CNPD (Portugal) - Deliberação 2024/279

CNPD - Deliberação 2024/279
Authority: CNPD (Portugal)
Jurisdiction: Portugal
Relevant Law: Article 4(16)(a) GDPR
Article 4(23)(b) GDPR
Article 22(4) GDPR
Article 51(1) GDPR
Article 56(1) GDPR
Article 60(1) GDPR
Type: Investigation
Outcome: Other Outcome
Started:
Decided:
Published:
Fine: n/a
Parties: Worldcoin Foundation
National Case Number/Name: Deliberação 2024/279
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Portuguese
English
Original Source: Deliberação 279/2024 (in PT)
DELIBERATION/2024/279 (in EN)
Initial Contributor: APC

A few months after ordering the Worldcoin Foundation to temporarily stop its processing activities in Portugal, the DPA identified the Bavarian DPA in Germany as the Lead Supervisory Authority and forwarded all relevant findings to it.

English Summary

Facts

In its Deliberation 2024/137 of 25 March 2024, the Portuguese DPA (CNPD) issued a temporary ban on the Worldcoin Foundation's (the controller) processing of biometric data within Portuguese territory for a period of 90 days. The CNPD found that the Worldcoin Foundation had infringed Articles 5(1)(a), 7(3), 9(1), 13(2)(c) and 17(1) GDPR in processing high-definition photos of irises, eyes and faces.

Within said 90 days, the CNPD received an administrative challenge from Worldcoin Foundation arguing that it was established in Bavaria, Germany and thus the Bavarian DPA (BayLDA) was the lead supervisory authority in this case.

Holding

The CNPD recognised BayLDA as the lead supervisory authority and declared itself as an interested supervisory authority pursuant to Article 44(22) GDPR.

It noted that the company that launched Worldcoin, Tools for Humanity, was co-founded by researchers from Bavaria and has its only establishment in Erlangen, Bavaria. The controller had been registered with the BayLDA as early as March 2021.

The CNPD accordingly sent all relevant documents and information to BayLDA.

English Machine Translation of the Decision

The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.

DELIBERATION/2024/279

I. REPORT 
1. Under Deliberation/2024/137, of March 25, 2024, the National Data Protection Commission (CNPD) applied an urgent corrective measure to limit processing, in which it ordered the Worldcoin Foundation to refrain, within a maximum period of 24 hours, from collecting iris, eye and face data, within the national territory, for a period of 90 (ninety) days.

2. The CNPD acted to carry out the tasks set out in subparagraphs a), h) and i) of paragraph 1 of article 57 and subparagraph b) of paragraph 1 of article 58 of Regulation (EU) 2016/679, of April 27, 2016 - General Data Protection Regulation (GDPR) -, in conjunction with the provisions of article 3, no. 2 of article 4 and subparagraph b) of no. 1 of article 6, all of Law no. 58/2019, of August 8, which implements the GDPR (GDPR Implementation Law) in the domestic legal order, and under the corrective powers provided for in no. 2 of article 58 of the GDPR.

3. This Commission acted following several reports received and carried out evidentiary inquiries, having established that the WorldCoin Foundation was processing biometric data (images of the iris, eyes and face), on a large scale, for different purposes, notably the creation of a proof of digital identity, called World ID, and that the provision of this biometric data by citizens is an essential condition for receiving a value in cryptocurrency, called Worldcoin (WLD).

4. Notified of the content of Deliberation/2024/137, the Worldcoin Foundation, in accordance with the provisions of articles 184 to 191 of the Code of Administrative Procedure, presented an Administrative Complaint, where it alleged, in short, that: 

a) It has been in dialogue with the control authorities, “in particular, with the Bayerisches Landesamt für Datenschutzaufsicht (“BayLDA”), the control authority of the state of Bavaria, in Germany, which, as will be seen in greater detail below, is the main control authority [Underlined in the original.] with regard to the Worldcoin Project […]”;

b) “the Worldcoin Foundation responded to all requests for information that, since August 2023, were presented to it by the CNPD”;

c) “sent to the CNPD, on April 2, 2024, a set of information about corrective measures that it would apply to the Worldcoin Project”; 

