Evaluating GDPR Exposure: The Establishment Test
The GDPR may apply to U.S. organizations that are deemed to have an establishment in an EU Member State. Neither the GDPR nor authoritative interpretations by courts precisely defines what constitutes an “establishment.” Instead, organizations must conduct a fact-based analysis to determine what, if any, business activity is being conducted in EU Member States.
Article 3(1) of the GDPR
The GDPR “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the [EU], regardless of whether the processing takes place in the [EU] or not.” Article 3(1), GDPR.
The term “establishment” is not defined in the GDPR, but we can glean some insight into how to apply this term from Recital 22(2)-(3), which state:
2Establishment implies the effective and real exercise of activity through stable arrangements. 3The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect. (emphasis added)
The recitals reflect the fact that the term “establishment” can be used broadly and flexibly, and is not constrained by legal formalities, such as whether a company is formally registered in the EU or maintains a subsidiary or branch office in the EU. Instead, the GDPR suggests that this is a fact-intensive test to determine the existence of “effective and real exercise of activity through stable arrangements.”
Authoritative Interpretations of the Establishment Test
The language in this recital is drawn from Recital 19 of Directive 95/46/EC (the “Directive”), which used the concept of “establishment” to determine when EU Member State’s national data protection laws would apply. Accordingly, authoritative interpretations of the term in that context provide additional guidance on how to apply this word in practice.
EU Subsidiaries and Sales Offices
First, in the landmark 2014 Google Spain SL, Google Inc. v. AEPD, Mario Costeja Gonzalez (C-131/12) case, the CJEU found that an EU-based subsidiary with a sales office would be sufficient to bring a non-EU parent organization’s processing activities within the scope of EU data protection laws because the parent organization’s processing would be inextricably linked to the sales activities of the EU office. This case demonstrated that EU courts and regulatory agencies are not reluctant to pursue non-EU parent companies with subsidiaries in the EU.
Fact-Bases Analyses and the Minimal Establishment
Second, in the 2015 Weltimmo v. NAIH (C-230/14) case, the Court of Justice of the European Union (“CJEU”) used a flexible fact-based test to determine the existence of an establishment in Hungary. Specifically, the CJEU found that Weltimmo, a Slovakian company, could be found to have an establishment in Hungary if the supervisory authority could confirm the following tentative facts:
- (1) Weltimmo maintained a website targeting Hungarian prospective customers in the Hungarian language;
- (2) Weltimmo retained a representative in Hungary to represent them in court and collect debt from customers;
- (3) Weltimmo maintained a post office box in Hungary; and
- (4) Weltimmo maintained a Hungarian bank account.
The CJEU held that these facts, if confirmed, would demonstrate an establishment, i.e., that a “controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity — even a minimal one — in the context of which [data] processing is carried out.” Weltimmo, Ruling 1. Notably, here the Slovakian company had no subsidiary, sales office, or brick-and-mortar location in Hungary. The Weltimmo ruling showed that EU courts are willing to employ fact-based analyses and find establishments even where the EU-based activity is minimal.
Standards for Evaluating Possible EU “Establishments”
Organizations can use the GDPR definition, recitals, and guidance from authoritative interpretations of the Directive to piece together an “establishment” test like the one below:
- (1) Is the organization registered in an EU Member State?
- (2) Does the organization have a subsidiary in the EU Member State?
- If so, does the organization process data in the context of the activities of its subsidiary?
- (3) Does the organization maintain other “stable arrangements” with local agents in the EU Member State, such as:
- Other contracted agents that act on behalf of the organization?
- Customer service agents?
- Postal Offices?
- Local sales offices or agents?
- Legal representatives?
- Financial institutions?
If, based on the answers to these questions, it seems that your organization may have an establishment – even a minimal one – in an EU Member State, then your organization may be subject to the GDPR. If it appears that there is no establishment in place, then your organization still should evaluate whether it meets the EU Customer Test.
If you have any questions regarding GDPR compliance, please feel free to contact Oliver Krischik at (202) 342-5266 or okrischik@gkglaw.com.