GDPR territorial scope

The European Data Protection Board publishes guidelines on the territorial scope of the GDPR.

The European Data Protection Board (EDPB) has recently published guidelines on the territorial scope of the GDPR, in order to clarify the cases where GDPR applies according to Article 3. Territorial scope of the GDPR is defined based on two main criteria: the “establishment” criterion (1) and the “targeting” criterion (2).

  • -Processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

The concept of establishment extends to any real and effective activity, even where it is minimal, exercised through stable arrangements. It may include activities carried out over the internet even if there is only one single employee or agent with presence in the Union, where he or she acts with a sufficient degree of stability.

In the context of” involves all those processing activities taking place outside the Union that are inextricably linked to the activities of a local establishment in a Member state. “Inextricable link” is therefore the criterion to determine the application of the GDPR in the context of an establishment in the Union, but EDPB considers that it should be analysed on a case-by-case basis and additional elements like revenue-raising in the EU should also be taken into account.

EDBP underlines that a non-EU controller having a processor in the Union does not imply that such controller is processing data in the context of an establishment in the Union, because the processor merely provides a service, which does not qualify as activity “inextricably linked”.

  • -Processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, or the monitoring of their behaviour.

EDBP stresses the location of the data subject in the territory of the Union as the determining factor to be assessed at the moment when the relevant trigger activity takes place, while nationality or legal status of a data subject are not relevant to this extent. This criterion will not apply when the processing of personal data relates to an individual alone.

In addition, this criterion will only trigger the application of GDPR where the conduct on the part of the controller or processor clearly demonstrates its intention to offer goods or services to a data subject located in the Union, which would be ascertained based on some elements such the designation by name of a Member State with reference to the good or service offered, the use of EU search engines, the features of the marketing campaigns or the existence of specific addresses, telephone numbers, domain, currency or language for the EU.

  • -Furthermore, GDPR will as well apply to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessment, and Data Protection Officer outsourcing.

ICO strengthens commitment to technology and innovation

ICO strengthens commitment to technology and innovation with appointment of new executive director

ICO’s commitment to technology and innovation while protecting people’s privacy has been strengthened with a high-profile appointment. Simon McDougall is joining the ICO as Executive Director for Technology Policy and Innovation – leading new approaches to information rights practice and promoting the legally compliant processing of personal data as a core element of new technologies and business systems.

Mr McDougall is currently Managing Director of Promontory – a risk management and regulatory compliance consulting firm acquired in 2016 by IBM, where he founded and led a global privacy practice. He has extensive experience of working across a wide range of sectors and jurisdictions on privacy, compliance, digital initiatives and innovation.

He is a well-known international figure in the world of information rights, serving on the Board of Directors and the European Advisory Board at the International Association of Privacy Professionals (IAPP) along with many other consultative and advisory groups.

Mr McDougall said: “I am honoured to have the opportunity to join the ICO and lead their work in this critical area. Technological change continues to accelerate, and it is vital that the ICO remains constructively and robustly engaged as organisations innovate in the use of personal data.”

Technology is a key area for the ICO, as demonstrated by the following:

  • The publication of our first Technology Strategy, outlining how the ICO will adapt to technological change as it impacts information rights and how we’ll plan ahead for the arrival of new technologies. It explains our eight technology goals and how we intend to achieve them.
  • Making artificial intelligence (AI) one of our top three priorities for 2018/19. This includes a new Technology Fellowship programme with a two-year post-doctoral appointment to investigate and research the impact of AI on data privacy. Our updated, award winning paper on AI, Big Data and Machine Learning has been key in highlighting many of the issues and challenges facing society.
  • Plans for a regulatory ‘sandbox’ to enable organisations to develop innovative products and services while benefitting from advice and support from the ICO. We intend to consult on implementation this year.
  • Adding cyber incidents as a sixth strategic goal in the ICO’s Information Rights Strategic Plan.

Elizabeth Denham, Information Commissioner, said: “We have ambitious plans for our work in the crucial area of technology and also to ensure we are an innovative regulator, open to new ideas and new ways of doing things. As a globally respected figure in the world of privacy and innovation, Simon is a great fit for this new role, which will strengthen our expertise and responsiveness to new challenges and opportunities.”

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services and Data Protection Officer outsourcing.

Zoe Wong on Depop user community and its privacy awareness

As part of our interviews with clients, this time we are with Zoe Wong, director of Finance and operations of Depop, who will be talking to us about the community of users on its platform, how it has evolved and the perception of these in relation to privacy.

1. Why is Depop unique? To an outsider, it might look like a mixture of Instagram and eBay but there is more to it, correct?

Depop  has a very unique community of young creatives, so the items found on our platform are often unique pieces with their own story behind them. Depop has become, not just a place to buy and sell, but it has also offered young people an alternative career path – many are now full-time Depop sellers and start their own business. The Instagram-like marketplace means that it’s become more than just about shopping, the social element means that users also come to Depop to discover and connect with like-minded individuals.tividad, lo que implica que es una experiencia que va más allá de la venta; el componente social permite a los usuarios conectar con personas similares que comparten los mismos intereses e inquietudes.

2. Your target generation of consumers that have grown up with social media may be less concerned about online privacy than the previous ones. Is that really the case, or do they simply perceive privacy differently?

I think that our users are very aware, but they definitely have a different perception around online privacy. In the past, users may have been more concerned with things like identity security but in the age of social media, users are less concerned about putting their details on a public profile but more aware of how their data is being used and whether it’s being sold. They’re much more aware of their rights and they’re not afraid to challenge companies on their activities – I think it’s a fascinating evolution that will change how companies view transparency & social responsibility.


Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessment, and Data Protection Officer outsourcing.

UK data protection bill and GDPR data protection officer

UK Data Protection Bill and GDPR

We are often asked by clients and prospects what happens to UK data protection laws after Brexit? Our regular answer ‘not much’ has proven to be correct: the proposed UK Data Protection Bill and GDPR are meant to be aligned with each other.

UK data protection bill and GDPR data protection officer

Indeed, anything else would put UK businesses at a disadvantageous position in terms of not being able to exchange data freely with the EU after Brexit. And keep in mind this is one of the easy areas, where Brexit negotiations results might not matter all that much: once UK laws are as favourable to individuals as the GDPR, European Commission is likely to allow unrestrained data exports to the UK regardless of any new EU-UK relationship.

Harsher penalties

The new UK Data Protection Bill and GDPR are aligned when it comes to penalties, one of the GDPR’s underlying new policies potentially targeting international web giants: maximum penalties £17 million or 4 % of global turnover resemble €20 million and the same percentage of the GDPR.

Obtaining consent becoming more difficult

UK Data Protection Bill and GDPR both put focus on consent for personal data processing, which is no longer a formal, box-ticking exercise. Issues such as easy withdrawal of consent, children’s consent or consent to process sensitive personal data are all the focus of both the UK Government and GDPR. Children and adults may also choose to be ‘forgotten’ by social media platforms.

Broader definition of personal data

In the same way as some other EU countries have already done, UK Data Protection Bill is expanding the definition of ‘personal data’ to include IP addresses. This is so because ISPs and other entities can easily identify and trace individual users when they know their IP addresses. Furthermore, the definition would expressly include internet cookies and DNA.

Aphaia specialises in helping organisations with their GDPR adaptation plus acts as outsourced Data Protection Officer in line with the GDPR requirements.