From the list of issues, we have derived sixteen “core concepts”, which can provide solutions via high-level principles and rules.

Ideally, these concepts should be abstract enough to capture many problems, with a simple rule or principle that can be included in various provisions throughout the new Regulation.

When developing these principles, we have actively considered existing mechanisms in EU law, such as instruments in procedural rules, which seem to have many common features with GDPR procedures.

Concept 3: Improved and upfront clarification of jurisdictionand SA roles

The provisions of Article 4(22), 4(23), 55 and 56 GDPR have many factual and legal elements that need to be checked before the jurisdiction of a SA is clear. If this is done in detail, it can take years. If it is not done in detail, it allows for final decisions to be challenged on the grounds of the SA lacking jurisdiction.

Compared to other EU procedural laws (e.g. Brussels I Regulation) many elements of the GDPR require  deeper investigation. Examples of these elements include the objectively defined “main establishment”, the “center of decision making”, or the standard of “substantially affects or is likely to substantially affect data subjects in more than one Member State”. Lengthy consideration of many factors, such as the number of national and EU customers, is required in order to make a determination.

The objective approach removes the option to rely on mere declarations of parties. Rather vague terminology and aggressive forum shopping leads to unstable jurisdictions.

The objective approach also does not allow parties to simply agree on jurisdiction (even if some SAs try to get such commitments). This often leads to years of discussions over jurisdiction or disagreements between SAs and/or parties and conflicting decisions (cases are often “sent aboard” and the receiving SA does not treat them under Article 60 GDPR). In practice, controllers use this situation to ensure that no one challenges “forum shopping”, as the material claim of a complainant is blocked for years once a complainant brings up possible “forum shopping”.

An additional problem lies in long procedures and frequent changes in the structure of controllers (e.g. via mergers and acquisitions) and/or claims of controllers that decision-making was moved to another jurisdiction. The current view of the EDPB is that a change in the main establishment means that the LSA changes – which would mean that the entire procedure would have to “move” to another Member State and start anew. In many procedural laws, the jurisdiction is “locked” at an early stage to ensure that procedures do not get frustrated when parties move, merge, or otherwise try to disappear. While changing the system of an objective definition of the main establishment does not seem desirable, there should be a simple and fast European procedure to determine jurisdiction upfront. This could be achieved in a similar manner to the Brussels Regulations (with a clear sequence of claims of jurisdictions and decisions over such claims). There should be short deadlines to raise objections, leading to legal certainty even if factual details were not determined by the SAs. Even an “incorrect” SA could thereby act with legal certainty, as the duration for objections would have simply lapsed. This could avoid controllers “fleeing” the jurisdiction towards the end of an unfavorable procedure.


  • Minor interference with national procedural law.
  • Quick decision on jurisdictions and roles of a procedure, that cannot be changed thereafter.
  • Increased legal certainty and stable procedures.


  • Need to add a specific step in the procedure for the clarification of jurisdictions.
  • Changes in facts or false jurisdictional decisions can lead to the “wrong” SA deciding as LSA. This may lead to issues during the enforcement stage. However, these can be overcome via cross‑country enforcement options so that the LSA in Member State A can still enforce the final decision in Member State B.