# 17 The Territorial Scope of GDPR

Further to the series of publications regarding the changes introduced by the GDPR, in this publication we will introduce to you the territorial scope of the GDPR.

The territorial scope of the GDPR is a key factor of importance for achieving compliance with the data protection requirements since nowadays many services are delivered globally and online. Especially, companies outside the EU are in the need to determine whether they are directly subject to the strict requirements of the GDPR. To help companies, in the late 2018 the WP29’s successor, the European Data Protection Board (EDPB) published, Guidelines on the territorial scope of the GDPR.

This article aims to summarize and clarify the criteria as well to provide some useful insights and guidelines on the territorial scope of the GDPR.

The territorial scope of the GDPR is determined by its Article 3 as the norm contains three basic criteria.

Establishment in the EU
The first criterion for determining the applicability of the territorial scope of the GDPR is the establishment of controller or processor in the Union (Article 3 (1)).

According to the GDPR, ‘establishment’ implies the effective and real exercise of activity through stable arrangements. The form of the arrangements, for example, whether the activity is being carried out through a branch or a subsidiary, is not relevant.

The CJEU in its practice ruled that the notion of establishment extends to any real and effective activity exercised through stable arrangements. In fact, even the presence of one single employee or agent of the non-EU entity may be enough to constitute a stable arrangement if that employee or agent acts with a sufficient degree of stability.

Circumstances that the non-EU entity does not have a branch or subsidiary in a Member State do not preclude it to be considered as having an establishment there within the meaning of the GDPR. This means that when a company with headquarters in the US has a branch, a sales office or when just performing activities for revenue raising in the EU, it could be considered as to have stable arrangements thus establishment in the EU and the GDPR to be applicable on its activities.

Article 3 draws also the attention that the criterion for establishment in EU should be evaluated on both the controller as well as the processor. The EDPB takes the view that when it comes to the identification of the different obligations triggered by the applicability of the GDPR, the personal data processing activities by each legal subject be it controller or processor should be seen as a separate topic.

For example. where a controller established in the EU mandates a processor located outside the EU, the non-EU processor will not be considered as having an establishment in the EU just because the controller in an EU entity. In such case, the GDPR will not directly be applicable to the non-EU processor. Only the EU-controller will be required to comply with all the GDPR requirements applicable to controllers (the ‘GDPR controller obligations’). One of those obligations is, namely, to ensure by contract or other legal act that also the non-EU processor will process the data in accordance with the GDPR.

On the contrary, a non-EU controller cannot be considered as having an establishment in the EU just because it uses a processor established in the EU. In the latter case, the GDPR would be applicable only to the EU-processor, and, only it will be required to comply with the GDPR requirements applicable to processors (the ‘GDPR processor obligations). These are, for example, for the EU-processor to implement appropriate technical and organizational measures in accordance with the GDPR, to notify the controller without undue delay after becoming aware of a personal data breach, or to designate a data protection officer.

Targeting persons EU
The second criterion is the so-called ‘targeting’ of persons in the EU (Article 3 (2)). The GDPR defines the targeting criterion in the ‘offering of goods or services irrespective of whether a payment is required to data subjects in the EU’, and in the ‘monitoring of their behavior as far as their behavior takes place within the EU’.

This largely focuses on the question whether the activities of an entity are addressed/targeted at users in the EU which is to be determined on a case-by-case basis.

The location of the subject data in the territory of the EU is a determining factor for the application of the targeting criterion. The EDPB considers that the nationality or legal status of a data subject cannot limit or restrict the territorial scope of the GDPR. Therefore, also activities addressed at citizens of third-countries who are in the EU may trigger the application of the targeting criterion and lead to applicability of the GDPR on these activities.

In order for companies to determine whether their activities are to be considered as offering of goods or services to data subjects in the EU, the latter should assess all for their business model relevant circumstances such as their intention to offer goods or services in the EU, whether their website, support or maintenance services are being offered in a local language and accept local currency, whether they have appointed a local point of contact for sales and support services etc.

To trigger the application of the second targeting criterion mentioned by the GDPR, namely, the ‚monitoring of behavior‘, the monitoring activity must first relate to a data subject in the EU and the monitored behavior must take place within the territory of the EU. The GDPR and the EDPB mention as few examples for monitoring activities the behavioral advertisement, geo-localization activities, online tracking through the use of cookies or other tracking techniques, personalized diet and health analytics services online, CCTV, market surveys and other behavioral studies based on individual profiles, monitoring or regular reporting on an individual’s health status etc.

