Draft EDPB Guidelines on the Territorial Scope of the GDPR (Lydian)
Publication date: 20/12/2018
On 16 November 2018, the European Data Protection Board (EDPB) published its draft Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) (the Guidelines). The Guidelines provide a common interpretation of Article 3 by clarifying the application of the GDPR in various situations. In this e-zine, we summarise the key takeaways of the Guidelines.
Article 3 GDPR sets out two criteria for the territorial application of the GDPR:
- the establishment criterion: the GDPR applies to controllers or processors established in the EU (Article 3(1) GDPR);
- the targeting criterion: the GDPR applies to controllers or processors not established in the EU but who target (by offering goods and services) or monitor data subjects who are in the EU (Article 3(2) GDPR).
In addition, Article 3(3) GDPR confirms the application of the GDPR to processing activities in places where Member State law applies by virtue of public international law.
1. Establishment criterion: Article 3(1) GDPR
To find out whether a company falls within the scope of Article 3(1), a two-step test must be applied:
- First, it should be verified whether the company has an ‘establishment’ in the EU. The notion of ‘establishment’ is defined as any real and effective activity exercised through stable arrangements, irrespective of its legal structure. In some circumstances, the presence of one single employee or agent of the non-EU entity may be sufficient to constitute a stable arrangement (and hence an establishment) if that employee or agent acts with a sufficient degree of stability. The mere fact of having a website accessible in the EU, however, does not suffice.
- Secondly, it should be verified whether the processing is carried out “in the context of the activities of” this establishment. Even if the processing activity is not carried out by the EU establishment, the latter’s activities could be strongly related to the data processing activity, which will therefore be considered to be carried out in the context of the EU establishment’s activities. Whether this condition is met must be determined on a case-by-case basis, based upon the specific factual circumstances.
It should be noted that the GDPR will apply to the establishment of a controller or processor in the EU, “regardless of whether the processing takes place in the Union or not”. In the case of a non-EU controller and an EU processor, there is an obligation to conclude a data processing agreement and the processor in the EU will need to comply with the GDPR obligations imposed on processors while the non-EU controller will not be subject to the GDPR.
2. Targeting criterion: Article 3(2) GDPR
Companies that do not have an establishment in the EU and fall outside the scope of Article 3(1) can still be subject to the GDPR where “the processing activities are related to (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union” (Article 3(2) GDPR). It should be noted that such companies cannot benefit from the one-stop shop mechanism of Article 56 GDPR. Other provisions of the GDPR will however apply to the processing of personal data by such companies.
- “Data subjects who are in the Union” means any person who is physically in the EU at the moment the trigger activity takes place, i.e. at the moment of offering goods or services or at the moment when his/her behaviour is being monitored. Furthermore, it is crucial to assess the element of ‘targeting’ individuals in the EU. Simply processing personal data of persons in the EU does not trigger the application of the GDPR. If the processing of personal data of EU citizens takes place in a third country and is not related to a specific offer directed at individuals in the EU or to a monitoring of their behaviour in the EU, the GDPR will not apply.
- “Where the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union” means that a direct or indirect connection is required between the processing activity and the offering of goods or services.
- “Where the processing activities are related to the monitoring of their behaviour as far as their behaviour takes place within the Union” means that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behaviour within the EU. Not all online collection or analysis of personal data will be considered as monitoring. It is necessary to consider the controller’s purpose in processing the data and any subsequent behavioural analysis or profiling techniques involving that data. Without doubt, some activities such as behavioural advertising, geolocation tracking, tracking through cookies or fingerprinting and monitoring the health status of individuals should be considered monitoring, according to the EDPB.
3. Processing in a place where Member State Law applies by virtue of Public International Law: Article 3(3) GDPR
With this additional criterion of Article 3(3) GDPR, processing carried out by Member States’ embassies and consulates is envisaged by the GDPR.
4. Representatives of controllers or processors established outside the EU
Controllers and processors outside the EU but within the scope of the GDPR are obliged to designate a representative in the EU. The EDPB considers the role of representative to be incompatible with the role of an external Data Protection Officer (DPO). This representative must be able to communicate efficiently with data subjects and cooperate with the supervisory authorities, which involves the ability to speak the language of the authorities or data subjects concerned. The representative can be subject to enforcement actions in the same way as controllers and processors, including administrative fines and penalties, and can be held liable.
The territorial scope is one of the most complex aspects of the GDPR. Therefore, the Guidelines of the EDPB are a helpful instrument to provide a common interpretation of the scope of application. The Guidelines still leave some important questions unanswered. Note, however, that they are only a draft and are open to public consultation until 18 January 2019, after which date a final version will be published.