The GDPR turns two – Territorial scope
In this first post of our series on key opinions and guidelines issued by the European Data Protection Board (EDPB) on the application of the GDPR, we focus on the territorial scope of the GDPR, as set out in Article 3(1) and 3(2).
A key change introduced under the GDPR is that it extends the reach of EU data protection law as compared to the previous regime under the EU Data Protection Directive. In this respect the GDPR has, to an extent, codified earlier principles on the reach of EU data protection legislation. Nonetheless, it represents a significant shift in the attitude towards, and treatment of, organisations which may have no EU presence but which target or monitor individuals in the EU.
“Article 3 of the GDPR provides that:
- This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
- This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union
- the monitoring of their behaviour as far as their behaviour takes place within the Union
- This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.”
Recognising the need for a consistent interpretation of Article 3 across the EU, the EDPB has issued Guidelines 3/2018 to provide guidance and clarifications on the criteria for determining the application of the GDPR. The purpose of this post is to identify the key points set out in the Guidelines with respect to the territorial scope.
Article 3(1) – Establishment criterion
Key take-aways from the Guidelines under the establishment criterion of Article 3(1) are the following:
- Whether there is an “establishment” is not assessed on a formalistic basis, i.e. based on where the undertaking is registered; rather, the notion of establishment extends to any real and effective activity – even a minimal one – exercised through “stable arrangements”.
- Depending on the circumstances, the threshold for establishment can be quite low – for example in the provision of services online.
- On the flip side, the mere presence of an employee in the EU is not as such sufficient to trigger the application of the GDPR, since for the processing in question to fall within the scope of the GDPR, it must also be carried out in the context of the activities of the EU-based employee.
- The existence of a relationship between a controller and a processor does not necessarily trigger the application of the GDPR to both, should one of these two entities not be established “in the Union”. In particular:
- A non-EU processor appointed by an EU controller will not be deemed to have an establishment in the EU purely as a result of its appointment by such controller.
- Equally, a “non-EU” controller which is not otherwise caught by GDPR will not become subject to the GDPR simply because it chooses to use a processor in the Union.
- Conversely, processing activity by a controller which otherwise falls within the scope of GDPR will not fall outside the scope of the GDPR simply because the controller instructs a processor not established in the EU to carry out that processing on its behalf.
- The EDPB notes that, as a matter of practical compliance with the GDPR, controllers subject to the GDPR which appoint non-EU processors not otherwise caught by the GDPR may need to consider imposing on such processors, by contract, certain obligations of the GDPR. Non-EU processors will therefore become indirectly subject to some GDPR obligations by virtue of contractual arrangements, in particular under Article 28. This is without prejudice to further measures required to address the requirements on international transfers.
- A processor which is subject to the GDPR still needs to comply with the provisions of Article 28, irrespective of the fact that its appointing controller may not be caught by the GDPR.
Article 3(2) – Targeting criterion
Key take-aways from the Guidelines under the targeting criterion of Article 3(2) are the following:
- The fact of processing personal data of an individual in the EU alone is not sufficient to trigger the application of the GDPR to processing activities of a controller or processor not established in the EU under Article 3(2). The element of "targeting" individuals in the EU, either by offering goods or services to them or by monitoring their behaviour (as further clarified below), must always be present in addition.
- The Guidelines recognise that a controller or processor may be subject to the GDPR in relation to some of its processing activities but not subject to the GDPR in relation to other processing activities.
- Article 3(2) is aimed at activities that intentionally, rather than inadvertently or incidentally, target individuals in the EU.
- The processing of personal data of EU citizens or residents that takes place in a third country does not trigger the application of the GDPR, as long as the processing is not related to a specific offer directed at individuals in the EU or to a monitoring of their behaviour in the EU.
- The EDPB considers that, where processing activities by a controller relate to the offering of goods or services or to the monitoring of individuals’ behaviour in the EU (“targeting”), any processor instructed to carry out that processing activity on behalf of the controller will fall within the scope of the GDPR by virtue of Article 3(2) in respect of that processing (see in particular examples 19 to 21 in the Guidelines).
- The EDPB confirms that in the absence of an establishment in the EU, a controller or processor cannot benefit from the one-stop shop mechanism provided for in Article 56 of the GDPR.
- Specifically in relation to the targeting criterion by an offering of goods and services under Article 3(2)(a):
- The application of the targeting criterion is not limited by the citizenship, residence or other type of legal status of the data subject whose personal data are being processed.
- The Guidelines refer to the concept of “directing an activity” under the Brussels I Regulation. While the EDPB recognises that the notion of “directing an activity” under that regulation differs from the “offering of goods or services”, it also considers that the relevant case law may be of assistance when assessing whether goods or services are offered to a data subject in the EU, and sets out certain indicative factors which could contribute to that assessment.
- Specifically in relation to the targeting criterion by the monitoring of data subjects’ behaviour under Article 3(2)(b):
- The EDPB recognises that Article 3(2)(b) does not expressly refer to an intention to monitor. However, the Guidelines clarify that the use of the word “monitoring” implies that the controller has a specific purpose in mind, and state that the EDPB does not consider that any online collection or analysis of personal data of individuals in the EU would automatically count as “monitoring”.
- The EDPB notes that Recital 24 of the GDPR refers to monitoring in the context of tracking a person on the internet. However, it takes the view that tracking through other types of networks or technology involving personal data processing, for example through wearable and other smart devices, should also be taken into account in determining whether a processing activity amounts to behavioural monitoring.
The Guidelines can be found here.