Representing Main Establishment and Lead SA as a concept #93

Closed
coolharsh55 opened this issue May 4, 2023 · 4 comments
Labels
concepts add/edit concepts in DPV vocabs review Review and close/update issue

@coolharsh55
Collaborator

coolharsh55 commented May 4, 2023

How to represent Main Establishment, Lead Supervisory Authority, and Concerned Supervisory Authority in the context of GDPR?

@coolharsh55 coolharsh55 added concepts add/edit concepts in DPV vocabs help-wanted Assistance in performing tasks for this issue labels May 4, 2023
@coolharsh55
Collaborator Author

Is "main establishment" a GDPR-only concept? In any case, GDPR has a specific definition of "main establishment" as defined in Art.4-16, which necessitates representing it within DPV-GDPR. The role of "main establishment" can be on a case-by-case basis. Two properties are needed to specify main establishments:

  1. Establishment with hasEstablishment - to specify an establishment (no assertion is needed for being non-main)
  2. MainEstablishment with hasMainEstablishment - to specify the main establishment

Similarly, GDPR also has specific roles for authorities (e.g. see Art.60), which are expanded from dpv:hasAuthority, and which are also defined on a case-by-case basis:

  1. LeadSupervisoryAuthority with hasLeadSA to specify which is the lead supervisory authority
  2. ConcernedSupervisoryAuthority with hasConcernedSA to specify another concerned supervisory authority
  3. LocalSupervisoryAuthority with hasLocalSA to specify the local supervisory authority within some context e.g. jurisdiction of operation (source: Guidelines on the Lead Supervisory Authority (wp244rev.01) https://ec.europa.eu/newsroom/article29/items/611235/en)

@coolharsh55 coolharsh55 changed the title Representing Main Establishment as a concept Representing Main Establishment and Lead SA as a concept Aug 1, 2023
@coolharsh55 coolharsh55 added this to the DPV v1.1 milestone Aug 1, 2023
@coolharsh55
Collaborator Author

coolharsh55 commented Aug 3, 2023

From Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), it is clear that establishment is distinct and broader than subsidiary - and is an EU concept (Directive 95/46/EC Recital 19) as it can include a branch or a local office rather than require a subsidiary:

While the notion of “main establishment” is defined in Article 4(16), the GDPR does not provide a definition of “establishment” for the purpose of Article 3. However, Recital 22 clarifies that an “[e]stablishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.”

Further from the same guidelines:

The fact that the non-EU entity responsible for the data processing does not have a branch or subsidiary in a Member State does not preclude it from having an establishment there within the meaning of EU data protection law.

GDPR Article 4-16a defines main establishments for controllers as:

the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;

And GDPR Recital 124 specifies the use of main establishment to decide the role of lead supervisory authority:

Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union and the controller or processor is established in more than one Member State, or where processing taking place in the context of the activities of a single establishment of a controller or processor in the Union substantially affects or is likely to substantially affect data subjects in more than one Member State, the supervisory authority for the main establishment of the controller or processor or for the single establishment of the controller or processor should act as lead authority.

The concept SingleEstablishment should not be necessary as it refers to a single establishment, which should itself (directly) be associated using the Controller or Processor. Only when there are multiple establishments does the question of "main" establishment arise. A single establishment without being a controller, e.g. a branch, is not possible as it will always be associated with a company. If there are multiple branches in different jurisdictions, there will be a "main establishment".

From this, I suggest we model concepts as follows:

  1. In DPV, have Company with subtypes SubsidiaryCompany and ParentCompany which are related using hasSubsidiary and isSubsidiaryOf.
  2. In DPV-GDPR, have subtype of Entity as Establishment which is related using hasEstablishment to indicate the establishments of an organisation and their locations or jurisdictions.
  3. In DPV-GDPR, a subtype MainEstablishment of Establishment, which is associated using hasMainEstablishment e.g. within a PersonalDataHandling instance, and its inverse relation isMainEstablishmentFor to link the company to specific processing or services.

@ghurlbot

Comment by @coolharsh55 via IRC channel #dpvcg on irc.w3.org

  • this was discussed in today's meeting and agreed to be added to GDPR.

@ghurlbot

Comment by @coolharsh55 via IRC channel #dpvcg on irc.w3.org

concepts have been accepted in today's meeting and will be added to DPV-GDPR

@coolharsh55 coolharsh55 modified the milestones: DPV v1.1, dpv v2 Apr 13, 2024
@coolharsh55 coolharsh55 added review Review and close/update issue and removed help-wanted Assistance in performing tasks for this issue labels Apr 14, 2024