Main Establishment

Under GDPR, the place in the EU where an organization makes decisions about the purposes and means of processing personal data. For organizations with operations in multiple EU member states, the main establishment determines which supervisory authority serves as the lead authority under the one-stop-shop mechanism. The main establishment is typically where central administration is located and strategic decisions are made, not necessarily the largest office or headquarters. Factors include where senior management sits, where data protection decisions occur, and where effective and real management happens. For processors, the main establishment is where central administration is located. The main establishment concept matters because it determines supervisory authority jurisdiction, where complaints are filed, which authority handles investigations, and compliance coordination. Organizations should assess and document their main establishment, recognize it can change if operations shift, and understand implications for regulatory relationships.