European Union: The European Data Protection Board Issues Guidelines On GDPR's Territorial Scope

Last Updated: December 12 2018
Article by Ann Bevitt, David Navetta, Kristopher Kleiner and Kathryn Linsky

The European Data Protection Board ("EDPB" or the "Board") recently released new draft Guidelines 3/2018 on the territorial scope of the European Union's ("EU") General Data Protection Regulation ("GDPR") (the "Guidelines"). The Guidelines are intended to provide a common interpretation of Article 3 of the GDPR, and provide further clarification on the application of the GDPR–particularly where the data controller or processor is established outside of the EU. The EDPB has published this first version of the Guidelines to allow for public consultation about its contents until January 18, 2019, at which time the EDPB will issue a final version incorporating any changes or amendments made on the basis of comments received from stakeholders. The Guidelines are intended to assist both relevant data protection authorities and businesses by providing a common interpretation on the scope of application of the GDPR. We've broken them down and highlighted some of the key insights from the Board.

One of the biggest changes in the GDPR (as compared to the EU's Data Protection Directive (EU 95/46/EC), which it replaces) is its jurisdictional scope. Article 3 defines the territorial scope of the GDPR, explaining that the GDPR applies on the basis of three criteria:

  1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

  2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

  3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Although the Guidelines provide analysis on Articles 3(1), 3(2) and 3(3) of the GDPR, as well as additional clarification about the requirement for controllers and processors not established in the EU to appoint a representative, of primary relevance to most businesses are the discussion and examples relating to the "establishment" criterion, as set forth in Article 3(1), and the "targeting" criterion as set forth in Article 3(2). We have outlined the key information presented in the Guidelines below.

Key Issues Addressed by the Guidance

Article 3(1): The Establishment Criterion

The first criterion for falling within the scope of the GDPR is where a controller or processor processes personal data "in the context of the activities of an establishment . . . in the Union." The EDPB recommends a threefold approach to determining whether an organization is subject to the GDPR under Article 3(1):

    • Consideration 1: "An establishment in the Union"
    • Consideration 2: Processing of personal data carried out "in the context of the activities of" an establishment
    • Consideration 3: Application of the GDPR to the establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union or not.

Each of these considerations is addressed in further detail below.

    • Consideration 1: "An establishment in the Union"

The Guidelines point out that although the GDPR does not expressly define the term "establishment" for the purpose of Article 3, Recital 22 states that an "[e]stablishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect."

The Guidelines explain that when determining whether an "establishment" exists, "both the degree of stability of the arrangements and the effective exercise of activities in that Member State must be considered in the light of the specific nature of the economic activities and the provision of services concerned." They further state that the threshold for having an establishment is a low one, and depending on the particular circumstances may be satisfied even where an entity has just a single employee or agent in the EU. According to the Guidance, an establishment may exist even in the absence of a branch or subsidiary in the EU. On the other hand, and highly relevant for many U.S. organizations, the Guidelines explicitly state that the mere fact that a non-EU entity maintains a website accessible from the EU alone is not sufficient to create an establishment.

Unfortunately, the Guidelines do not provide much greater insight into which factors are considered in determining whether the "degree of stability" or "exercise of activities" creates an establishment. They include only a single, fairly straightforward example of a US automobile manufacturing company that has a fully owned branch office located in the EU that oversees European operations, and assert that this constitutes a sufficiently stable arrangement, exercising real and effective activities, so as to create an establishment. The Guidelines further reference several Court of Justice of the European Union cases, including Google Spain SL, Google Inc. v AEPD, Mario Costeja González (C-131/12), Weltimmo v NAIH (C-230/14), Verein für Konsumenteninformation v Amazon EU Sàrl (C-191/15) and Wirtschaftsakademie Schleswig-Holstein (C-210/16); however, no tangible additional criteria are provided.