d) “It is also in this spirit of collaboration that the Worldcoin Foundation” brings to the CNPD “some clarifications regarding the facts that supported the CNPD’s decision to temporarily limit the processing of personal data in Portugal”; 

e) It also brings “new facts, resulting from changes introduced in the project”; “[w]hich, it believes, will be relevant for the CNPD to conclude that the measure of temporary limitation of the processing of the aforementioned data proves to be unnecessary and disproportionate” “[s]hould be withdrawn accordingly.”;

f) “intend, with this Complaint, to essentially demonstrate the reasons that make the precautionary measures applied by the CNPD unnecessary - and other measures that, eventually, could be applied in the future -, not intending to focus, at this moment, on the discussion of possible compliance or non-compliance with standards set out in the GDPR.”; 

g) “The Worldcoin Foundation is a non-profit organization, incorporated on 10/31/2022, in the Cayman Islands.”;

h) The Worldcoin Foundation, “[is] an organization that has no owners or shareholders”;

i) “Since the launch date of the Worldcoin Project, on 24.07.2023, the Worldcoin Foundation has assumed the role of controller for personal data processed in relation to World ID”; having “[de]fining the purposes and means of the respective processing activities.”;

j) “TFH is responsible for the processing not only with regard to data processed within the scope of the World App, but also with regard to personal data relating to World ID collected before July 24, 2023, that is, during the beta testing phase.”;

k) “only with the launch of Worldcoin, on 7/24/2023, did such data begin to be collected and processed on behalf of the Worldcoin Foundation and in accordance with its instructions.”;

l) “TFH is responsible for processing personal data relating to the World App and data relating to World ID that have been collected before” [as of July 24, 2023], “[being] a subcontractor of the Worldcoin Foundation only regarding personal data relating to World ID that were collected after the launch of Worldcoin on July 24, 2023.”;

m) “The Worldcoin Foundation acquired, in September 2023, a company based in Bavaria, Germany, more specifically at Henkestraße 91, 91052 Erlangen – ZipCode GmbH ("ZipCode")”;

n) “ZipCode is fully owned by the Worldcoin Foundation, being its subsidiary”;

o) “ZipCode actively participates in data processing operations carried out by the Worldcoin Foundation, acting as one of the parties involved in the use of SMPC encryption”;

p) “With regard to this processing of personal data, ZipCode is a subcontractor of the Worldcoin Foundation”;

q) “the Worldcoin Foundation signed a Data Processing Agreement with ZipCode on 03/14/2024, with a view to regulating the processing of personal data carried out on its behalf within the scope of the services provided”;

r) “The facts set out above are relevant to understand the reason that led the Bavarian State Control Authority - BayLDA - to assume itself as the main control authority, considering ZipCode as the sole establishment of the Worldcoin Foundation in the European Union.”;

s) “the maintenance of the provisional measure adopted through the Deliberation, and until a final decision is adopted, namely within the institutional framework of the role of the various control authorities mentioned at the beginning of this request, prevents [worldcoin] from continuing its activity in Portugal, and it intends[…] to do so, resuming, as quickly as possible, its operation in Portuguese territory, which will now adopt the corrective measures identified above, without prejudice to all availability to continue[…] to collaborate with the CNPD and other control authorities.”

t) “Requests the revocation of deliberation/2024/137, of March 24, 2024, which determined the temporary limitation of the processing of biometric data in the national territory for a period of 90 (ninety) days.”

5. Collected 9 documents.

II. RATIONALE

i. Preliminary question
6. From the elements contained in the file, of interest for the decision, it was found that:

7. On August 11, 2023, following a mandate from the National Data Protection Commission, dated the same day, an inspection was carried out to verify, in the national territory, the processing of personal data carried out by the WorldCoin Foundation, by World Assets, Ltd., by Tools for Humanity Corporation and its affiliates, or by any other company involved in the Worldcoin Project with relevance to the processing of personal data, within the scope of the attributions and powers set out in no. 1 of article 58 of the GDPR and the combined provisions of article 3, no. 2 of article 4 and subparagraph b) of no. 1 of article 6, all of Law no. 58/2019, of August 8.

