Further to the series of publications regarding the changes introduced by the GDPR, in this publication we will introduce to you the territorial scope of the GDPR.
The territorial scope of the GDPR is a key factor of importance for achieving compliance with the data protection requirements since nowadays many services are delivered globally and online. Especially, companies outside the EU are in the need to determine whether they are directly subject to the strict requirements of the GDPR. To help companies, in the late 2018 the WP29’s successor, the European Data Protection Board (EDPB) published, Guidelines on the territorial scope of the GDPR.
This article aims to summarize and clarify the criteria as well to provide some useful insights and guidelines on the territorial scope of the GDPR.
The territorial scope of the GDPR is determined by its Article 3 as the norm contains three basic criteria.
Establishment in the EU
The first criterion for determining the applicability of the territorial scope of the GDPR is the establishment of controller or processor in the Union (Article 3 (1)).
According to the GDPR, ‘establishment’ implies the effective and real exercise of activity through stable arrangements. The form of the arrangements, for example, whether the activity is being carried out through a branch or a subsidiary, is not relevant.
The CJEU in its practice ruled that the notion of establishment extends to any real and effective activity exercised through stable arrangements. In fact, even the presence of one single employee or agent of the non-EU entity may be enough to constitute a stable arrangement if that employee or agent acts with a sufficient degree of stability.
Circumstances that the non-EU entity does not have a branch or subsidiary in a Member State do not preclude it to be considered as having an establishment there within the meaning of the GDPR. This means that when a company with headquarters in the US has a branch, a sales office or when just performing activities for revenue raising in the EU, it could be considered as to have stable arrangements thus establishment in the EU and the GDPR to be applicable on its activities.
Article 3 draws also the attention that the criterion for establishment in EU should be evaluated on both the controller as well as the processor. The EDPB takes the view that when it comes to the identification of the different obligations triggered by the applicability of the GDPR, the personal data processing activities by each legal subject be it controller or processor should be seen as a separate topic.
For example. where a controller established in the EU mandates a processor located outside the EU, the non-EU processor will not be considered as having an establishment in the EU just because the controller in an EU entity. In such case, the GDPR will not directly be applicable to the non-EU processor. Only the EU-controller will be required to comply with all the GDPR requirements applicable to controllers (the ‘GDPR controller obligations’). One of those obligations is, namely, to ensure by contract or other legal act that also the non-EU processor will process the data in accordance with the GDPR.
On the contrary, a non-EU controller cannot be considered as having an establishment in the EU just because it uses a processor established in the EU. In the latter case, the GDPR would be applicable only to the EU-processor, and, only it will be required to comply with the GDPR requirements applicable to processors (the ‘GDPR processor obligations). These are, for example, for the EU-processor to implement appropriate technical and organizational measures in accordance with the GDPR, to notify the controller without undue delay after becoming aware of a personal data breach, or to designate a data protection officer.
Targeting persons EU
The second criterion is the so-called ‘targeting’ of persons in the EU (Article 3 (2)). The GDPR defines the targeting criterion in the ‘offering of goods or services irrespective of whether a payment is required to data subjects in the EU’, and in the ‘monitoring of their behavior as far as their behavior takes place within the EU’.
This largely focuses on the question whether the activities of an entity are addressed/targeted at users in the EU which is to be determined on a case-by-case basis.
The location of the subject data in the territory of the EU is a determining factor for the application of the targeting criterion. The EDPB considers that the nationality or legal status of a data subject cannot limit or restrict the territorial scope of the GDPR. Therefore, also activities addressed at citizens of third-countries who are in the EU may trigger the application of the targeting criterion and lead to applicability of the GDPR on these activities.
In order for companies to determine whether their activities are to be considered as offering of goods or services to data subjects in the EU, the latter should assess all for their business model relevant circumstances such as their intention to offer goods or services in the EU, whether their website, support or maintenance services are being offered in a local language and accept local currency, whether they have appointed a local point of contact for sales and support services etc.
To trigger the application of the second targeting criterion mentioned by the GDPR, namely, the ‚monitoring of behavior‘, the monitoring activity must first relate to a data subject in the EU and the monitored behavior must take place within the territory of the EU. The GDPR and the EDPB mention as few examples for monitoring activities the behavioral advertisement, geo-localization activities, online tracking through the use of cookies or other tracking techniques, personalized diet and health analytics services online, CCTV, market surveys and other behavioral studies based on individual profiles, monitoring or regular reporting on an individual’s health status etc.
It is important to note that the processing of personal data of persons located outside the territory of the EU, be it EU citizens or not, does not trigger the application of the GDPR, as long as the processing is not related to a specific offer directed at individuals in the EU or to a monitoring of their behavior in the EU.
Application of Member State Law by virtue of public international law
The provision of Article 3(3) is expanded upon in Recital 25 which states that where Member State law applies by virtue of public international law, the GDPR should also apply to a controller not established in the EU.
This means GDPR could also apply to personal data processing carried out by EU Member States’ embassies and consulates, or in EU ships in international waters. The fact that a data processing activity is being carried out on an EU-registered cruise ship means that by virtue of public international law the GDPR shall be applicable.
Controllers or processors not established in the Union must appoint a local representative
Finally, please be always advised that a controller or processor not established in the EU but subject to the GDPR is, obliged to designate a representative in the EU in accordance with Article 27 and failing to designate such a representative would consequently be in breach of the Regulation by the respective controller or processor.
The GDPR and EDPB provide some further guidance on the designation process, establishment obligations and responsibilities of the representative in the EU. For example, it is important to know that the representative:
• can be natural or legal person established in the Union;
• should be explicitly designated by a written mandate such as written contract with the controller or the processor to act on its behalf with regard to its obligations under the GDPR such a service contract;
• in general, cannot be at the same time data protection officer (DPO) of the company;
Article 27(2) foresees some exceptions from the mandatory designation of a representative in the Union such as when:
• the processing is occasional, does not include, on a large scale, processing of special categories of data or processing of personal data relating to criminal convictions and offences; or
• the processing is carried out by a public authority or body.
Article 27(3) foresees that the representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behavior is monitored, are.
The EDPB further recommends, that the representative must remain easily accessible for any data subjects in any Member State where the services or goods are being offered or where the behavior is being monitored.
Please be advised that the representative in the Union acts on behalf of the controller or processor it represents with regards to the controller or processor’s obligations under the GDPR. This implies notably the obligations relating to the exercise of data subject rights, and in this regard the identity and contact details of the representative must be included in all information documents of the controller in accordance with the requirements of Article 13 and 14 such as their privacy notices.
The representative should also perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities regarding any action taken to ensure compliance with this Regulation.
The Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) of the European Data Protection Board can be found here.