    • Consideration 2: Processing of personal data carried out "in the context of the activities of" an establishment

Article 3(1) makes clear that the applicability of the GDPR depends not on the location where the processing takes place, but rather on whether the processing is carried out "in the context of the activities" of the entity's EU establishment. This determination is largely fact-driven, and the Guidelines confirm that some commercial activity led by a non-EU entity within a Member State may be so far removed from the processing of personal data by this entity that the commercial activity in the EU would not be sufficient to bring that data processing within the scope of the GDPR.

Thus, to assess this factor, the Guidelines suggest that the analysis focus on identifying potential links between the activity for which the personal data is being processed, and the activities of the entity's EU establishment. If the processing is linked to activity of the EU establishment, then the analysis should turn to the nature of any links identified between the processing and the EU establishment. The Guidelines further state that revenue raising within the EU may also be a factor in the analysis of this consideration.

    • Consideration 3: Application of the GDPR to the establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union or not

The final consideration merely reiterates the Board's view that the location of the processing is not relevant in the assessment of the GDPR's applicability under Article 3(1). The Guidelines make clear that the GDPR may apply even where processing activities take place wholly outside the EU (e.g., an EU-based controller who outsources data processing to a processor located outside of the EU) and even where the personal data being processed belongs to data subjects located outside of the EU.

Article 3(2): The Targeting Criterion

The next criterion for falling within the scope is whether the processing of personal data is "related to: (a) the offering of goods or services . . . to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union." The EDPB recommends a twofold approach to determining whether an organization is subject to the GDPR under Article 3(2):

    • Consideration 1: Data subjects in the Union
    • Consideration 2a: Offering of goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the Union
    • Consideration 2b: Monitoring of data subjects' behavior

Each of these considerations is addressed in further detail below.

    • Consideration 1: Data subjects in the Union

The Guidelines make clear that under this first consideration related to Article 3(2), for the GDPR to apply data subjects must be located in the EU; however, this does not require that data subjects be EU citizens, residents, or have other specific legal status. Location is assessed at the moment the relevant trigger activity takes place, i.e., the moment the goods or services are offered or the data subject is monitored.

The EDPB explains, however, that presence in the EU alone or processing of personal data belonging to EU data subjects itself is not determinative of GDPR's applicability. Rather, the element of "targeting" individuals in the EU, either by offering goods or services to them or by monitoring their behavior (as discussed in Consideration 2b below), must always be present in addition to presence in the EU.

    • Consideration 2a: Offering of goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the Union

Next, the Guidelines address the requirement of offering goods and services to data subjects in the EU. The Guidelines make clear that this consideration relies heavily upon intent and payment for goods and services is not necessary. In addition to traditional factors such as offering goods and services in local languages and currencies, the Guidelines describe several factors to be considered as evidencing such an intent, including:

    • Referencing the EU or a Member State;
    • Paying a search engine operator for an internet referencing service to facilitate access to the site by EU consumers;
    • Marketing/advertising in the EU;
    • The international nature of the activity at issue;
    • Posting a dedicated EU address or phone number;
    • Using EU domain names;
    • Including travel instructions from a Member State to the place where the product or service is provided;
    • Including testimonials or other mentions of international clientele from the EU or Member States;
    • Using a language or currency other than that used in the entity's country (especially where the language or currency is one used in one or more Member States); and
    • Offering EU delivery.

The Guidelines state that none of the above in isolation should be considered a "clear indication" of offering goods or services to data subjects in the EU, but all should be considered collectively, on a case-by-case basis, to make the determination.

    • Consideration 2b: Monitoring of data subjects' behavior

On the monitoring consideration, the Guidelines confirm that to trigger the application of the GDPR under Article 3(2)(b), "the behaviour monitored must first relate to a data subject in the Union and, as a cumulative criterion, the monitored behaviour must take place within the territory of the Union." The Guidelines explain that with respect to monitoring, unlike the offering of goods and services consideration, there is no requisite "intention to target." However, "monitoring" implies that the controller must have a "specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual's behavior in the EU." In addition to monitoring through the tracking of a person on the internet as referenced in Recital 24, the EDPB believes other types of tracking, such as through wearable and smart devices, constitute monitoring. Additional examples referenced in the Guidelines include:

    • Behavioral advertising;
    • Geo-locating activities;
    • Personalized diet and health analytics services online;
    • CCTV;
    • Market surveys and other behavioral studies based on individual profiles; and
    • Monitoring or regular reporting on an individual's health status.

