Privacy, the rules that could send big tech into crisis in Europe

A month ago, one of the latest opinions adopted by the European Data Protection Board (EDPB), on the designation of the main establishment, went unnoticed. When processing personal data, any company liaises with the Privacy Guarantor of the State in which it has its main establishment. Where a company is present in multiple states with its products and services, the legislator offered the option of the "one-stop-shop" mechanism (single window) to simplify the procedure and avoid higher compliance costs and longer timescales.

The reference point of the main establishment

Under this mechanism, the company can deal only with the authority of the country where it has its main establishment. On this point, the French guarantor, the CNIL, recently asked the EDPB for clarification on the criteria for identifying this establishment. The letter of the regulation (Art. 4(16) GDPR) says that it is presumed to be the one where the central administration operates on the territory of the Union, «unless decisions on the purposes and means of the processing of personal data are adopted in another establishment of the controller in the Union and that the latter establishment has the power to order the execution of such decisions, in which case the establishment which has taken such decisions shall be considered to be the principal establishment».

The interpretation of the EDPB

If, therefore, the establishment is in Paris but the decisions are taken in Stockholm, the Swedish Guarantor will be the company's interlocutor. In any case, it will be up to the company to demonstrate that the decisions are actually taken where the establishment it has indicated as the main one is located. The EDPB justifies this reading of the regulation with the first version of the text proposed by the Commission, which explicitly provided for the possibility of having a main establishment even «if the decisions relating to the purposes, conditions and means of the processing of personal data are not taken in the Union». However, this part was eliminated and not replaced. For the EDPB, therefore, this is the indication that the legislator intended to limit the benefit of the one-stop-shop mechanism to those companies that make decisions on the purposes and means of processing in the Union and have the power to have them implemented.

How the verification process would work

So what is the process to follow for this verification? The local authority will be able to ask the company for information that provides evidence of where the decisions are made. Once its analysis is finished, it will have to share it with its colleagues in the other states where the company operates, to verify that there are no objections; in the event of a conflict, the EDPB can be asked to rule. This analysis must be carried out for the specific processing that is the subject of the investigation. However, and here lies the most interesting and disruptive conclusion, if the evidence presented makes it clear that decisions are taken and enforced not in a different state in the Union but outside the territory of the Union, the one-stop-shop mechanism would not apply, and any national authority would once more become competent for the processing operations that take place on its territory.

Ireland may lose its role for multinationals

This interpretation might create quite a few problems for multinational companies based outside Europe, as it is not always easy to demonstrate that choices on the purposes and means of data processing are made in Europe and not elsewhere. If the authorities are not satisfied with the evidence offered, the multinationals might find themselves facing authorities other than the Irish one, which has always been the first choice for multinationals and which over the years has often been criticized for not being up to its role as the guarantor responsible for the control of Big Tech. This means a renewed relevance for the Privacy Guarantor in Italy and for the national authorities of the other large EU countries towards large multinationals. It also means a need for greater coordination between the European authorities, an objective that the EDPB has set itself as primary and which is the subject of the proposed regulation under discussion in Brussels on the procedures that involve multiple authorities.

2024-03-19 17:45:55