EU: Processing by Local Establishment
The "processing by local establishment" factor is used to determine the applicability of the EU General Data Protection Regulation (GDPR) to data processing activities. This factor extends the GDPR's scope to processing activities carried out in the context of an EU establishment, regardless of where the actual processing takes place.
Text of relevant provision
GDPR Article 3(1) states:
"This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."
Analysis of provisions
The key elements of Article 3(1) are:
- "Processing of personal data" - This refers to any operation performed on personal data, such as collection, storage, use, or disclosure.
- "In the context of the activities of an establishment" - This phrase is crucial as it extends the GDPR's applicability beyond just processing that occurs within the EU. The processing must be linked to the activities of the EU establishment, but the processing itself can occur anywhere in the world.
- "Establishment of a controller or processor in the Union" - An establishment implies "the effective and real exercise of activity through stable arrangements" as clarified in Recital 22. The legal form of the arrangement is not the determining factor.
- "Regardless of whether the processing takes place in the Union or not" - This explicitly confirms that the location of processing is irrelevant if it's connected to an EU establishment's activities.
The European Data Protection Board (EDPB) guidelines further clarify that this provision should be interpreted broadly to ensure effective and complete protection of data subjects' rights. The EDPB recommends a case-by-case analysis to determine whether processing is carried out in the context of an EU establishment.
Implications
This factor significantly extends the GDPR's reach to non-EU companies that have some form of establishment in the EU. Key implications include:
- Global applicability: A company with an EU office could be subject to GDPR for its worldwide data processing activities if they are linked to that office's activities.
- Broad interpretation of "establishment": Even a single employee or agent in the EU could potentially trigger GDPR applicability if they act with sufficient stability.
- Focus on context, not location: The physical location of data processing becomes less important than its connection to EU activities.
- Case-by-case assessment: Companies must carefully evaluate their EU presence and how it relates to their data processing activities.
Examples:
- A US company with a sales office in the EU that processes customer data globally could be fully subject to GDPR.
- A non-EU online retailer with no physical presence in the EU would not fall under GDPR based on this factor alone (though other factors might still apply).
This factor ensures that companies cannot avoid GDPR obligations simply by moving their data processing outside the EU while maintaining business activities within the Union.