What is an Establishment?
An establishment is a place of business for an organization in the EU. If an establishment is located within the European Union, the GDPR applies to it. The legal form of business arrangement does not matter. The important question is, “Does the business engage in the effective and real exercise of activity through stable arrangements?”
If a controller organization has more than one place of business, then their main establishment, for the purpose of the GDPR and determination of their lead supervisory authority, is where decisions on the purposes and means of the processing of personal data are taken, or the place of central administration in the EU. The presence or absence of data processing or technical means and technologies for processing are not determinative of the main establishment.
Cross-border processing’ means either processing of personal data which takes place in the context of the activities of establishments in more than one Member State or processing of personal data in a single establishment of a controller or processor but which substantially affects data subjects in more than one Member State.
See GDPR, Article 4, and Recitals 22, 23, and 36