8. Following this inspection carried out on August 11, 2023, within the scope of Process AVG/2023/1205, on August 23, an email message was sent to the Worldcoin Foundation, through its Regional Growth Manager – Europe, to the address Ricardo.macieira@worldcoin.org, in which the following question came first: “Does the “Worldcoin Foundation” have any establishment in the EU/EEA? If so, send proof of identification, which includes contact details. If not, have you appointed a representative within the meaning of Article 27 of the GDPR? Send proof of identification, including your contact details.”

9. Having evaluated the response received and the documents sent, there is no reference to the existence of the company ZipCode GmbH.

10. On March 6, 2024, a request was received at the CNPD in which information appears indicating that the Bayerisches Landesamt für Datenschutz ("BayLDA") would be the “main data protection authority of the TFH”. 

11. On March 25, 2024, the CNPD adopted Deliberation/2024/137 ordering the “Worldcoin Foundation to, within a maximum period of 24 (twenty-four) hours, proceed with the temporary limitation of the processing of biometric data, regarding the processing operation of collecting data on the iris, eyes and face, in the national territory (Continental Portugal, Autonomous Region of Madeira and Autonomous Region of the Azores), for a period of 90 (ninety) days.” 

12. On April 2, 2024, a communication was received, addressed to the CNPD, sent by Worldcoin's Data Protection Officer, Jannick Preiwisch, via the email address dpo@worldcoin.org, in English. 

13. After a request to send this information in Portuguese, the language of the process, it was sent to the CNPD and its analysis revealed that, in point 5., it is stated that “under the terms of article 56, No. 1 GDPR, in the EU, BayLDA is the main project supervisory authority. The basis for his leadership status seems clear. The initial participating company that launched Worldcoin, Tools for Humanity, was co-founded by a group of former researchers at the Max-Planck Institute in Erlangen, Bavaria. Tools for Humanity, which still provides services to the project, has long had its only EU establishment in Erlangen and was registered with BayLDA as recently as March 2021. When administration of the project passed to the Worldcoin Foundation in mid-2023, the Foundation also hosted its only EU establishment, ZipCode GmbH ("ZipCode"), in Bavaria. ZipCode provides software development services and plays a decisive role in the processing of project personal data. Without the contributions of these EU establishments, both in terms of system design and practical implementation, the project's processing of personal data would not be taking place in its current form.”

14. On April 15, 2024, the “Administrative Complaint” of CNPD Deliberation/2024/137 was presented. 

15. In point 2. of this “Administrative Complaint”, it is stated that there is a main control authority, namely it is argued that the “Bayerisches Landesamt für Datenschutzaufsicht (“BayLDA”), control authority of the state of Bavaria, in Germany, […] is the main supervisory authority [Underlined in original] with regard to the Worldcoin Project pursuant to Article 56(1) GDPR.”

16. In order to give substance to this statement, it is stated in point 29 of the “Administrative Complaint” that “[t]he Worldcoin Foundation acquired, in September 2023, a company based in Bavaria, Germany, more specifically in Henkestraße 91, 91052 Erlangen – ZipCode GmbH ("ZipCode").”

17. In point 38 of the “Administrative Complaint” it is stated that the “Bavarian State Control Authority - BayLDA [assumed itself] as the main control authority, considering ZipCode as the sole establishment of the Worldcoin Foundation in the European Union.”

18. In a request received by the CNPD on April 17, 2024, a translation of a response sent to Bayerisches Landesamt für Datenschutz ("BayLDA") is sent, which states that BayLDA asked “what the role of zipCode GmbH was, the Foundation's subsidiary in Bavaria - in fact, the Foundation's only establishment in the European Economic Area (EEA). In summary, ZipCode has played a central role in designing the Foundation's strategy with respect to World ID capabilities (goals) and in designing the technical system to execute that strategy (means).” “In particular, ZipCode has made an essential contribution to the Orb verification process, including the associated data processing. At a strategic level, ZipCode management was fully involved in all relevant decisions regarding data processing in the context of Orb checks. In recent months, this was especially the case with the design and architecture of the new SMPC configuration, in which ZipCode participated and actively contributed to dedicated research, design and planning sessions. The new system design would not have been adopted if ZipCode had not confirmed that it would be an effective way to achieve the project objectives.” “More specifically, ZipCode's contribution also manifests itself in terms of writing and reviewing the technical specifications that are used in the open-source World ID protocol and the World ID Orb verification engine. These contributions translate into the fact that, this year alone, ZipCode has already registered 134 unique code contributions on GitHub for the Worldcoin infrastructure. Additionally, ZipCode Management participates in several recurring meetings that determine the technology specifications for the Orb verification process [e.g., daily SMPC sync (30 minutes), weekly engineering sync (2 hours), weekly leadership sync (2 hours)]. This shows that the specifications for the technical configuration of the current Orb verification process were developed by the Worldcoin Foundation in such close collaboration with ZipCode that the individual contributions can no longer be separated.” “In short, ZipCode’s activities are inextricably linked to all aspects of the Orb verification system, including the associated processing of personal data. The code used in the unique characteristics services and the World ID test allows Orb verification to be performed, and the processing specifications were developed in close collaboration. It is not an exaggeration to say that the system would be fundamentally different if ZipCode had not been involved in its design.”

