Skip to main content

The country of origin principle: a controller’s establishment wish list

Phil Lee
Data controllers setting up shop in the Europe are typically well aware of the EU’s applicability of law rules under Art. 4 of the Data Protection Directive (95/46).  In particular that, by having an

Data controllers setting up shop in the Europe are typically well aware of the EU’s applicability of law rules under Art. 4 of the Data Protection Directive (95/46).  In particular that, by having an “establishment” in one Member State, they are subject only to the data protection law of that Member State – even when they process personal information about individuals in other Member States.  For example, a controller “established” in the UK is subject only to UK data protection law, even when it processes information about individuals resident in France, Germany, Spain, and elsewhere. 

Referred to as the “establishment” test, this model is particularly common among US online businesses selling into the EU.  Without an EU “establishment”, they risk exposure to each of the EU’s 28 different national data protection laws, with all the chaos that entails.  But with an EU “establishment”, they take the benefit of a single Member State’s law, driving down risk and promoting legal certainty.  This principle was most recently upheld when a German court concluded that Facebook is established in Ireland and therefore not subject to German data protection law.

What does it mean to have a data controlling “establishment” though?  It’s a complex question, and one for which the Article 29 Working Party has published detailed and technical guidance.  In purely practical terms though, there are a number of simple measures that controllers wanting to evidence their establishment in a particular Member State can take:

1.  Register as a data controller.  It may sound obvious, but controllers claiming establishment in a particular Member State should make sure to register with the national data protection authority in that Member State.  Aside from helping to show local establishment, failing to register may be an offence.

2.  Review your external privacy notices.  The business should ensure its privacy policy and other outward-facing privacy notices clearly identify the EU controller and where it is established.  It’s all very well designating a local EU subsidiary as a controller, but if the privacy policy tells a different story this will confuse data subjects and be a red flag to data protection authorities.

3.  Review your internal privacy policies.  A controller should have in place a robust internal policy framework evidencing its controllership and showing its commitment to protect personal data.  It should ensure that its staff are trained on those policies and that appropriate mechanisms exist to monitor and enforce compliance.  Failure to produce appropriate policy documentation will inevitably raise questions in the mind of a national data protection authority about the level of control the local entity has over data processing and compliance. 

4.  Data processing agreements.  It’s perfectly acceptable to outsource processing activities from the designated controller to affiliated group subsidiaries or external vendors, but controllers that do so must make sure to have in place appropriate agreements with their outsourced providers – within those providers are intra-group or external.  It’s vital that, through contractual controls, the designated controller remains in the driving seat about how and why its data is used; it mustn’t simply serve as a ‘rubber stamp’ for data decisions ultimately made by its parent or affiliates.  For example, if EU customer data is hosted on the CRM systems of a UK controller’s US parent, then arm’s length documentation should exist between the UK and US showing that the US processes data only as a processor on behalf of the UK.

5.  Appoint data protection staff.  In some territories, appointing a data protection officer is a mandatory legal requirement for controllers.  Even where it’s not, nominating a local employee to fulfill a data protection officer (or similar) role to oversee local data protection compliance is a sensible measure.  The nominated DPO will fulfill a critical role in reviewing and authorizing data processing policies, systems and activities, thus demonstrating that data decisions are made within the designated controller.  He or she will also provide a consistent and informed interface with the local data protection authority, fostering positive regulatory relationships.

This is not an exhaustive list by any means, but a controller that takes the above practical measures will go a long way towards evidencing “establishment” in its national territory.  This will benefit it not just when corresponding with its own national data protection authority but also when managing enquiries and investigations from overseas data protection authorities, by substantially reducing its exposure to the regimes of those overseas authorities in the first place.

Sign up to our email digest

Click to subscribe or manage your email preferences.