The European Data Protection Board (EDBP) recently adopted Guidelines concerning the territorial scope of the GDPR (Article 3)

The European Data Protection Board (EDBP) recently adopted Guidelines concerning the territorial scope of the GDPR (Article 3)

Introduction

The European Data Protection Board (EDBP) recently adopted Guidelines concerning the territorial scope of the GDPR (Article 3), which can be difficult to assess when controllers or processors are located outside the EU. The Guidelines also adresses the issue of the European representative that shall be designated when data subjects are located inside the EU while the processor or controller are not (Article 27). The following article aims to give an overview on the guidelines, following the same structure than the EDPB. 

  1. Territorial Scope of the GDPR (Article 3)

Article 3 of the GDPR defines the territorial scope of the Regulation on the basis of two main criterias:-the “establishment” criterion, as per Article 3(1) and the “targeting” criterion as per Article 3(2). 

Establishment criterion (Article 3(1)). 

Article 3(1) provides that the GDPR applies to « the processing by a controller or processor carried out in the context of the activities of an establishment of that controller or processor in the Union, regardless of the actual place of the processing ». 

The EDPB recommends to adopt a threefold approach to assess whether the processing falls within the scope of Article 3(1).

  1. In the first place, the presence of an ‘establishment’ in the EU within the meaning of EU data protection lawmust be determined. 

As the GDPR does not provide a definition of “establishment” for the purpose of Article 3, EDPB refers to  Recital 225 which clarifies that an establishment implies two aspects: 

  1. An effective and real exercise of activities 
  2. These activities must be exerciced through a stable arrangements.

A stable arrangement doesn’t require a specific legal form: it can be a branch, a subsidiary with a legal personality, a representative, or an employee. The EDPB however deems that neither a processor in the EU, neither the European Representative, should be considered to be an establishment of a data controller within the meaning of Article 3(1). 

Interestingly, the EDPB mentions that the threshold for a “stable arrangement ” can actually be quite low when the centre of activities of a controller concerns the provision of services online. It also states that it is not possible to conclude that the non-EU entity has an establishment in the Union merely because the undertaking’s website is accessible in the Union. 

  • In the Second place, data processing must be in the context of the activities of the establishment in the Union

To adress this point, the EDPB recommends to carry out a case-by-case analysis. The EDPB however refers to two factors to assess wheter the processing is being carried out in the context of the activities of the establishment. 

Firstly, if a case by case analysis on the facts shows that there is an inextricable link between the processing of personal data carried out by a non-EU controller/processor and the activities of an EU establishment, EU law will apply to that processing by the non-EU entity, whether or not the EU establishment plays a role in that processing of data. Secondly,  the existence of revenue raising in the Union can also be taken into account. 

  • is carried outside or inside the Union. 

In fact, geographical location is not important for the purposes of Article 3(1) with regard to the place in whichprocessing is carried out, or with regard to the location of the data subjects in question.

To makes things clearlier, EDPB gives some examples of the application of the establishment criterias.  Notably, an e-commerce website operated by a company based in China with processing activities exclusively carried out in China and with an established office in Berlin whose role is to lead and implement commercial prospection towards EU markets, will have to respect the GDPR because the activities of the European office in Berlin are inextricably linked to the processing of personal data carried out by the Chinese e-commerce website. 

            Establishment criterion in the Controller and Processor Relation

The EDPB also raises the question of the Establishment criterias regarding the processor/controller relation. The EDPB emphasises that it is important to consider the establishment of the controller and processor separately when determining whether each party is of itself ‘established in the Union’.

Let’s suppose a controller established in the EU instructs a processor not established in the Union. In that case where a controller subject to GDPR chooses to use a processor located outside the Union for a given processing activity, it will still be necessary for the controller to ensure by contract or another legal act that the processor processes the data in accordance with the GDPR.The processor located outside the Union will therefore become indirectly subject to some obligations imposed by controllers subject to the GDPR by virtue of contractual arrangements under Article 28. 

