The topic of Opinion 04/2024, issued by the European Data Protection Board (EDPB) on February 13, 2024, is the notion of a data controller’s main establishment in the Union under Article 4(16)(a) of the GDPR.
It was the French supervisory authority (CNIL) that requested the opinion from the EDPB; in fact, Article 64(2) of the GDPR provides for the possibility of requesting an opinion from the EDPB by a supervisory authority when it considers a matter of general application or having effect in more than one Member State.
Before issuing the opinion, the EDPB checked the admissibility of the request, ascertaining that:
- it related to the application of the notion of the main establishment of the controller under Article 4(16)(a) of the GDPR
- the request had important consequences for the practical application of the one-stop-shop mechanism; and
- the EDPB itself had not yet ruled on the matter.
The EDPB also confirmed that the request was reasoned and demonstrated the need for consistent interpretation of the provision among supervisory authorities.
Why is the establishment called “main”?
The notion of “main establishment” is defined in the GDPR in Article 4(16), distinguishing between the two hypotheses of:
- main establishment of the controller [Art. 4(16)(a)]
- main establishment of the processor [Art. 4(16)(b)].
The establishment is called a ” main” establishment because it covers the case where a controller or processor has establishments in more than one member state, so it is necessary to identify the ” main” one to which the lead supervisory authority corresponds, i.e., the supervisory authority that has jurisdiction in the member state where the main establishment is located.