To address this fundamental question, the EDPB published, on 12 November, the final version of the Guidelines on the territorial scope of the General Data Protection Regulation (almost a year after the draft version we analysed here), with the ambitious purpose of trying to clarify the GDPR’s ever-growing scope of application. Given the consequences of being subject to the GDPR, from a legal and operational point of view, the publication of these Guidelines was eagerly anticipated. Additionally, this final version of the guidelines address some issues that were still open when the draft version of the same was published (e.g., applicability of the GDPR to non-EU processors, liability regime of representatives, etc.).
First Approach to the Guidelines
Before analysing the main criteria established in the GDPR regarding its territorial scope of application, it is of utmost importance to highlight that the application of the GDPR must be analysed on a processing by processing basis. That is, certain processing of personal data by a controller might fall within the scope of the GDPR, while others might not. This means that GDPR does not apply to a legal entity or individual as a whole, but only to the specific data processing activities satisfying either of the GDPR’s criteria below:
Where a controller or processor is not subject to the GDPR under the establishment criterion, the targeting criterion would be analysed to see if the controller or processor is subject or not to the GDPR.
A) The Establishment Criterion (Art. 3.1 GDPR)
“This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
(Emphasis added)
If we dissect this criterion, the following conclusions can be reached:
- It applies to both controllers and processors. However, the mere fact of establishing a controller-to-processor relationship in which either party is based in the EU is not enough for both parties to apply the GDPR. Having an EU processor does not necessarily qualify as having an establishment in the EU. We analyse both possibilities below:
- Non-EU Controller – EU Processor: the EU processor will be subject to all obligations that the GDPR provides for processors. Nevertheless, the non-EU controller would not be automatically subject to the GDPR and further assessment would be required to determine the applicability of the GDPR.
- EU Controller – Non-EU Processor: Apart from complying with all obligations that the GDPR provides for controllers, the EU controller would have to enter into a data processing agreement with the non-EU processor and, as the case may be, take due safeguards upon the international transfer of data. Through this agreement, which must provide for certain mandatory content under art. 28 GDPR, the non-EU processor would be quite tied up by GDPR obligations. This is without prejudice to the possibility that the GDPR applies to the non-EU processor, something to be assessed on a case-by-case basis.
- The meaning of “establishment”. This is a very broad concept as it just implies “the effective and real exercise of activity through stable arrangements”. That is, the legal form or structure of the “stable arrangement” (e.g., a branch, a subsidiary, etc.) is not relevant. This entails assessing on a case by case basis whether having certain employees, branches, agents, or even a mere data processor in the EU could be enough to be deemed an establishment. Of course, merely having a website that happens to be accessible in the EU is not enough to be construed as an establishment.
- The meaning of “in the context of the activities of an establishment”. Again, another broad concept. However, the EDBP provides for two factors to try to help determining whether a processing is being carried out in the context of a EU establishment: (i) where the data processing activities of the non-EU entity are inextricably linked to the activities of the EU establishment (even where the local establishment is not actually taking any role in the data processing itself or carries out a different business activity); and (ii) revenue is raised by the EU establishment.
- The place in which the data processing actually takes place is not relevant for these purposes.
B) The Targeting Criterion (Art. 3.2 GDPR)
“2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
(Emphasis added)
Where the establishment criterion does not apply, the targeting criterion must be assessed. It is also worth noting that, where there is no establishment in the EU, the One-Stop Shop rule[1] would not apply. If we dissect this article, the following conclusions can be reached:
- “Data subjects who are in the Union”. That is, citizenship or nationality is not an issue (see Recital 14 GDPR). Data subjects must be located in the EU and the controller must intentionally direct its processing activities towards them. Processing activities carried out inadvertently or incidentally over data subjects “passing through” the EU would not be subject to the GDPR under this criterion. The business activity of the controller must purposely focus to the EU either by offering goods or services, or by monitoring behaviours.
- “the offering of goods or services”. In order to ascertain if goods or services are actually addressed to data subjects in the EU, special attention must be taken to hints pointing to this fact. As detailed in Recital 23 GDPR: “the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union”. Price or payment for the goods/services is not relevant for this purpose.
- “the monitoring of their behaviour as far as their behaviour takes place within the Union”. As explained in Recital 24 GDPR, “in order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes”. Although it focuses on the tracking on the internet, it also covers other types of tracking systems (e.g., via wearables and other smart devices). Monitoring of behaviours includes, among others, behavioural advertisement, geo-localisation activities for marketing purposes, CCTV, personalised diet, health analytics services online, etc.
Note that, where article 3.2 GDPR applies, a representative in the EU must be appointed. In particular, such representative must be established in one of the Member States where the affected data subjects are.
The Guidelines clarify certain aspects of this element that were missing in the previous draft, as follows:
- A representative cannot be appointed as the data protection officer of the company mainly because the nature of both roles are incompatible (e.g., Data protection officers must be able to perform their duties in an independent matter and a representative is subject to a mandate by the controller or processor and therefore under the controller’ or processor’ instructions);
- The appointment of a representative does not affect the responsibility and liability of the controller or processor. However, the representative can be hold directly liable for its direct obligations referred to in articles 30 and 58(1) GDPR; and
- The representative has certain functions and responsibilities that must be complied (e.g., facilitate the exercise by data subjects of their data protection rights; maintain a record of processing activities; cooperate with supervisory authority; etc.).
Processors not established in the EU under the Targeting Criterion
Finally, it is quite interesting how the final version of the Guidelines finally answer the doubts surrounding the application of the GDPR to non-EU Processors under the targeting criterion. In this case, the assessment focuses on whether the processing activities by the processor “are related” to the targeting activities of the controller.
This means that, where a controller is subject to the GDPR based on the targeting criterion, any processor instructed to carry out that processing activity on behalf of the controller will also fall within the scope of the GDPR in respect of that processing. Of course, this is no obstacle for the processor directly applying the targeting criteria by addressing their own clients (i.e., data subjects) in the EU.
Three questions companies may be asking themselves
[1] The One-Stop Shop rule means that, as a main rule, organisations carrying out cross-border (i.e., in more than one EU or EEA state) personal data processing activities, may only deal with one supervisory authority for most of such cross-border processing operations.
Authored by Victor Mella and Santiago de Ampuero