It is important to note that the processing of personal data of persons located outside the territory of the EU, be it EU citizens or not, does not trigger the application of the GDPR, as long as the processing is not related to a specific offer directed at individuals in the EU or to a monitoring of their behavior in the EU.

Application of Member State Law by virtue of public international law
The provision of Article 3(3) is expanded upon in Recital 25 which states that where Member State law applies by virtue of public international law, the GDPR should also apply to a controller not established in the EU.

This means GDPR could also apply to personal data processing carried out by EU Member States’ embassies and consulates, or in EU ships in international waters. The fact that a data processing activity is being carried out on an EU-registered cruise ship means that by virtue of public international law the GDPR shall be applicable.

Controllers or processors not established in the Union must appoint a local representative
Finally, please be always advised that a controller or processor not established in the EU but subject to the GDPR is, obliged to designate a representative in the EU in accordance with Article 27 and failing to designate such a representative would consequently be in breach of the Regulation by the respective controller or processor.

The GDPR and EDPB provide some further guidance on the designation process, establishment obligations and responsibilities of the representative in the EU. For example, it is important to know that the representative:
• can be natural or legal person established in the Union;
• should be explicitly designated by a written mandate such as written contract with the controller or the processor to act on its behalf with regard to its obligations under the GDPR such a service contract;
• in general, cannot be at the same time data protection officer (DPO) of the company;

Article 27(2) foresees some exceptions from the mandatory designation of a representative in the Union such as when:
• the processing is occasional, does not include, on a large scale, processing of special categories of data or processing of personal data relating to criminal convictions and offences; or
• the processing is carried out by a public authority or body.
Article 27(3) foresees that the representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behavior is monitored, are.

The EDPB further recommends, that the representative must remain easily accessible for any data subjects in any Member State where the services or goods are being offered or where the behavior is being monitored.

Please be advised that the representative in the Union acts on behalf of the controller or processor it represents with regards to the controller or processor’s obligations under the GDPR. This implies notably the obligations relating to the exercise of data subject rights, and in this regard the identity and contact details of the representative must be included in all information documents of the controller in accordance with the requirements of Article 13 and 14 such as their privacy notices.

The representative should also perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities regarding any action taken to ensure compliance with this Regulation.

The Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) of the European Data Protection Board can be found here.

# 15 DOs and DON’Ts under the new Bulgarian data protection law

As of today, February 26, the long-awaited amendments to the Personal Data Protection Act (the “Act/PDPA”) aimed at harmonizing the Bulgarian legislation with the General Data Protection Regulation (GDPR) are already a fact. In addition, the Act brings about certain specific national regulations.

Below you will find a short list of some of the most important requirements introduced by the new Act:

DОs

  • Adopt explicit internal rules in case you carry out any of the following activities or you have implemented any of the following processes within your organisation:
    – You conduct video surveillance;
    – You have restricted the use of the company’s devices, systems or resources (for example, if you have restricted your employees’ access to certain websites);
    – You have implemented a system for reporting violations (the so-called “whistleblowing” systems);
    – You have implemented systems controlling the access, the working hours or the work discipline (card check-in systems, GPS systems for tracking company’s cars and other company’s technical devices);
  • Inform your employees about the adopted internal rules and provide them with access to these documents;
  • Store the personal data collected within recruitment procedures for no more than 6 months. Request the applicant’s consent to store his/her data for a longer period;
  • Appoint a Data Protection Officer (DPO) in case you fall within the definition of a “public authority” in accordance with the Act – a state or local authority, as well as a structure, the main activity of which is related to expenditure of public funds;
  • Provide the names, PIN/PNF and contact details of your DPO (if designated) to the Commission for Personal Data Protection (CPDP);
  • Whenever minors’ personal data (under the age of 14) is processed on the basis of consent, require consent from parent exercising parent’s rights/from guardian. This requirement applies not only to the provision of information society services, but to any form of processing based on consent as well;
  • In cases where personal data of deceased persons is processed, such processing shall only be carried out in case there is a legal ground therefor and by taking appropriate measures so that such processing shall not adversely affect the rights or freedoms of others or any public interest;
  • When processing personal data for the purposes of journalistic, academic, artistic and or literary expression, always try to strike a balance between freedom of expression, right to information and privacy in compliance with the criteria set out in the PDPA.

DON’Ts

  • Do not copy identification documents (ID card, passport, driver’s license) or residence permit (unless you have ensured a legal ground provided for by law);
  • Do not allow free public access to information containing PIN/PNF, unless otherwise provided by law (for example: publication of lists containing personal data);
  • Do not use PIN as passwords as the Act requires the adoption of appropriate technical and organizational measures to prevent the use of PIN/PNF as the only means of user identification when providing remote access to electronic services (e.g. as a password for access to medical test results).