19. Further on it is stated that “the Worldcoin Foundation has decided to implement its part of the data processing for the configuration of SMPC through its only establishment in the EEA, ZipCode.” and that “The original and updated versions of the SMPC system were, to a large extent, designed by ZipCode, further highlighting ZipCode’s essential role in determining the means and purposes of data processing.”

20. From the statements above, namely the statement that the Bayerisches Landesamt für Datenschutz (“BayLDA”) would be the “main data protection authority of the TFH”, and the statement that “Tools for Humanity, which still provides services to the project, has long had its only EU establishment in Erlangen and was registered with BayLDA as recently as March 2021. When the administration of the project passed to Worldcoin Foundation, in mid-2023 the Foundation also hosted its only EU establishment, ZipCode GmbH ("ZipCode"), in Bavaria. ZipCode provides software development services and plays a decisive role in the processing of personal data for the project.”, the question arose as to whether there is more than one establishment in Europe, as there are Tools for Humanity GmbH and ZipCode GmbH, as well as whether the role that the company ZipCode GmbH plays is, despite being identified as a “single establishment in the EU”, that of Representative within the meaning of paragraph 17) of Art. 4 of the GDPR.

21. Thus, on May 9, 2024, the CNPD questioned the Worldcoin Foundation to clarify to the CNPD whether ZipCode GmbH acted as a representative of the Worldcoin Foundation, in which case it should attach the “written document designating it, or whether the decisions regarding the purpose and means of the above-mentioned processing are taken by ZipCode GmbH.”

22. On May 14th, a new application was submitted by Worldcoin, in which no reference was made to the capacity in which ZipCode GmbH operated.

23. On May 17th, in response to the request for clarification of ZipCode's role, it is stated by the Worldcoin Foundation that ZipCode does not act as a representative of the Worldcoin Foundation, nor does it determine the purposes and means of processing related to World ID.

24. It is stated, as clarified in the response sent to Bayerisches Landesamt für Datenschutz ("BayLDA"), that the Worldcoin Foundation questioned “what was the role of zipCode GmbH, the Foundation's subsidiary in Bavaria”, where it states that zipCode GmbH is “in fact the Foundation’s only establishment in the European Economic Area (EEA)”.

25. In view of the information collected and based on the analysis carried out, it is necessary, before any other step and as a preliminary question, to assess whether it is permissible, in light of the rules present in the GDPR, to consider ZipCode GmbH as a “single establishment in the EU” and consequently the Bayerisches Landesamt für Datenschutz ("BayLDA"), as “main supervisory authority”.

i) ZipCode GmbH being the “Single Establishment in the EU”
26. From the various responses and requests attached to the case file, it is stated that:

i. Since July 24, 2023, the Worldcoin Foundation has acted as data controller for data processing operations carried out within the scope of the Worldcoin project;

ii. On September 1, 2023, the Worldcoin Foundation acquired the entire share capital of ZipCode GmbH; [See: translation of document no. 1, attached to the application sent to the CNPD on June 11, 2024 (pages 2335 to 2422 of the file).]

