PRIVACY - Privacy Management > Appendix: GDPR in Details > Territorial Scope > Establishment Principle in the Directive
Establishment Principle in the Directive
Directive 95/46/EC establishes in Article 4 what is the applicable national law by using the so-called "establishment principle"1:
an established company (ie, carrying out activities with a permanent establishment) in one country of the European Union observes the rules on the protection of personal data of the State in which it is established (even if it processes data of individuals of nationalities different from its own);
a company established in the territory of several EU countries must take the necessary measures to ensure compliance with the obligations imposed by applicable national law on each of these establishments.
Establishment in Different States 
If a Controller has establishments in more than one Member State, it must ensure that each of them meets the requirements of applicable national law, in accordance with the "territoriality principle". This means that the principle of attraction of the entire data protection chain to the law of the State where the data controller is based, ceases to have effect when a permanent establishment is located in another EU Member State. In fact, on the basis of this principle of territoriality, if an Italian company or "foreign company" has establishments with head offices on the territory of several EU Member States, each of them - for the processing operations related to it (that is to say, within the scope of the activities carried out) - must be subject to the national law of the referenced State. With regard to electronic commerce, Directive 2000/31/EC recital (19) specifies that «in cases where a provider has several places of establishment it is important to determine from which place of establishment the service concerned is provided; in cases where it is difficult to determine from which of several places of establishment a given service is provided, this is the place where the provider has the centre of his activities relating to this particular service.».
Company Chain 
The territorial criterion is confirmed by Recital (18) of Directive 95/46/EC which applies the national law of the Controller established in a Member State also to the processing activities carried out by entities acting under the direct authority of the Controller (eg Processor), wherever these operations are actually realized. In view of this, if the "foreign company" assumes the role of data controller and is subject to the national law of a Member State of the Community, any support activities carried out by a legal entity established in another Member State will be subject to the law of that Community State, presumably according to the instructions given by the same Controller - foreign company.
Reference 
1. Recital (19) of Directive 95/46 states: «establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements; whereas the legal form of such an establishment, whether simply branch or a subsidiary with a legal personality, is not the determining factor in this respect; whereas, when a single controller is established on the territory of several Member States, particularly by means of subsidiaries, he must ensure, in order to avoid any circumvention of national rules, that each of the establishments fulfils the obligations imposed by the national law applicable to its activities»