The Guidelines warn that with respect to the targeting criterion, entities must take into account other applicable texts, such as EU or Member States' sectorial legislation and national laws. Because certain provisions of the GDPR allow Member States to introduce additional conditions and define a specific data protection framework at national level in certain areas, organizations must ensure that they address any additional conditions and frameworks which may apply.

Article 3(3): Applicability Based on Public International Law

The final way in which the GDPR might apply based on territorial scope relates to the operation of public international law. The Guidelines explain that international law, such as the Vienna Convention on Diplomatic Relations of 1961 and the Vienna Convention on Consular Relations of 1963, may result in the GDPR applying to processing carried out by EU Member States' embassies and consulates, so long as the processing falls within the material scope of the GDPR.

Article 27: EU Representative

The Guidelines also provide further detail on the designation of a representative by entities that are subject to the GDPR under Article 3(2). The obligation to designate a representative comes from Article 27(1), which states that "[w]here Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union."

The Guidelines provide further insight into the obligations and responsibilities of a designated representative, explaining that the representative should:

    • Facilitate communication between data subjects and the controller and/or processor relating to the exercise of data subject rights (however, the representative is not responsible for actually complying with or responding to data subject rights requests);
    • Maintain Article 30 records of processing activities (however, this is considered a joint obligation with the controller and/or processor); and
    • Cooperate with supervisory authorities by acting as point of contact in connection with any matter relating to the compliance obligations of the entity and facilitating informational or procedural exchanges between the entity and the supervisory authority.

The Guidelines also set out certain criteria for the representative, explaining that the representative should be:

    • A natural or legal person (this may include a commercial or non-commercial entity, including law firms, consultancies, etc.);
      • The Guidelines recommend however that where an entity serves as the designated representative, the controller or processor should designate a single individual point of contact as a lead contact or "person in charge" and to do so in the service agreement with the representative;
    • Established in one of the Member States where the data subjects are located;
    • Able to communicate effectively with data subjects and supervisory authorities, including in local languages and with the help of a team if necessary; and
    • Listed in the controller's / processor's privacy notice.

Interestingly, the Guidelines state that the EDPB does not consider the function of representative in the Union as compatible with the role of an external data protection officer ("DPO"). This is because there exist potential conflicts of obligation and interests between the two roles. For example, Article 38(3) requires that controllers or processors ensure that the DPO "does not receive any instructions regarding the exercise of [his or her] tasks" and Recital 97 adds that DPOs, "should be in a position to perform their duties and tasks in an independent manner." Conversely, a representative is governed by contract with the controller or processor and would be acting on its behalf and, therefore, under its direct instruction. Because of this incompatibility, the Board indicates that the same individual or entity should not be used to fulfill both roles.

Lastly, the Guidelines point out that designating a representative pursuant to Article 27 does not create an establishment under Article 3(1).

Takeaways

Overall, the Guidelines provide some additional insight and color around the GDPR's territorial scope but, in many cases, include only very straightforward examples of the application of Article 3. Moreover, the EDPB does not attempt to address more complicated issues, such as those involving multiple related entities established in different countries. The guidance also leaves unanswered the potential jurisdictional questions that may be involved with attempting enforcement against an entity based completely outside of the EU.

The Guidelines state throughout that while they are intended to provide assistance in interpreting these requirements, to truly evaluate the GDPR's applicability under Article 3, a case-by-case analysis should be done taking into account the specific facts at issue. Therefore, we suggest that organizations with specific or more complicated issues seek guidance from legal counsel with experience advising on GDPR issues.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