iii. ZipCode GmbH is a subsidiary and sole establishment of the Worldcoin Foundation in the European Economic Area (EEA);

iv. ZipCode GmbH plays a central role in designing the Worldcoin Foundation's strategy on World ID capabilities and its technical implementation;

v. ZipCode GmbH made a significant contribution to the Orb verification process; 

vi. At management level, ZipCode GmbH is an integral part of all relevant processing decisions in the context of the Orb verification process;

vii. ZipCode GmbH is also involved, in particular, with regard to the design of the new Secure Multiparty Computation (SMPC) system configuration;

viii. ZipCode GmbH actively participated and contributed to specific system research, design and planning (SMPC) meetings;

ix. The new system design would not have been adopted without the input of ZipCode GmbH, who defined the SMPC system as an effective means of achieving the project objectives;

x. ZipCode GmbH has provided 134 code contributions on Github for the Open Source World ID Protocol and the World ID Orb verification engine, as of April 2024;

xi. The management of ZipCode GmbH participates in recurring meetings regarding the specification of the Orb verification process;

xii. The system would be fundamentally different if ZipCode GmbH had not participated in the project;

xiii. ZipCode GmbH is now also actively involved in data processing by the Worldcoin Foundation as part of the configuration of the SMPC and in this context, ZipCode GmbH acts as a subcontractor on behalf of the Worldcoin Foundation.

27. From the analysis of the process, the evidence and the statements received, it appears, therefore, that the Worldcoin Foundation declared in point 29. of the Administrative Complaint to have acquired ZipCode GmbH in September 2023, stating in point 30 that such company was acquired in its entirety, as is also apparent from statements made in the case at another location, as explained above.

28. In view of the need to verify and prove the alleged facts, as they are essential to this decision, the CNPD decided, on May 29, 2024, to notify the Worldcoin Foundation, through its representative, “to add to the file documentary proof of the following statement made in the text of the Complaint: «The Worldcoin Foundation acquired, in September 2023, a company based in Bavaria, Germany, more specifically in Henkestraße 91, 91052 Erlangen – ZipCode GmbH ("ZipCode")»”.

29. In response to this CNPD deliberation, documentary proof was sent by the Worldcoin Foundation, received on June 11, 2024 via request, namely a certified copy of the notarized certificate of the acquisition of the share capital of the company ZipCode GmbH on September 1, 2023, also adding, in particular, Reg. Doc. 2252/A/2023, signed by Prof. Dr. Axel Adrian, Notary in Nuremberg, with office at Königstraße 21, 90402 Nuremberg, as well as Doc. 2997/A/2023, with the “List of partners”, and its translation into Portuguese (added to the file later), with a liability agreement signed by Susana Mendes, certified translator - from which it follows that the WorldCoin Foundation acquired the company ZipCode GmbH, under the terms described (cf. Documents attached to pages 2335 to 2422 of the file).

30. The same conviction/demonstration also results from the content of the documents sent by its counterpart BayLDA to this Commission, namely the excerpt from the German commercial register referring to ZipCode GmbH, which lists the company WorldCoin Foundation as its sole shareholder, certified by a notary (cf. Documents attached to pages 2238 to 2249 of the records).

31. Given that the company ZipCode GmbH is wholly owned by the Worldcoin Foundation, it is necessary to evaluate the concept of establishment. 

32. Now, the concept of establishment is not expressly defined in the GDPR; despite this, Recital 22, which addresses the term and from which hermeneutical support can be drawn, states that “Any processing of personal data carried out in the context of the activities of an establishment of a controller or a subcontractor located in the Union must be carried out in accordance with this Regulation, regardless of whether the processing itself is carried out in the Union. Establishment presupposes the effective and real exercise of an activity based on a stable installation. The legal form of such an establishment, whether it is a branch or a subsidiary with legal personality, is not a determining factor in this context.”

33. That said, the concept of “establishment” has been understood as the exercise of a real and effective activity, even if minimal, through a stable installation [See Judgment C-230/14, of the CJEU, paragraph 29 et seq.], in the terms that will be better explained in the section below.

34. As best stated in the Judgment of 1 October 2015 — Case C-230/14 of the CJEU [https://eur-lex.europa.eu/legal-content/PT/TXT/PDF/?uri=CELEX:62014CJ0230], referring to the Advocate General's conclusions, it is necessary to take into account the existence of “a flexible conception of the concept of establishment, which rules out any formalistic approach according to which a company can only consider itself established in the place where it is registered. Therefore, to determine whether a company responsible for data processing has an establishment, within the meaning of Directive 95/46, in a Member State other than the Member State or third country in which it is registered, it is necessary to assess both the degree of stability of the installation and the reality of carrying out activities in that other Member State, taking into account the specific nature of the economic activities and services provided in question. This understanding is especially valid for companies dedicated to offering services exclusively on the Internet.”

