GDPR territorial scope
The European Data Protection Board publishes guidelines on the territorial scope of the GDPR.
The European Data Protection Board (EDPB) has recently published guidelines on the territorial scope of the GDPR, in order to clarify the cases where GDPR applies according to Article 3. Territorial scope of the GDPR is defined based on two main criteria: the “establishment” criterion (1) and the “targeting” criterion (2).
- Processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
The concept of establishment extends to any real and effective activity, even where it is minimal, exercised through stable arrangements. It may include activities carried out over the internet even if there is only one single employee or agent with presence in the Union, where he or she acts with a sufficient degree of stability.
“In the context of” involves all those processing activities taking place outside the Union that are inextricably linked to the activities of a local establishment in a Member State. “Inextricable link” is therefore the criterion to determine the application of the GDPR in the context of an establishment in the Union, but the EDPB considers that it should be analysed on a case-by-case basis and that additional elements, like revenue-raising in the EU, should also be taken into account.
The EDPB underlines that a non-EU controller having a processor in the Union does not imply that such controller is processing data in the context of an establishment in the Union, because the processor merely provides a service, which does not qualify as an activity “inextricably linked”.
- Processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, or the monitoring of their behaviour.
The EDPB stresses that the location of the data subject in the territory of the Union is the determining factor, to be assessed at the moment when the relevant trigger activity takes place, while the nationality or legal status of a data subject is not relevant in this respect. This criterion will not apply when the processing of personal data relates to an individual alone.
In addition, this criterion will only trigger the application of the GDPR where the conduct on the part of the controller or processor clearly demonstrates its intention to offer goods or services to a data subject located in the Union, which would be ascertained based on elements such as the designation by name of a Member State with reference to the good or service offered, the use of EU search engines, the features of the marketing campaigns or the existence of specific addresses, telephone numbers, domain, currency or language for the EU.
- Furthermore, the GDPR will also apply to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessment, and Data Protection Officer outsourcing.