Guidelines of the European Data Protection Board on the territorial scope of the GDPR

Categories: DLP Insights, Practice | Tags: GDPR, EDPB

09 Jan 2019

On 16 November 2018, the European Data Protection Board (“EDPB”) – the EU body that replaced the former WP29, is in charge of the consistent application of Regulation 2016/679/EU (“GDPR” or “Regulation”), and consists of the head of each national data protection authority and of the European Data Protection Authority – adopted draft guidelines (no. 3/2018) (the “Project”) on the territorial application of the GDPR.

It is a very detailed and substantial document, full of examples, currently available only in English.

Legislative references

The EDPB first of all provides important clarifications with regard to the provisions referred to in Articles 3, 27 and 28 and Recital 80 of the GDPR.

According to Article 3 of the Regulation, the processing of personal data – carried out over the course of the activities of an establishment – by a Data Controller or a Data Protection Officer in the European Union falls within the scope of the Regulation, whether or not that processing is carried out within the European Union.

The applicability of the Regulation is also established upon occurrence of the processing of personal data of the interested parties located in the EU – carried out by a Data Controller or a Data Protection Officer not located in the European territory – if the processing activities concern (i) the provision of goods or services to the aforementioned interested parties located in the EU, independently of the obligation to pay of the interested party, or (ii) the monitoring of their conduct, to the extent that such conduct takes place within the EU.

Finally, pursuant to Article 3, the GDPR applies whenever the processing of personal data is carried out by a Data Controller not established in the EU but in a place governed by the law of a Member State by virtue of public international law.

Articles 27 and 28 as well as Recital 80 of the Regulation define the relationship between the Data Controller, the Data Protection Officer and, specifically, the representative of these two parties, in cases where they are not “established” in the EU.

Applicable criteria and related examples

The three main criteria detailed in the document under analysis are those set out in the three paragraphs of the aforementioned Article 3 of the GDPR: (i) the establishment criterion, (ii) the targeting criterion (the offering of goods or services to, or the monitoring of, data subjects in the EU) and (iii) the public international law criterion. For each of these criteria, a few clarifying examples proposed by the EDPB are reported below.

1. Establishment

An automotive manufacturing company based in the USA would fall within the application of the GDPR if it had a branch in an EU state to supervise certain operations (such as marketing) for the whole of Europe. This would be the case if – taking into account the nature of the business activity carried out by the US “parent company” – such transactions could be considered as real and effective activities, qualifying the branch as an actual establishment.

Similarly, the processing activity carried out (exclusively in China) by a Chinese company, which sells goods or services worldwide through an e-commerce site, would fall within the scope of application if it had an office in the EU in charge of implementing “commercial exploration campaigns” and marketing towards the European markets. In this case, beyond the actual place of the data processing, the company’s European headquarters would carry out activities inextricably linked to the processing of data carried out in China.

The GDPR would not be applicable to a hotel chain offering packages in several European languages via a website, if it operates without any permanent representation in the EU and if the offer is not expressly addressed to EU citizens.

On the other hand, the Regulation would apply to the processing of the data of a European car rental company which, while offering rental services only to clients present in non-EU countries, processes the data at its (single) European headquarters.

Finally, the example of a (European) Data Protection Officer which signed an agreement, in accordance with Art. 28 of the GDPR, with a Data Controller established in a non-EU country, in order to process, on behalf of the latter, the data of all its clients residing outside the EU, is of particular interest. In this case, the GDPR would not apply to the Data Controller, but instead the processing carried out by the Data Protection Officer established in the EU would fall within the scope of application.

2. Identification of objectives/targeting

With reference to this second criterion, the following examples are particularly clarifying.

If a US citizen travels on holiday to Europe and, while there, downloads and uses an app offered by a US company, the GDPR would not apply, since only the US market is concerned (the US market being the actual commercial target).

It should be noted that the processing of data of EU citizens in a third country does not trigger the application of the GDPR if such processing is not related to a specific offer addressed to individuals residing in the EU, or to the monitoring of their conduct within the EU.

Similarly, the Regulation would not be applicable:

– in the case of a Taiwanese bank with clients residing in Taiwan, even though they all hold the citizenship of an EU country, since the service is offered to a non-European market; and

– to the processing of data of European citizens by, for example, the Canadian immigration authority, if the processing is limited to the purpose of issuing visas.

Finally, let’s consider a website, based and managed in Turkey, which offers services for the creation, publishing, printing and shipping of personalised family photo albums. The website is available in English, French, Dutch and German; payments can be made in Euros or British Pounds; and photo albums can only be delivered by mail in the UK, France, the Benelux countries and Germany. In this case, it is clear that the processing carried out by the Turkish website, as the Data Controller, concerns the provision of a service to “interested parties” established in the EU, and it is therefore subject to the obligations and provisions of the GDPR. The Turkish Data Controller is obligated to appoint a “European representative” in accordance with Article 27 of the Regulation.

3. Public international law

Finally, it is worth mentioning two particularly illustrative situations described by the EDPB, concerning the case in which the GDPR applies to processing that takes place in a geographically non-European country to which EU law nonetheless applies under public international law.

This is the case of the Dutch Consulate in Jamaica, which opens an e-recruitment selection process for local staff. In this case, by virtue of international law, the GDPR will apply.

The Regulation will also apply to a German vessel on which the personal data of the guests on board are processed in order to offer an entertainment service that is profiled and well adapted to the individual needs of the users.

Conclusions

This measure could have a significant impact on the activities of companies and institutions that increasingly operate on a global and transnational level, using technological tools such as websites and e-commerce, or applications and software for smartphones.

Precisely for this reason, it is subject to public consultation before its final approval. Until 18 January 2019 it will be possible to submit comments directly to the dedicated e-mail address (EDPB@edpb.europa.eu). All that remains now is to await the outcome of the consultation.