35. It goes on to argue that “it is, in particular, important to consider, given the objective pursued by this directive, which consists of ensuring effective and complete protection of the right to private life and preventing legislation from being circumvented, that the presence of a single representative may, in certain circumstances, be sufficient to constitute a stable installation if he acts with a sufficient degree of stability through the means necessary to provide the specific services in question in the Member State in question.” and that, “to achieve the aforementioned objective, it is necessary to consider that the concept of “establishment”, within the meaning of Directive 95/46, covers any real and effective activity, even if minimal, carried out through a stable installation.”.

36. Therefore, from the facts that have since been established, which are set out in point 26 et seq. of this document, it is possible to state that ZipCode GmbH presents itself as the – sole – establishment of WorldCoin in the European area, being a company wholly owned by WorldCoin, and dedicates its activity exclusively to the data processing of this controller.

ii) Cross-border processing and the concept of establishment.
37. Cross-border processing under the GDPR refers to the processing of personal data by a controller or a processor that takes place between different countries or regions. This may involve transfer, access, storage or any other operation relating to personal data that crosses geographical borders (cf. Article 4(23) GDPR).

38. This article covers two types of processing operations, both gravitating around the concept of “establishment”: “a) The processing of personal data that takes place in the context of the activities of establishments in more than one Member State of a controller or a processor in the Union, if the controller or processor is established in more than one Member State; or b) The processing of personal data that occurs in the context of the activities of a single establishment of a controller or a subcontractor, but which substantially affects, or is likely to substantially affect, data subjects in more than one Member State;”

39. As mentioned above, this concept is not expressly defined in the GDPR, and it has come to be understood that the concept of “establishment” is fulfilled by the exercise of a real and effective activity, even if minimal, through a stable installation. [See Judgment C-230/14, of the CJEU, paragraph 29 et seq.]

40. This meaning is particularly relevant for the purposes set out in subparagraph b), paragraph 23), of article 4 of the GDPR, referred to above, since, from its reading, it will be clear that we are dealing with cross-border processing, with the effects set out therein, when the processing of personal data occurs in the context of the activities of a single establishment of a controller.

41. Data processing must also be carried out in the context of the activities of that establishment. 

42. Here again, the CJEU considered that even if the European reference establishment does not play a role in the data processing itself, such processing should be considered to be carried out in the context of the activities of the establishment in question when there is an inseparable link between the activities of the establishment and the processing in question [See Judgment of the CJEU C-31/12, Google Spain, paragraph 56 et seq.].

43. Finally, it is also required that the processing substantially affects, or is likely to substantially affect, data subjects in more than one Member State; 

44. Now, it has been demonstrated that there is collection and processing of biometric data by Worldcoin in several States of the European Union, and if this processing is carried out in more than one Member State, this requirement will necessarily be met, to the extent that the processing in question affects data subjects, in a similar way, in more than one Member State where WorldCoin is operating.

iii) The Main Control Authority 
45. Having reached the conclusion that we are dealing with cross-border processing, there is a need to clarify the concept of main supervisory authority. 

46. Now, the identification of a main supervisory authority is only relevant when a controller or subcontractor carries out cross-border processing of personal data, which is the case. Simply put, a “lead supervisory authority” is the authority with primary responsibility for dealing with a cross-border data processing activity and which will coordinate any investigation, involving “interested” authorities.

47. Evaluating what paragraph 16) of article 4 of the GDPR tells us, subparagraph a) refers to a controller with establishments in several Member States, defining “Main Establishment” as “the place where its central administration is located in the Union”.

iv) The Main Establishment and the Single Establishment, of the Data Controller, in the EU 
48. As we are faced with a Data Controller who has only one establishment in the EU/EEA, it is necessary to understand, in conclusion, which regime should be applied. 

