Under the GDPR, the main establishment of a controller or processor is the place of its central administration in the European Union, or alternatively the location where decisions about the purposes and means of processing are made and implemented. This concept is crucial for the one-stop-shop mechanism, as it determines which data protection authority serves as the lead supervisory authority for cross-border processing activities.
Correctly identifying the main establishment has significant practical implications for multinational organisations. It determines where complaints are initially handled, which authority leads investigations, and which national procedural rules apply. Organisations must be able to demonstrate where effective decision-making about data processing takes place, which may differ from their corporate headquarters.