November 30, 2018 | Client Alert

EDPB Issues Guidance on Territorial Scope of GDPR

One of the most frequent questions we get from companies outside the European Union (EU) concerns the territorial scope of application of the General Data Protection Regulation (GDPR). Given the consequences at stake, it is understandable that companies want to fully understand the law's application. Help has arrived. On November 23, 2018, the European Data Protection Board (EDPB) adopted new draft guidelines to provide clarity on the territorial scope of GDPR.

The Guidelines provide clarity on the scope of application of the GDPR and are available for consultation until January 18, 2019. Given that Article 3 defines territorial scope using two main criteria, “Establishment” and “Targeting,” the guidelines appropriately focus on whether an entity is “established” in the EU and the “targeting criterion” for entities outside of the EU.

GDPR governs controllers and processors established in the EU

Article 3(1) of GDPR focuses on entities established in the EU. It provides that the “Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the [EU], regardless of whether the processing takes place in the [EU] or not.”

The Guidelines confirm that GDPR can apply to the controller, the processor, or both. Importantly, the Guidelines emphasize that the establishment of the controller and of the processor must be considered separately. In doing so, the Guidelines clarify two different scenarios:

(1) EU processor/Non-EU controller – a non-EU controller working with a processor established in the EU, for activities outside of the EU, and not targeting EU residents does not have to comply with GDPR. Rather, the EU processor would be subject to GDPR directly applicable to data processors.

(2) EU controller/Non-EU processor – when an EU controller uses a non-EU processor, the processor, although not established in the EU, may become indirectly subject to the GDPR obligations imposed on the EU controller by virtue of the contractual arrangements required under Article 28. As such, the Guidelines clarify that a non-EU entity responsible for data processing can still fall within the scope of GDPR even if it does not have a branch or subsidiary in the EU.

Therefore, whether a non-EU entity is “established” in the EU requires an analysis of its stability of arrangements and its activity within the EU. However, the guidelines assure organizations that a non-EU entity does not have an establishment in the EU merely because the undertaking’s website is accessible in the EU.

GDPR reaches non-EU controllers and processors that target individuals in the EU

As noted above, a controller or processor not established in the EU could still fall within the scope of the GDPR, and this analysis is guided by Article 3(2)’s targeting criterion. Article 3(2) of the GDPR provides that “this Regulation applies to the processing of personal data of data subjects who are in the [EU] by a controller or processor not established in the [EU], where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the [EU]; or (b) the monitoring of their behaviour as far as their behaviour takes place within the [EU].” 

This targeting criterion was considered one of the novelties of GDPR. Article 3(2) can be triggered by two types of activities carried out by a controller or processor not established in the Union: (1) offering goods or services to individuals within the EU, or (2) monitoring their behavior. The EDPB therefore recommends a twofold approach: first, determine whether the processing relates to personal data of data subjects who are located in the European Union; second, determine whether it relates to the offering of goods or services or to the monitoring of data subjects' behavior in the European Union.

In addressing the targeting criterion, the EDPB clarified that it applies to data subjects "located" in the EU. The citizenship, residence or other legal status of the data subject is irrelevant. Rather, the test is where the data subject was physically located when the relevant triggering activity takes place (e.g., at the moment goods or services are offered).

The Guidelines list factors to be considered in determining whether goods and services are being offered to EU data subjects and whether subjects’ behavior is being monitored:

(1) “Offering goods or services”

  • Designating the EU or a Member State by name with reference to the good or service offered;
  • Paying a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union;
  • Directing marketing and advertisement campaigns at an EU country audience; and
  • Using specific domain names, such as ".de," other than that of the third country in which the controller or processor is established.

Importantly, the Guidelines also note that the mere accessibility in the EU of the controller's, processor's, or intermediary's website, or the listing of an address or a telephone number without an international code, does not, of itself, demonstrate the controller's or processor's intention to offer goods or services to data subjects in the EU.

(2) “Monitoring of data subjects’ behavior”

Behavior monitored must first relate to a data subject in the EU and, as a cumulative criterion, the monitored behavior must take place within the territory of the EU. “Monitoring” implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data. The Guidelines list activities, among others, that may be viewed as examples of “monitoring”:

  • Tracking of a person on the internet through their behavior;
  • Tracking through other types of network or technology involving personal data processing, for example through wearable and other smart devices;
  • Behavioral advertisement;
  • Geo-localization activities, in particular for marketing purposes;
  • Online tracking through the use of cookies or other tracking techniques such as fingerprinting;
  • Personalized diet and health analytics services online;
  • CCTV;
  • Market surveys and other behavioral studies based on individual profiles; and
  • Monitoring or regular reporting on an individual’s health status.

The EDPB does not consider that any online collection or analysis of personal data of individuals in the EU would automatically count as “monitoring.” It will be necessary to consider the controller’s purpose for processing the data and, in particular, any subsequent behavioral analysis or profiling techniques involving that data.

Designating an EU representative for a Non-EU establishment

Finally, the EDPB reiterated that data controllers and processors established outside the EU, but subject to GDPR, are required to designate a representative in the EU, unless exempted under Article 27. One interesting note is that EDPB asserts that the EU representative may not be the Data Protection Officer (DPO). In doing so, the EDPB reasons that the requirement for a sufficient degree of autonomy and independence of a DPO does not appear to be compatible with the function of the representative in the EU. 

Although several questions still remain, the Guidelines prove to be a very welcome and helpful document that clarifies a number of previously unanswered questions. Given that the consultation remains open, further refinement and fine-tuning are to be expected.

We encourage you to contact Michael Best’s Privacy & Cybersecurity Team with all questions concerning the EDPB Guidelines and the territorial scope of GDPR.
