Published in Golden Data

What is an ‘establishment’ under EU law?


Establishment under EU law

The concept of ‘establishment’ under EU law is embedded in the foundational treaties of the European Union. As stipulated in the Treaty on the Functioning of the European Union and reinforced by the case-law of the European Court of Justice, the freedom of establishment and the freedom to provide services guarantee the mobility of businesses and professionals within the EU.

The right of establishment includes the right of any European to take up and pursue activities as a self-employed person and to set up and manage undertakings, for a permanent activity of a stable and continuous nature, under the same conditions as those laid down by the law of the Member State concerned regarding establishment for its own nationals.

Establishment under EU data protection law

Under EU data protection law, the concept of ‘establishment’ is relevant in two contexts:

(1) The territorial scope of EU data protection law: One of the main criteria for establishing territorial scope is the “establishment” criterion (Article 3(1) of GDPR).

(2) The identification of the lead authority: Where multiple authorities have jurisdiction over the same matter, GDPR establishes a process for identifying which authority should take the role of ‘lead authority’, based on where the ‘main establishment’ of the controller or processor is located.

(1) What is an ‘establishment’ for the purposes of determining territorial applicability of EU data protection law?

Key points:

(1) The concept of ‘establishment’ has been developed through CJEU case law

(2) An establishment exists where there is real and effective activity exercised through stable arrangements.

(3) Because the notion of ‘establishment’ under EU law is broad, the threshold can be quite low. However, the concept of establishment is not without limits.

GDPR does not provide a definition of ‘establishment’, but Recital 22 clarifies that an “[e]stablishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.” This wording is identical to that found in Recital 19 of Directive 95/46/EC, to which reference has been made in several CJEU rulings broadening the interpretation of the term “establishment”, departing from a formalist approach whereby undertakings are established solely in the place where they are registered [1].

The notion of ‘establishment’ extends to any real and effective activity — even a minimal one — exercised through stable arrangements

  • Real and effective activity: A non-EU entity without a branch or subsidiary in a Member State may be an establishment where the entity is acting in a Member State in a ‘real and effective’ manner.
  • Stable arrangement: The degree of stability of the arrangements and the effective exercise of activities must be considered in the light of the specific nature of the economic activities and the provision of services concerned.

The threshold for the existence of an establishment can be quite low (especially when the activities concerned are the provision of services online); however, it is not without limits:

  • In some circumstances, the presence of one single employee or agent of the non-EU entity may be sufficient to constitute a stable arrangement if that employee or agent acts with a sufficient degree of stability.
  • However, it is not possible to conclude that the non-EU entity has an establishment in the Union merely because the undertaking’s website is accessible in the Union.


A car manufacturing company with headquarters in the US has a fully-owned branch and office located in Brussels overseeing all its operations in Europe, including marketing and advertising.
The Belgian branch can be considered to be a stable arrangement, which exercises real and effective activities in light of the nature of the economic activity carried out by the car manufacturing company. As such, the Belgian branch could be considered an establishment in the Union, within the meaning of the GDPR.

(2) What is the ‘main establishment’ for the purposes of determining the competence of the EU supervisory authorities concerned?

EU data protection law defines “main establishment” as follows:

Article 4(16) of GDPR

(16) ‘main establishment’ means:
(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

(see also Recitals 26 and 124)

This definition is mainly relevant for the purpose of determining the competence of the supervisory authorities concerned.

(See Article 56 GDPR. See also Recitals 124, 125, 126, 127, 128 and the WP29 Guidelines for identifying a controller or processor’s lead supervisory authority (16/EN WP 244).)

End notes:

[1] See in particular Google Spain SL, Google Inc. v AEPD, Mario Costeja Gonzalez (C-131/12), Weltimmo v NAIH (C-230/14), Verein fur Konsumenteninformation v Amazon EU (C-191/15) and Wirtschaftsakademie Schleswig-Holstein (C-210/16). See also CJEU, Verein fur Konsumenteninformation v. Amazon EU Sarl, Case C-191/15, 28 July 2016, paragraph 76.

Case law

C-131/12, GOOGLE SPAIN SL V. AEPD (THE DPA) & MARIO COSTEJA GONZALEZ, 13.May.2014 (Concept of ‘establishment’: An ‘establishment’ exists where an organization engages in the effective and real exercise of activity through stable arrangements in an EU Member State. It is not required that the processing be carried out by the establishment itself. The processing of personal data by the not-established controller suffices if it is “carried out in the context of the activities” of the establishment. In this case, the activities of the search engine and those of its establishment in the Member State are inextricably linked, since the activities relating to the advertising space constitute the means of rendering the search engine economically profitable and that engine is the means enabling those activities to be performed.)

C-230/14, WELTIMMO S.R.O. V. NEMZETI ADATVEDELMI ES INFORMACIOSZABADSAG HATOSAG (HUNGARIAN DPA), 1.10.15 (“WELTIMMO”) (Establishment: The concept of establishment must be interpreted broadly. The legal form of such establishment (e.g. branch, subsidiary, etc.) is not the determining factor. The formalist approach whereby organizations are considered to be established solely in the place in which they are registered is not the correct approach. There is a 3-pronged test: (i) Is there an exercise of real and effective activity — even a minimal one? (ii) Is the activity through stable arrangements? and (iii) Is personal data processed in the context of the activity?)





Golden Data Law

Golden Data Law is a mission driven benefit corporation that provides legal services to the not-for-profit community and to governmental agencies.
