Extended application of the GDPR to countries outside the European Union under Guidelines 3/2018 on the territorial scope of the GDPR
Practical review
Adoption of the General Data Protection Regulation of the European
Union (EU) 2016/679 ("GDPR"), applicable as of 25 May 2018, marked a
watershed in the regulation of personal data protection. It
strengthened the rights of persons whose data are processed, introduced
substantial administrative fines, and materially advanced the
protection of the right to privacy.
Owing to the ambiguity of Article 3 of the GDPR regulating
territorial scope and the necessity for additional interpretation,
the European Data Protection Board adopted Guidelines 3/2018
on 16 November 2018, on the territorial scope of the GDPR
(the "Guidelines"). The Guidelines are a
response to uncertainties surrounding the territorial scope of the
GDPR and serve to ensure consistency and uniform practice in this
matter.
Article 3 of the GDPR governs territorial scope. Meeting any one of
the three prescribed criteria triggers application of the GDPR:
- Establishment of a controller or processor in the EU;
- Targeted activity/Targeting towards the EU territory, even
though the controller or processor is not in the EU;
- Application by virtue of public international law.
The above definition is a solid foundation for determining the
territorial scope of the GDPR, but leaves itself open to a broad
range of interpretations – hence the need for an "in
concreto" assessment.
In this article, we will consider detailed explanations of the
extended application rules, as well as practical examples to gain a
comprehensive understanding of the significance and impact of these
rules on non-EU countries.
1. Application based on establishment of a controller or processor in the EU
"GDPR applies to the processing of personal data in
the context of the activities of an establishment of a controller
or a processor in the Union, regardless of whether the processing
takes place in the Union or not."
This wording calls for a case-by-case assessment of whether the GDPR
applies. While the criterion is typical for entities within EU Member
States, in some cases it also reaches entities in non-EU countries.
Under Recital 22, establishment implies the effective and real exercise
of activity through stable arrangements, regardless of the legal form
of the controller or processor (a branch or a subsidiary with legal
personality both qualify). What amounts to a "stable arrangement"
depends on the facts of each case; no more precise definition is given,
precisely so that the field of application is as broad as possible.
The GDPR may therefore apply to business entities established outside
the EU that have branches or offices in the EU.
The decisive question is whether the processing is carried out "in the
context of the activities" of the EU establishment. The Guidelines,
following the Court of Justice in Google Spain, treat this as an
inextricable link between the activities of the EU establishment and
the processing, assessed case by case; revenue raised in the EU by the
establishment is one indicator. Where the controller or processor is
itself established in the EU and processes personal data in the course
of its own activities, the GDPR applies in every case, wherever the
processing physically takes place.
Example 1: A company established in Belgium manufactures car parts
solely for buyers in the USA and Canada, and its customer data are
collected and processed only in the United States. The GDPR
nevertheless applies, because the processing takes place in the
context of the activities of the Belgian company, a controller
established in the EU. The fact that the processing is physically
carried out outside the EU is irrelevant.
Even where personal data are not processed by the EU establishment
itself but by an affiliate outside the EU, the GDPR applies if there is
an inextricable link between the activities of the EU establishment
and the processing carried out by the non-EU controller or processor.
Example 2: A marketing company registered in India has established a
branch in France. The Indian company itself carries out market research
concerning the French market and processes the resulting data in order
to improve the services it offers there. The business of the French
branch is inextricably linked to that processing, so the Indian company
must apply the GDPR to it. This is so even though the French branch
does not itself carry out the processing: the link between the
branch's activities and the processing is sufficient for the GDPR to
apply.
The general conclusion is that the existence of a branch or other
establishment may trigger application of the GDPR. In some
circumstances, e.g. online services, the presence in the EU of a single
employee or agent of the non-EU entity may be sufficient to constitute
a stable arrangement, provided that person acts with a sufficient
degree of stability. However, while the notion of "establishment" is
broad, it is not without limits. For example, the GDPR does not apply
to a Serbian company simply because its website is accessible to
people in the EU; mere accessibility does not constitute an
establishment.
Application of the GDPR should be considered separately for the
controller and processor. It is not enough to conclude that the
application of the GDPR is mandatory for the processor simply
because it was previously determined that it applies to the
controller or vice versa.
The second part of this application criterion demonstrates that
data processing does not have to take place within the EU. The GDPR
will apply to entities that collect and process personal data only
in non-EU countries if they have a business presence, i.e.
establishment, in the EU.
2. Application based on targeted activity, i.e. targeting, towards the EU territory, even if a controller or processor have no presence in the EU
"GDPR applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of
whether a payment of the data subject is required, to such data
subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union."
This criterion leaves greater scope for application to be
extended to non-EU countries, although satisfaction of the
application criterion must be examined on a case-by-case basis.
While the citizenship of the data subject is irrelevant, its
location in the territory of the EU is a determining factor.
In the first scenario, offering goods or services to data subjects in
the EU triggers the application of the GDPR, but it must first be
determined whether an "offer" directed at the EU has actually been
made. Drawing on Recital 23, the Guidelines list factors that may be
taken into consideration. These include, but are not limited to: the
use of a language of an EU Member State other than the language
generally used in the supplier's own country; allowing payment in the
currency of one or more Member States; offering delivery of goods to
EU Member States; mentioning dedicated phone numbers or addresses for
EU users; the use of top-level domain names of Member States or of the
EU, such as ".de" or ".eu"; paying a search engine to facilitate access
by EU users; mentioning customers or users who are in the EU. Taken
alone, none of these factors amounts to a clear indication of a
controller's intention to offer goods or services to data subjects in
the EU; Recital 23 expressly states that the mere accessibility of a
website, an e-mail address or other contact details, or the use of a
language generally used in the supplier's own country, is insufficient.
