In its February plenary, the European Data Protection Board (EDPB) adopted an Opinion on the concept of main establishments and the criteria for the application of the One-Stop-Shop mechanism. The opinion was issued in response to a request by the French Data Protection Authority (DPA) under Article 64(2) of the EU General Data Protection Regulation (GDPR) and specifically clarifies whether the concept of a controller's main establishment in the EU applies in cases where decisions about processing are made outside of the EU.
The EDPB Opinion states that a controller's "place of central administration" in the EU can be only considered a main establishment under Article 4(16)(a) of the GDPR if it has the power to make decisions on the purposes and means of processing personal data and can implement those decisions. Consequently, the One-Stop-Shop mechanism can only apply if one of the controller's establishments in the EU makes decisions about the purposes and means of processing and has the power to implement those decisions. The opinion is part of the EDPB's effort to enhance cooperation among DPAs in cross-border enforcement.
What is this page?
You are reading a summary article on the Privacy Newsfeed, a free resource for DPOs and other professionals with privacy or data protection responsibilities helping them stay informed of industry news all in one place. The information here is a brief snippet relating to a single piece of original content or several articles about a common topic or thread. The main contributor is listed in the top left-hand corner, just beneath the article title.
The Privacy Newsfeed monitors over 300 global publications, of which more than 5,750 summary articles have been posted to the online archive dating back to the beginning of 2020. A weekly roundup is available by email every Friday.