Practical implications for companies
It is up to each company to determine which of its branches in the EU is its main establishment. Companies are well advised to deal with this at an early stage – and not just in the event of an inspection – as this allows them to better manage their compliance efforts.
Objective criteria must be used for this assessment, as the GDPR does not allow forum shopping, i.e. a company freely choosing its supervisory authority.
If a company wishes to demonstrate to the supervisory authority which of its branches is to be regarded as its main establishment, it can, according to the EDPB opinion, refer to its documentation, in particular the records of processing activities and its internal data protection policies. This makes it clear once again that companies should fulfil their documentation obligations under the GDPR by creating and regularly maintaining their data protection documents.