European Data Protection Board launches consultation on the territorial scope of the GDPR
When will processing by a data controller or data processor fall within the territorial remit of the GDPR?
The European Data Protection Board (EDPB) has opened a consultation on draft guidelines on the territorial scope of the GDPR. The territorial scope of the GDPR is defined in Article 3 and is determined by two key criteria contained in Articles 3(1) and 3(2): the establishment criterion and the targeting criterion. The aim of the proposed guidelines is to assist in determining when the GDPR applies territorially. They are also intended to inform the process for the designation of representatives of non-EEA controllers and processors that target the EU.
Article 3(1) states that the “Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”.
This sets out a three-part test, which the draft guidelines address:
1. An Establishment in the EU
The EDPB cites Recital 22, which states that “an establishment implies the effective and real exercise of activities through stable arrangements”. The guidelines note that the “legal form” of the arrangement is not the decisive factor and that even the presence of a single employee or agent might be enough to satisfy this limb of the test. Further, where the activities of a controller relate to providing online services, the threshold for “stable arrangements” is stated to be “quite low”. Importantly, though, the guidelines specify that merely having a website that is accessible in the EU does not, by itself, amount to an “establishment”.
2. “In the context of the activities of” an establishment
The EDPB notes that the relevant processing does not have to be carried out by the EU establishment itself for it to be caught by the GDPR. It gives the example of processing carried out in China that would be “inextricably linked” to the activities of a Berlin establishment set up to “lead and implement commercial prospection and marketing campaigns towards EU markets”, even where no data processing takes place in the Berlin establishment. The Chinese processing would therefore fall within the scope of the GDPR.
In order to determine the link, the EDPB sets out a two-stage test:
- whether personal data is being processed
- whether there are links between the activity for which the data is being processed and the activities of the establishment in the EU.
3. Regardless of whether the processing takes place in the EU or not
As outlined above, whilst the location of the establishment of the controller or processor is important, the place where the processing itself takes place is not a factor in assessing whether the processing falls within the territorial scope of the GDPR.
Application of the “establishment criterion”
The draft guidelines note that the GDPR does not necessarily apply to both a controller and a processor in every situation where there is a relationship between them. A controller based outside the EU that uses a processor in the EU to process the data of non-EU data subjects would not, by virtue of that relationship alone, be subject to the GDPR. However, as the processor is situated in the EU, the processor would be subject to the relevant provisions of the GDPR under Article 3(1).
Article 3(2) states that the “Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union”.
The EDPB advises a two-part test to assess applicability: first, that the data subjects are in the Union; second, that the processing relates either to the offering of goods or services (Article 3(2)(a)) or to the monitoring of behaviour (Article 3(2)(b)). The guidelines address these elements as follows:
1. Data subjects who are in the Union
The EDPB cites Recital 14, which explains that the targeting criterion does not depend on the citizenship or residence of the individual but on the individual being in the EU. This must be evaluated at the time when the goods or services are being offered or the behaviour is being monitored.
2. Offering goods or services … to such data subjects in the Union
The guidelines note that the offering of information society services falls within the rule and that payment is not the deciding factor. In order to be caught by this limb, the controller or processor must be offering their goods or services to data subjects situated in the EU.
The guidelines state that each case will be considered on its own facts, but they also give a number of factors which may indicate that a controller or processor is “offering goods or services” to individuals in the EU, such as: the use of a language or currency of one or more Member States, references to clients who are in the EU, the use of an EU domain name, or the provision of delivery services to the EU.
3. Monitoring of [data subjects’] behaviour
As with the offering of goods and services, the monitored behaviour must take place while the data subjects are in the EU. The EDPB considers that the following activities might be caught by Article 3(2)(b):
- behavioural advertisement
- geo-localisation activities, in particular for marketing purposes
- online tracking through the use of cookies or other tracking techniques
- personalised diet and health analytics services online
- market surveys and other behavioural studies based on individual profiles
- monitoring or regular reporting on an individual’s health status.
The EDPB did, however, confirm that not every collection or analysis of personal data will automatically be considered monitoring.
Representatives of non-EU Controllers and Processors
Controllers and processors that target the EU from outside the EU have a duty to designate a representative in the EU unless they are exempt under Article 27(2) GDPR. That exemption applies where the controller or processor is a “public authority or body”, or where the processing is “occasional”, does not include large-scale processing of special categories of data (Article 9(1)) or of data relating to criminal convictions and offences (Article 10), and is “unlikely to result in a risk to the rights and freedoms of natural persons”.
Designation of a representative
Recital 80 states that “the representative should be explicitly designated by a written mandate of the controller or of the processor”. This mandate governs the relationship between the designated representative and the non-EU controller or processor. The representative may be an individual or a commercial body such as a law firm, consultancy or private company, acting under a contract with the controller or processor.
The EDPB clarifies that the role of the representative is not compatible with that of an external data protection officer (DPO), as a DPO must, in accordance with Article 38(3) and Recital 97, have a degree of autonomy and independence.
The EDPB also highlights that the representative should be located in the Member State in which the majority of the individuals whose data is being processed are situated, but must remain easily accessible to data subjects in the other Member States whose data is being processed.
Obligations and responsibilities of the representative
Representatives must “facilitate the communication between data subjects and the controller or processor represented”. To achieve this, the representative must be able to communicate with both the data subjects and the supervisory authorities.
Representatives, together with the controllers or processors they represent, have an obligation to ensure that a record of processing activities is maintained. The EDPB further considers that representatives may themselves be subject to enforcement action, including fines and penalties.
Why is this important?
The guidelines will help companies to ascertain whether they have an establishment within the EU under Article 3(1), what types of “offering of goods or services” and “monitoring” will be caught under Article 3(2) and, if applicable, what responsibilities they and their designated representative will have to fulfil. Given the substantial penalties that companies can face for non-compliance with the GDPR, it is important that controllers and processors know whether they fall within its territorial scope so that they can make the adjustments needed to be compliant.
Any practical tips?
The EDPB encourages controllers and processors to assess their processing activities carefully in order to determine whether they are subject to the GDPR. This is not always easy, and so the guidelines should be welcomed, particularly as they should assist in informing decisions as to when the Model Contract Clauses are required (i.e. for processing which involves data transfers outside the EEA).