In the other way, the EDPB considers that the processing activities of the data controller would not fall under the territorial scope of the GDPR merely because it is processed on its behalf by a processor established in the Union. In fact, by instructing a processor in the Union, the controller not subject to GDPR is not carrying out processing “in the context of the activities of the processor in the Union” : the processor is merely providing a processing service which is not inextricably linked  to the activities of the controller. 

The EDPB also confirms that in the absence of an establishment in the Union, a controller or processor cannot benefit from the one-stop shop mechanism provided for in Article 56 of the GDPR. Indeed, the GDPR’s cooperation and consistency mechanism only applies to controllers and processors with an establishment, or establishments, within the European Union. 

Targeting Criterion  (Article 3(2))

Article 3(2) of the GDPR provides that “this Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”

In addition to being applicable only to processing by a controller or processor not established in the Union, the targeting criterion largely focuses on what the “processing activities” relate to,  which is to be considered on a case-by case basis. 

The EDPB therefore recommends to follow a twofold approach in order determine: 

  1. s to personal data of data subjects who are in the Union

The application of the targeting criterion is not limited by the citizenship, residence or other type of legal status of the data subject whose personal data are being processed (Recital 14 of the GDPR). 

The requirement that the data subject be located in the Union must be assessed at the moment when the relevant trigger activity takes place, i.e. at the moment of offering of goods or services or the moment when the behaviour is being monitored, regardless of the duration of the offer made or monitoring undertaken. 

Importantly, the EDPB considers that the provision is aimed at activities that intentionally, rather than inadvertently or incidentally, target individuals in the EU. Consequently, if the processing relates to a service that is only offered to individuals outside the EU but the service is not withdrawn when such individuals enter the EU, the related processing will not be subject to the GDPR. 

For example,  an Australian company offering a mobile news and video content service based preferences and interest  to users exclusively located in Australia, will not ne subject to the GDPR on the sole basis that  anAustralian subscriber can still use of the service when he travels to Germany. Although the Australian subscriber will be using the service while in the EU, the service is not ‘targeting’ individuals in the Union, but targets only individuals in Australia. 

  • s to the offering of goods or services or to the monitoring of data subjects’ behaviour in the Union

The fact of processing personal data of an individual in the Union alone is not sufficient to trigger the application of the GDPR to processing activities of a controller or processor not established in the Union. The element of « targeting » individuals in the EU must always be present in addition. The targeting car either take place: 

The EDPB considers that the intention of the processor or controller  to direct its offer of goods or services to a data subject located in the Union must be demonstrated. To do so, EDBP directly refers to recital 23 of the GDPR and to the ECJ Case law (in particular Pammer v Reederei Karl Schlüter GmbH & Co and Hotel Alpenhof v Hellerand enumerates a list of factors which, on a case by case analysis,  ascertain the controller’s intention. Notably, a combination of several of the following factors may demonstrate the required intention: 

– The EU or at least one Member State is designated by name with reference to the good or service offered; 

– The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union; or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience 

– The international nature of the activity at issue, such as certain tourist activities;

– The mention of dedicated addresses or phone numbers to be reached from an EU country; 

– The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”;

 – The description of travel instructions from one or more other EU Member States to the place where the service is provided; 

– The mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;

 – The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member states;

 – The data controller offers the delivery of goods in EU Member States.

EDPB however importantly recalls that that the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, the mention on the website of its e-mail or geographical address, or of its telephone number without an international code, will be insufficient to demonstrate the controller or processor’s intention to target customers in the UE. 

Again, EDPB provides some examples of the application of the Targeting criteria. Notably, while human resources management, including salary payment by a third-country company, cannot be considered as an offer of service within the meaning of 3(2) as the processing at stake does not relate to the offer of goods or services to data subjects in the Union,  the processing carried out by a Turkish website which offers services for the creation, editing, printing and shipping of personalised family photo albums,  available in English, French, Dutch and which accepts in Euros, falls under the scope of the GDPR.

