Processing by Entity Established in the EU under the GDPR

The GDPR uses the concept of "establishment" in the EU as a key factor for determining its territorial scope of application.

Text of Relevant Provisions

GDPR Article 3(1):

"This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."

GDPR Recital 22:

"Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect."

Analysis of Provisions

The GDPR applies to data processing activities that are carried out "in the context of the activities of an establishment" of a controller or processor in the EU. This is a broad concept that goes beyond just entities that are legally incorporated or registered in the EU.The key elements for determining if there is an "establishment" in the EU are:

1. "Effective and real exercise of activity" - There must be actual operations or activities taking place in the EU.
2. "Through stable arrangements" - The presence in the EU must have some degree of stability and permanence.
3. Legal form is not determinative - An establishment can exist regardless of the specific legal structure (e.g. branch, subsidiary, office).

As clarified in Recital 22, the mere legal incorporation in the EU is not sufficient or necessary to constitute an establishment. The GDPR takes a functional approach focused on the actual activities and presence in the EU.The EDPB guidelines provide further clarification that the threshold for "stable arrangements" can be quite low for online service providers. Even a single employee or agent in the EU could potentially constitute an establishment if they act with sufficient stability.

Implications

This broad interpretation of "establishment" means that many non-EU companies may be subject to the GDPR if they have some form of stable presence or activities in the EU, even if not formally incorporated there. Key implications include:

• Companies should carefully assess any operations, employees, or representatives they have in the EU to determine if they constitute an "establishment"
• Having an EU subsidiary or branch will likely qualify as an establishment, making the parent company subject to GDPR for processing related to those EU activities
• Online businesses may be considered established in the EU with minimal physical presence, if they have stable arrangements for offering services to the EU market
• Simply having a website accessible in the EU is not enough to create an establishment
• The establishment criterion applies separately to controllers and processors - a non-EU controller may be subject to GDPR by using an EU-based processor

In summary, the GDPR takes an expansive view of what constitutes an EU establishment in order to bring a wide range of data processing activities under its scope, going well beyond just entities formally registered or incorporated in EU member states.