Tailor your practices to the new requirements, bearing in mind that our list is not an exhaustive one and is intended only to familiarize you with the general structure of the amendments adopted.

Keep an eye on our follow up publications where the most important changes will be analyzed in more detail and we will continue to keep you up-to-date in the field of personal data protection!

# 10 The Act for Amendment and Supplement to the Personal Data Protection Act, synchronized with GDPR, is officially submitted before the National Assembly

On 18th of July the Bill for Amendment and Supplement of the Personal Data Protection Act was submitted before the National Assembly (the New Bill). The New Bill aims to introduce measures to implement EU’s General Data Protection Regulation (the Regulation/GDPR) and transpose Directive 2016/680 on the protection of personal data in the police sector (the changes proposed in this section – Chapter 8a of the New Bill – will be the subject of a follow-up analysis on our blog).

As expected, some rules from the initial bill (the Old Bill) – subject to public consultation since 30.04.2018 – have been revised as a result of the consultation(1).

At first glance and without claiming to be exhaustive, we underline here some of the amendments made in the New Bill:

1. The minimum thresholds for fines and pecuniary sanctions have been removed since such were not provided in the Regulation. Fines/ sanctions will be imposed according to the criteria set out in the Regulation;
2. The envisaged fine for other violations remains up to BGN 5 000 where the minimum threshold of BGN 1 000 is abolished;
3. The New Bill provides safeguards in order to balance the protected secrecy (e.g. the lawyer’s secret) with the investigating powers of the Commission for the Protection of Personal Data (CPDP), insofar such secrecy provides an option to serve the controllers/ processors as grounds for refusal or access to it by CPDP in case of an inspection;
4. The CPDP will maintain a non-public internal register of data breaches and the measures undertaken in accordance with the exercise of its remedial powers. However, new public ones are being introduced:
– Register of controllers and personal data processors who have appointed Data protection officers (DPO);
-The proposal to maintain a DPO register is removed due to concerns of an attempt to introduce a disguised registration regime for this position, which is not provided in the Regulation;Register of the accredited certification bodies;
-Conduct codes register;
5. The provisions empowering the CPDP to conduct trainings of DPOs were also removed;
6. The personal data retention period of all job candidates/applicants cannot be more than 6 months (in the Old Bill the term was 3 years) after the end of the procedure of recruitment. This restriction also applies to documents that certify the physical and mental health of the applicant, the necessary qualifications and experience for the position held. Other provisions on the protection of personal data in the context of the employment relationship are also specified (e.g. the disputed permission to request explicit consent from employees to process their personal data, which is not required by the employer or a legal act is also removed);
7. The requirement for controllers/ processors to appoint a DPO if they process the personal data of more than 10,000 individuals has also been removed since this requirement, as set out in the Old Bill, has raised serious objections in the public consultation procedure (mainly due to the uncertainties of how it would be applied in practice);
8. Structures, whose main activity is related to the spending of public funds, will be considered as a public body/ structure. This will affect their duty to appoint a DPO;
9. The New Bill also provides new provisions regarding the processing of personal data for the purposes of archiving in the public interest, scientific and historical research, statistical purposes and journalistic purposes.

The full text of the New Bill could be found in Bulgarian here.

As your trusted partner we will continue to keep you updated about the New Bill legislation process as well as all the new developments in the personal data protection legislation on a national and European level.

(1) See in this sense also the latest newsletter of CPDP from July 2018, URL 

# 3 Dimitrov, Petrov & Co. contributes to the new Data Privacy Advisor service of Thomson Reuters

As a response to the global dynamics in regulations concerning data privacy, the international mass media corporation Thomson Reuters launched a new online service – Data Privacy Advisor. It aims to combine best-in-class content related to data privacy. In addition to providing timely feeds on news and trends in the field and returning answers to data privacy research questions, the service contains ample information on data privacy rules applicable in different countries.

The materials published in the Bulgarian section were prepared by Desislava Krusteva, head of the Privacy Data Protection Practice at Dimitrov, Petrov & Co., CIPP/E, and Gavrail Poterov, also on the team of the law firm. The collaboration of the law firm with Thomson Reuters on this project is on an ongoing basis. The experts at Dimitrov, Petrov & Co. are seeing to the updates in the Bulgaria-related information on the Data Privacy Advisor.

Data Privacy Advisor presentation and service preview are available here: Data Privacy Advisor Overview