The second targeting activity triggering the application of the GDPR under Article 3(2)(b) is monitoring of the behaviour of the data subjects.  The monitored behavior must first relate to a data subject in the Union and, as a cumulative criterion, the monitored behaviour must take place within the territory of the Union. 

As opposed to targeting through offer and services, it is not necessary to prove the controller’s intention to target in order to determine whether the monitoring activity triggers the application of the GDPR to the processing activities.  However, The EDPB does not consider that any online collection or analysis of personal data of individuals in the EU automatically counts as “monitoring”. 

To assess wheter the processing involves monitoring of a data subjecct behavior, The EDPB takes into account the wording of Recital 24 of the GDPR which indicates that the tracking of natural persons on the Internet, including the potential subsequent use of profiling techniques, is a key consideration. The EDPB even goes further than the Recital by considering that monitoring also relates to tracking through other types of network or technology involving personal data processing, for example wearable and other smart devices. 

The application of Article 3(2)(b) could therefore encompass a broad range of monitoring activities engaged by the controller or processor, including in particular: 

– Behavioural advertisement 

– Geo-localisation activities, in particular for marketing purposes 

– Online tracking through the use of cookies or other tracking techniques such as fingerprinting 

– Personalised diet and health analytics services online 

– CCTV

– Market surveys and other behavioural studies based on individual profiles 

– Monitoring or regular reporting on an individual’s health status

EDPB also raises another important point.  As The ‘Targeting’ character of a processing activity is linked to its purposes and means; a decision to target individuals in the Union can only be made by an entity acting as a controller. However, a processor may also actively take part in processing activities related to carrying out the targeting criteria (notably if the processor offers goods or services or carries out monitoring actions on behalf of, and on instruction from, the controller). According to EDPB, If there is a connection between the processing activities carried out by the processor and the targeting activity undertaken by a data controller, then the processor will fall under the GDPR, even if he is not established in the Union. 

A good example provided by the EDPB, would be the following:  A US company has developed a health and lifestyle app, allowing users to record with the US company their personal indicators (sleep time, weight, blood pressure, heartbeat, etc…), in order to provide them with daily recommendations. The processing is carried out by the US data controller, and the app is made available to individuals in the Union. The US company uses a cloud service provider processor established in the US for the purpose of data storage.   To the extent that the US company is monitoring the behaviour of individuals in the EU, in operating the health and lifestyle app it will be ‘targeting’ individuals in the EU. Therefore, its processing of the personal data of individuals in the EU will fall within the scope of the GDPR under Art 3(2).  In carrying out the processing on instructions from the US company, the cloud provider/processor is carrying out a processing activity ‘relating to’ the targeting of individuals in the EU by its controller. This processing activity by the processor on behalf of its controller will also fall within the scope of the GDPR under Art 3(2).

Article 3.3 

According to Article 3(3), the GDPR also applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.  Recital 25 in that respects refers to Member State’s diplomatic mission or consular post.

According to EDPB, A Member State’s diplomatic or consular post, as a data controller or processor, would then be subject to all relevant provisions of the GDPR, including when it comes to the rights of the data subject, the general obligations related to controller and processor and the transfers of personal data to third countries or international organisations.

The following examples clarifies the provision. 

-If the Dutch consulate in Kingston, Jamaica, opens an online application process for the recruitment of local staff in order to support its administration, the fact that it is a consular post of an EU country where Member State law applies by virtue of public international law renders the GDPR applicable to its processing of personal data, as per Article 3(3).µ

– A German cruise ship travelling in international waters is processing data of the guests on board for the purpose of tailoring the in-cruise entertainment offer. While the ship is located outside the Union, in international waters, the fact that it is German-registered cruise ship means that by virtue of public international law the GDPR will apply to its processing of personal data, as per Article 3(3).

  • of controllers or processors not established in the union

The Guidelines also adresses the European Representative which controllers or processors subject to the GDPR under Article 3(2) have to designate in order to comply with the Regulation, unless they meet the exemption criteria as per Article 27(2). The EDPB notably provides guidance on the designation process of the Reprentative, and recalls the following points: 

-The Representative shall be desginated by a written mandate which govern the relations and obligations between the representative in the Union and the data controller or processor established outside the Union (Recital 80). 