49. It is clarified in “Opinion 04/2024” [Accessible at: https://www.edpb.europa.eu/system/files/2024-02/edpb_opinion_202404_mainestablishment_en.pdf] of the European Data Protection Board (EDPB) that this Opinion “only” focuses on the concept of “main establishment” within the meaning of Article 4(16)(a) of the GDPR, which presupposes the existence of several establishments (see in particular paragraph 37).

50. In other words, Opinion 4/2024 of the EDPB only focuses on the analysis of subparagraph a) of paragraph 16) of article 4 of the GDPR; that is, it argues that, where a controller has more than one establishment in the EU/EEA and decisions about purposes and means, as well as the power to implement these decisions, are exercised outside the Union, there should not be a main establishment under the terms of subparagraph a) of paragraph 16) of article 4 of the GDPR, and the one-stop shop mechanism should not apply. The Opinion itself further clarifies, however, that this does not prejudice other cases in which the one-stop shop mechanism can be applied, as happens when there is a single establishment of a controller in the Union [See footnote no. 30 of Opinion 4/2024, of the EDPB, mentioned above.].

51. This understanding has already been supported by the CJEU in the case Wirtschaftsakademie Schleswig-Holstein, as well as in the cases known as Google vs. Spain and Facebook, which clarified the differences between having and not having an establishment within the Union; this was the case with what was then the Facebook group (today the Meta group), which has its European headquarters in Ireland.

52. Furthermore, the GDPR, in Recital 124, tells us that “When the processing of personal data occurs in the context of the activities of an establishment of a controller or a subcontractor in the Union and the controller or subcontractor is established in several Member States, or where processing in the context of the activities of a single establishment of a controller or a processor in the Union affects or is likely to substantially affect data subjects in several Member States, the supervisory authority of the main establishment or sole establishment of the controller or processor should act as the main supervisory authority. (our emphasis)”, from which it is clear that the GDPR itself understands and clarifies that there is a main control authority whenever there is a main establishment (when there is more than one establishment in the Union) or when there is a single establishment of the controller, as is the case in question.

53. Furthermore, this appears to be the dominant position in the doctrine [See Opinion 4/2024 of the EDPB and the “Guidelines for identifying a controller or processor's lead supervisory authority”, available at https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-identifying-controller-or-processors-lead_pt] in the interpretation of paragraph 1 of article 56 of the GDPR, where this provision states that: “(…) the supervisory authority of the main establishment or sole establishment of the controller or subcontractor is competent to act as the main supervisory authority for cross-border processing carried out by that controller or subcontractor pursuant to article 60”.

54. In conclusion, since we are not in the presence of a “main establishment” within the meaning of subparagraph a) of paragraph 16) of article 4 of the GDPR, but rather a single establishment, and for all that has been said, it can only be concluded that, in these cases where there is a single establishment in the Union, there is room for the application of the one-stop shop mechanism and, consequently, the main supervisory authority is located where the sole establishment of the controller in the Union is based, even if data is collected and processed in more than one State of the Union.

v) BayLDA’s competence 
55. Given this reality, which was only invoked and made known to this Commission at a later stage than that which determined and substantiated Deliberation/2024/137, and having concluded, from the analysis of the evidence collected in the meantime, that ZipCode GmbH has its headquarters in Erlangen, Germany, and is the only establishment in the EU of the Worldcoin Foundation, and that, even though there are no other establishments in the European Union, the one-stop shop mechanism is applicable, it is understood that from the conjunction of paragraph 1 of article 51 and article 56.1 of the GDPR it follows that the Bayerisches Landesamt für Datenschutz ("BayLDA") is the “main supervisory authority”.

56. Taking this conclusion into account, the assessment of the remaining allegations is impaired. 

III. DECISION 

57. In view of the above, the CNPD decides: 
a) Recognize that we are facing an incident of jurisdiction and, consequently, identify Bayerisches Landesamt für Datenschutz ("BayLDA") as the “Principal Control Authority” for the processing of personal data and biometric data on behalf of the Worldcoin Foundation;

b) Declare the CNPD as an Interested Control Authority, within the meaning of paragraph 22) of article 4 of the GDPR; 

c) Decide, under the final part of paragraph 1 of article 60 of the GDPR, to send all relevant documents and information to the Main Control Authority. 

Approved at the meeting on July 9, 2024
Paula Meira Lourenço (President)