Main Establishment Determination (EDPB Opinion 04/2024)
The Main Establishment Determination, as addressed in EDPB Opinion 04/2024, is a critical concept under the GDPR's one-stop-shop mechanism, which ensures that organizations operating across multiple EU/EEA member states deal primarily with a single lead supervisory authority (LSA). The EDPB (European Data Protection Board) issued Opinion 04/2024 to provide further clarity on how the main establishment of a data controller or processor should be identified, as this determination directly impacts which Data Protection Authority (DPA) takes the lead in cross-border processing cases. Under Article 4(16) of the GDPR, the main establishment for a controller is defined as the place of its central administration in the EU, unless decisions about the purposes and means of processing are made at another establishment — in which case, that other establishment is considered the main establishment. For processors, it is the place of central administration or, if there is none, the establishment where the main processing activities occur. EDPB Opinion 04/2024 elaborates on criteria for making this determination, emphasizing that the assessment must be based on factual circumstances rather than mere corporate declarations. Organizations cannot simply designate a main establishment for convenience; they must demonstrate that genuine decision-making authority regarding data processing resides at the claimed location. The Opinion highlights factors such as where strategic decisions about processing are made, where senior management with data processing authority is located, and where processing activities are effectively directed.
This determination carries significant practical implications for accountability and compliance. It affects which supervisory authority leads investigations, handles complaints, and coordinates enforcement actions. Companies must carefully document and justify their main establishment claims, as incorrect determinations can lead to jurisdictional disputes and compliance failures. The Opinion reinforces the importance of transparency and genuine organizational structure in determining supervisory authority jurisdiction, ensuring the one-stop-shop mechanism functions effectively while maintaining robust data protection oversight across the EU/EEA.
Main Establishment Determination (EDPB Opinion 04/2024) – A Comprehensive Guide
Why Is Main Establishment Determination Important?
The concept of main establishment is one of the cornerstones of the GDPR's enforcement architecture. It directly determines which supervisory authority acts as the Lead Supervisory Authority (LSA) under the one-stop-shop mechanism (Article 56 GDPR). If the main establishment is incorrectly identified, the entire cooperative enforcement process can be derailed — leading to jurisdictional disputes, delayed investigations, and potential legal challenges to enforcement decisions. For organisations operating across multiple EU/EEA Member States, correctly determining the main establishment is critical for legal certainty, efficient regulatory engagement, and compliance strategy.
The European Data Protection Board (EDPB) Opinion 04/2024 was issued to provide further clarity and guidance on how to determine the main establishment, building on the foundational criteria in the GDPR and earlier EDPB (formerly Article 29 Working Party) guidelines. This opinion addresses practical difficulties that had arisen in real-world enforcement, particularly where corporate structures are complex or where decision-making about data processing is distributed across several locations.
What Is Main Establishment?
Under Article 4(16) GDPR, main establishment is defined differently depending on whether the entity is a controller or a processor:
For a Controller:
The main establishment is the place of its central administration in the EU/EEA, unless the decisions on the purposes and means of processing are taken in another establishment — in which case, that establishment is the main establishment.
For a Processor:
The main establishment is the place of its central administration in the EU/EEA, or, if it has no central administration in the EU/EEA, the establishment where the main processing activities take place.
The key principle is that the main establishment should reflect where effective and real decision-making power regarding data processing activities resides — not merely where the registered office or headquarters is located on paper.
EDPB Opinion 04/2024: Key Clarifications
The EDPB Opinion 04/2024 refined the analysis in several important ways:
1. Substance Over Form
The EDPB reinforced that the determination must be based on a factual assessment of where decisions about the purposes and means of processing are actually made. A company cannot simply designate a main establishment for convenience; the designation must correspond to operational reality. Corporate declarations or self-designations are relevant but not dispositive — supervisory authorities will look behind them to verify the actual decision-making structure.
2. The Role of Central Administration
Central administration serves as a rebuttable presumption or starting point. If a controller has its central administration (e.g., EU headquarters) in one Member State, this is presumed to be the main establishment unless evidence shows that decisions on purposes and means are taken elsewhere. The EDPB stressed that supervisory authorities should examine organisational charts, reporting lines, board meeting locations, the role of Data Protection Officers, and where senior management with authority over processing decisions is based.
3. Decisions on Purposes and Means
The Opinion clarified what counts as decisions on purposes and means of processing. This includes strategic decisions such as:
- Why personal data is being processed (the purpose)
- What categories of data are collected
- Who the data is shared with
- How long data is retained
- What technical and organisational measures are adopted
Routine operational decisions (e.g., day-to-day IT maintenance) do not determine the main establishment. The focus is on high-level, strategic decision-making.
4. Cross-Border Processing
The concept of main establishment only matters in the context of cross-border processing (Article 4(23) GDPR). If processing takes place in the context of activities of establishments in more than one Member State, or if processing in a single establishment substantially affects data subjects in more than one Member State, the one-stop-shop mechanism and the main establishment concept are engaged.
5. Multiple Processing Activities
The EDPB acknowledged that a controller may carry out several distinct processing activities, and the decision-making for each may be located in different establishments. In such cases, there may be different lead supervisory authorities for different processing activities. The main establishment is determined per processing activity or per set of closely related processing activities, not necessarily for the organisation as a whole.
6. Evidence and Documentation
The EDPB encouraged controllers and processors to maintain clear documentation evidencing where decisions about processing are made. This includes internal policies, data protection impact assessments, records of processing activities (Article 30 GDPR), and the organisational placement of the DPO. Supervisory authorities may request such documentation when assessing main establishment claims.
