EDPB Opinion 04/2024: What Really Counts as a “Main Establishment” Under the GDPR? 2025

The GDPR’s one-stop-shop mechanism is often described as one of the regulation’s biggest advantages for organizations operating across Europe. Instead of dealing with 27 different data protection authorities, a company can interact primarily with a single lead authority, provided it has a genuine “main establishment” in the EU. Yet that requirement has caused regular confusion, and in some cases deliberate stretching of the rules. The EDPB’s Opinion 04/2024 aims to resolve those ambiguities and make clear that a main establishment must be rooted in reality, not convenience.

Under the GDPR, the main establishment of a controller is generally the place where the company’s central administration in the EU is located, or where key decisions about the purposes and means of processing are actually made. Opinion 04/2024 reinforces that this must be the true center of data-related decision-making. An EU office can only qualify if it genuinely determines processing activities and has the authority to implement those decisions. A nominal office, a mailbox entity, or a subsidiary with no real influence does not count. If all decisive power sits outside the EU, perhaps in a US headquarters, then the company simply does not have an EU main establishment within the meaning of the GDPR, and the one-stop-shop mechanism does not apply. In that case, multiple national DPAs may become involved, each for their own territory. This is especially notable because some multinationals have tried to designate entities in countries such as Ireland or Luxembourg as their main establishment to benefit from a single regulator, even though the real strategic decisions were taken elsewhere. The EDPB now states unambiguously that such arrangements will not stand unless supported by facts.

Another key point in the Opinion is that the burden of proof lies with the organization. If a company wants an EU office to be considered its main establishment, it must be able to demonstrate that this office has genuine decision-making authority over data processing. This may involve providing internal governance documents, records of processing activities, organizational charts, meeting minutes, or privacy policies that clearly show where decisions are made and implemented. Supervisory authorities will not simply accept declarations at face value. They can scrutinize evidence, request supporting materials, and challenge a company’s claim if the reality appears inconsistent. Moreover, European DPAs will collaborate to assess a company’s structure and reach a common understanding of which authority, if any, should act as the lead. The objective is to prevent forum shopping and to ensure that the one-stop-shop mechanism operates as intended, with the correct authority overseeing cross-border cases.

For privacy professionals, and for anyone preparing for the CIPP/E exam, the takeaway is straightforward: a main establishment is the place where real control over data processing lies. If a company has several EU offices, the one that truly directs processing decisions is the main establishment. If none of the EU offices have such authority because the power sits outside the EU, then there is no main establishment for GDPR purposes and the one-stop-shop regime cannot apply. Opinion 04/2024 does not change the definition in GDPR Article 4, but it brings practical clarity to ensure it is not misused.

Ultimately, the EDPB’s message is simple: an EU main establishment must be more than an address on paper. It must function as a genuine command center for decisions about personal data. Organizations should therefore ensure their governance structures reflect reality, and be prepared to demonstrate where privacy leadership truly sits.
