The concept of "establishment" involves the actual exercise of activities through a stable organization. Article 4, paragraph 16 provides a precise definition of 'principal establishment' in relation both to the Controller and to the Processor.

In order to have an establishment, the activity in question - in our case the processing operation - must be carried out in the territory of the State. The coincidence of the place of establishment with that of the exercise of the activity is also clearly reflected in Directive 2000/31/EC, which reads as follows: « the place of establishment of a company providing services via an Internet website is not the place at which the technology supporting its website is located or the place at which its website is accessible but the place where it pursues its economic activity;». [see dir. 2000/31, Recital (19)]. The reference to the establishment is factual in nature, in the sense that it «implies the effective and real exercise of activity through stable arrangements» while «The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.»2. This concept was reiterated by Art29WP, which recalled how it should be located at the place where the Controller actually and effectively carries out his activity [see wp56].

Art29WP believes that the requirement of the establishment shall be considered as satisfied if the company has been established for a specified period of time. In the field of data protection, it does not appear that the notion of establishment necessarily presupposes that the requirement of stability is linked to an indefinite period of permanence. The ease and speed of computer and telematic operations can, in fact, enable the carrying out of significant activities in geographically remote areas and for limited periods of time, without the need for special infrastructures or investments at the site of actual processing. In any case, the rights of data subjects would be exposed to potential risks even in such circumstances. Therefore, in the field of data protection, the apparent attenuation of the notion of permanence within the definition of stability may find these justifications.

1. Article 3.1 Regulation 2016/679 which rephrases article 4.1 (a) Dir. 95/46/EC.

2. Recital (22) Regulation 2016/679