European Union: Issued EDPB Opinion on the Notion of "Main Establishment of a Controller" under GDPR

On 13 February 2024, the European Data Protection Board (EDPB) issued an opinion on the notion of "main establishment of a controller" under Article 4(16)(a) GDPR and on the criteria for the application of the one-stop-shop mechanism. The opinion was requested by the French Supervisory Authority (FR SA) to clarify the definition of a controller's "place of central administration" in the Union. The EDPB concluded that a controller’s "place of central administration" in the Union can be considered as a main establishment under Article 4(16)(a) GDPR only if it takes the decisions on the purposes and means of the processing of personal data and it has the power to have these decisions implemented. Furthermore, the one-stop-shop mechanism can only apply if there is evidence that one of the establishments in the Union of the controller makes the decisions on the purposes and means for the relevant processing operations.