The factors must instead be weighed together to determine whether,
in combination, they show an offer of goods or services directed at
data subjects in the EU and thereby trigger the GDPR. The key point is
whether the activity is targeted at data subjects in the EU.
Example 3: A company established in China sells cameras and related
equipment through its website. The website is available in Chinese,
English, German and French. It offers delivery to the United Kingdom,
Germany and France, and accepts payment in euros and pounds. Taken
together, these factors lead to the application of the GDPR in this
particular situation, even though all data collection and processing
are carried out in China. (The United Kingdom was a Member State when
the Guidelines were adopted; since its withdrawal from the EU, activity
directed at the United Kingdom alone is a matter for UK law rather than
the GDPR, while the German and French elements of this example still
suffice.)
Example 4: A Russian agency for programming and software development
has announced a job vacancy on its website, stating that knowledge of
English and German is required. Is the agency subject to the GDPR
merely because these languages are widely spoken in the EU? In this
context, the answer is no. Applicants are data subjects, but a language
requirement alone is not an indicator that the vacancy is directed at
data subjects in the EU. Other factors, such as a dedicated EU contact
address or an explicit reference to candidates in particular Member
States, would be needed to reach that conclusion.
In the second scenario, the GDPR applies if the behaviour of a data
subject who is in the EU is monitored, but only insofar as the
monitored behaviour itself takes place within the EU. Where the
monitoring is carried out from is irrelevant. Recital 24 refers in
particular to tracking of natural persons on the internet, including
subsequent profiling. The Guidelines do not treat every online
collection of data as "monitoring": one must determine precisely what
behaviour is being monitored, the purpose of the monitoring, and
whether the data will be used for profiling or for drawing conclusions
about the data subject, for example to take decisions about them or to
predict their preferences or attitudes.
Example 5: A marketing agency from Mexico provides
consultation services in the field of tourism. With the help of a
Wi-Fi network, the behaviour of a data subject in Berlin is
monitored and local restaurants in the city are recommended via
social networks.
It is clear from this example that monitoring is being carried out
to provide restaurant recommendations and that the data subject is
in the EU, hence the GDPR applies.
Controllers or processors not established in the EU but engaging in
processing activities falling under Article 3(2) are required by
Article 27 to designate a representative in the EU. The representative
must be established in one of the Member States where the data
subjects whose data are processed are located. Appointment should be by
written mandate, which governs the relationship between the controller
or processor and the EU representative, including mutual rights,
obligations and responsibilities.
It is commonplace for non-EU controllers and processors to engage
specialised companies with experience in this field as a
representative. The Guidelines consider the role of representative
incompatible with that of Data Protection Officer, since the
representative acts on the controller's instructions whereas the DPO
must act independently; the two roles should be kept separate.
The representative acts as the point of contact for data subjects and
for supervisory authorities on all issues related to the processing, in
addition to or instead of the controller or processor, and maintains
the record of processing activities required by Article 30 on behalf of
the controller or processor. The designation of a representative is
without prejudice to the responsibility or liability of the controller
or processor outside the EU.
Designating a representative is not mandatory in two situations. The
first applies only where all of the following conditions are met
together: the processing is occasional, it does not include
large-scale processing of special categories of data or of data
relating to criminal convictions and offences, and it is unlikely to
result in a risk to the rights and freedoms of natural persons. The
second is where processing is carried out by a public authority or
body.
Example 6: Returning to Example 3, where it is concluded that the
GDPR applies, the Chinese company must designate a representative in
one of the Member States where its targeted customers are, i.e. France
or Germany (and the United Kingdom only while it was a Member State).
Under Article 13(1)(a), the identity and contact details of the
controller and of its representative must also be provided to
customers in the information made available on the website.
3. Application based on Member State law by virtue of public international law
"GDPR applies to the processing of personal data by a controller not
established in the Union, but in a place where Member State law
applies by virtue of public international law."
This application criterion differs from that set down in the
Serbian Data Protection Act, which does not make specific provision
for it. The scope of this criterion is limited, but still leads to
the application of the GDPR to non-EU countries. This criterion
primarily concerns foreign diplomatic and consular missions, but
also several other situations.
Example 7: The German Embassy in Russia has opened
an application process for the recruitment of administrative staff
to process the data of temporary work visa applicants. Although the
German Embassy is not established in the EU, as it is an EU Member
State embassy in accordance with public international law, the
application of German law – and thus the GDPR – is
mandatory. Applicants' personal data should therefore be
collected in accordance with the GDPR.
Example 8: An Austrian aircraft flying over
Mexican territory processes the data of passengers on board to
improve the quality of its services and send special offers from
the airline for future flights. Although the aircraft is located
outside EU territory, the fact that it is registered in Austria
means that by virtue of public international law, the laws of
Austria – and therefore the GDPR – shall be
applicable.
The impact of the GDPR on non-EU countries is plain to see in the
legislation enacted in this area by EU candidate countries, which
for the most part incorporate the uniform GDPR rules. Meanwhile,
the rules on the extended territorial scope of the GDPR move its
impact far beyond the borders of Europe. The loose wording in
respect of its application has left the door open for multiple
interpretations, hence the need to develop legal practice to
establish rules for every possible situation. Clearly the effect of
the GDPR is significant even outside Europe, but it remains to be
seen how it will be implemented in practice, in particular the
provisions on the obligation to designate a representative in the
EU.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.