7. Non-EU Entities With Multiple EU Establishments
For controllers or processors headquartered outside the EU/EEA but with multiple establishments within the EU/EEA, the analysis focuses on which EU/EEA establishment exercises effective decision-making power over the relevant processing activities. The mere appointment of an EU representative under Article 27 GDPR does not create a main establishment.
How Does Main Establishment Determination Work in Practice?
Step-by-step, the determination process typically works as follows:
Step 1: Identify whether the entity has one or more establishments in the EU/EEA. An establishment requires a stable arrangement through which activity is effectively exercised (even a single employee can suffice, per CJEU case law in Weltimmo).
Step 2: If there is only one EU/EEA establishment, that establishment is the main establishment by default for purposes of the one-stop-shop mechanism.
Step 3: If there are multiple EU/EEA establishments, identify where the central administration is located. This creates a starting presumption.
Step 4: Assess whether decisions on the purposes and means of the specific processing activity under scrutiny are made at the central administration or at a different establishment. Look at real decision-making power, not formal designations alone.
Step 5: If decisions are made at a different establishment, that establishment is the main establishment for that processing activity.
Step 6: The supervisory authority of the Member State where the main establishment is located becomes the Lead Supervisory Authority (LSA) for that cross-border processing activity under Articles 56 and 60 GDPR.
Step 7: Other concerned supervisory authorities become Concerned Supervisory Authorities (CSAs) and participate in the cooperation and consistency mechanisms.
Practical Example:
A global technology company has its EU headquarters (central administration) in Dublin, Ireland. However, decisions about a specific marketing data processing activity — including the purpose of profiling and the categories of personal data used — are made by a team based in Berlin, Germany. Under EDPB Opinion 04/2024, the main establishment for that particular processing activity would be Berlin, making the German supervisory authority (BfDI or the relevant Landesdatenschutzbeauftragte) the Lead Supervisory Authority for that activity, even though Dublin remains the central administration for the company overall.
Common Pitfalls and Misconceptions
- Pitfall 1: Assuming the registered office is always the main establishment. It is not — substance over form applies.
- Pitfall 2: Believing a controller can freely choose its main establishment for strategic reasons (forum shopping). The EDPB has been clear that the determination must reflect reality.
- Pitfall 3: Confusing the location of data storage or servers with the main establishment. Where data is physically stored is generally irrelevant to this determination.
- Pitfall 4: Assuming there is always one single main establishment for all of an organisation's processing activities. Different activities may have different main establishments.
- Pitfall 5: Conflating the role of an EU representative (Article 27) with having a main establishment. A representative does not constitute an establishment.
Exam Tips: Answering Questions on Main Establishment Determination (EDPB Opinion 04/2024)
Tip 1: Start With the Legal Definition
Always begin your answer by citing Article 4(16) GDPR and distinguishing between the definition for controllers and processors. This shows the examiner you know the foundational legal text.
Tip 2: Emphasise Substance Over Form
A top-scoring answer will stress that main establishment is determined by where decisions on purposes and means are actually made, not by formal corporate designations. Reference the EDPB's emphasis on factual assessment in Opinion 04/2024.
Tip 3: Link to the One-Stop-Shop Mechanism
Explain why main establishment matters — it determines the Lead Supervisory Authority under Articles 56 and 60 GDPR. This demonstrates you understand the broader enforcement context.
Tip 4: Distinguish Central Administration From Decision-Making Location
If the exam question involves a scenario where the headquarters is in one country but processing decisions are made in another, clearly explain the rebuttal of the central administration presumption. This is a classic exam scenario.
Tip 5: Address Per-Activity Determination
If the scenario involves multiple processing activities, note that the main establishment may differ for each activity. This is a nuanced point from EDPB Opinion 04/2024 that can earn extra marks.
Tip 6: Reference Key Criteria
When analysing a scenario, consider and mention these factors: location of senior management making processing decisions, where the DPO is based, organisational reporting lines, where data protection policies are drafted and approved, and where DPIAs are conducted.
Tip 7: Watch for Non-EU Headquartered Entities
If the scenario involves a company headquartered outside the EU with multiple EU establishments, note that the analysis focuses on which EU establishment holds decision-making power. Also clarify that an Article 27 representative alone does not create a main establishment.
Tip 8: Use the Correct Terminology
Use terms like Lead Supervisory Authority, Concerned Supervisory Authority, one-stop-shop mechanism, cross-border processing, and central administration precisely. Sloppy terminology loses marks in CIPP/E exams.
Tip 9: Cite Relevant Sources
Where possible, reference: Article 4(16) GDPR (definition), Article 4(23) GDPR (cross-border processing), Articles 56 and 60 GDPR (LSA and cooperation), EDPB Opinion 04/2024, earlier Article 29 Working Party Guidelines on Lead Supervisory Authority (WP244 rev.01), and the CJEU Weltimmo decision on the concept of establishment.
Tip 10: Structure Your Answer Logically
For scenario-based questions, follow a structured approach: (1) identify the establishments, (2) identify the central administration, (3) assess where decisions on purposes and means are made, (4) determine the main establishment, (5) identify the LSA, and (6) note any complications or alternative analyses. A structured answer demonstrates analytical rigour and is much easier for examiners to award marks to.
Tip 11: Be Prepared for Ambiguity
Some exam scenarios are deliberately ambiguous. In such cases, present both possible interpretations, explain the factors supporting each, and conclude with the more likely determination based on the EDPB's guidance. Showing you can reason through uncertainty is a hallmark of a strong candidate.
Summary
Main establishment determination is a critical concept linking corporate structure to regulatory jurisdiction under the GDPR. EDPB Opinion 04/2024 reinforces that this determination must be grounded in factual reality — focusing on where strategic decisions about data processing purposes and means are genuinely made. Understanding this concept thoroughly, and being able to apply it to complex scenarios, is essential for both CIPP/E exam success and real-world data protection practice.