-The function can be exerciced by a wide range of commercial and non-commercial entities such as law firms, consultancies, private companies, etc… provided that such entities are established in the Union.

-The representative can exercices its function in the Union based on a service contract concluded with an individual or an organisation. 

-One representative can act on behalf of several non-EU controllers and processors. 

-The EDPB recommends that a single individual be assigned as a lead contact and person “in charge” for each controller or processor represented.

-The EDPB does not consider the function of representative in the Union as compatible with the role of an external data protection officer (“DPO”) established in the Union, as it would not guarantee the independancy and autonomy of the DPO. 

-The representative must be established in one of the Member States where the service offered is available.  The EDPB confirms that the criterion for the establishment of the representative in the Union is the location of data subjects whose personal data are being processed, and that the place of processing, even by a processor established in another Member State, is here not a relevant factor for determining the location of the establishment of the representative.

-The EDPB recalls that, in accordance with Articles 13(1)a and 14(1)a, controllers shall provide data subjects information on the identity of their representative in the Union. 

The EDPB also adresses the derogation from the mandatory designation of a representative in the Union, which apply in two distinct cases (Article 27(2)): 

  1.  processing activity is occasional and does not include on a large scale processing of datas refered in Article 9(1) and Article 10. 

According to EDPB, “occasional” means that the processing is not carried out regularly and occurs outside the regular course of business or activity of the controller or processor. Moreover, the following factors may be considered to determine wheter the processing is carried out “on a large scale”: 

– the number of data subjects concerned,  either as a specific number or as a proportion of the relevant population

– the proportion of the relevant population

-the volume of data and/or the range of different data items being processed; 

-the duration, or permanence, of the data processing activity;

-the geographical extent of the processing activity.

The EDPB makes sure to highlight that the exemption from the designation obligation refers to processing  “unlikely to result in a risk to the rights and freedoms of natural persons”, considering 

both the likelihood and severity of the risk (considérant 75). 

  •  processing is carried out “by a public authority or body”. 

The EDPB states that the qualification as a “public authority or body” for an entity established outside the Union needs to be assessed by supervisory authorities on a case by case basis. It also states that the application of this derogation is likely to be limited as, given the usual nature of their tasks and missions, cases where a public authority or body in a third country would be offering goods or services to data subject in the Union, or monitor their behaviour taking place within the Union, should be rare. 

The Guidelines also adresses the responsibilities of the representative in the Union as per Article 27. In fact, the representative in the Union acts on behalf of the controller or processor it represents with regard to the controller or processor’s obligations under the GDPR. 

Even if the representative is not responsible for complying with data subjects rights, it must facilitate the communication between data subjects and the controller or processor represented.

The reprensative shall also maintain a record of processing activities under the responsibility of the controller or processor, and keep up-to-date this record with the information the controller/processors outside the Union provides to him. It is its own responsibility to be able to provide it in line with Article 27, e.g. when being addressed by a supervisory authority according to Art. 27(4). 

The Representative should also cooperate with the competent supervisory authorities with regard to any action taken to ensure compliance with the GDPR, and shall be able to facilitate any communication between a requesting supervisory authority and a controller or processor established outside the Union. 

The EDBP recalls that the GDPR does not establish a substitutive liability of the representative in place of the controller or processor it represents in the UnionThe possibility to hold a representative directly liable is limited to its direct obligations referred to in articles 30 and article 58(1) a of the GDPR.  However, a supervisory authority may address corrective measures or administrative fines and penalties imposed on the controller or processor not established in the Union to the representative, in accordance with articles 58(2) and 83 of the GDPR.

The EDPB furthermore highlights that article 50 of the GDPR aims at facilitating the enforcement of legislation in relation to third countries and international organisation, and that the development of further international cooperation mechanisms in this regard is currently being considered.

Conclusion

Those Guidelines will definitely help data protection professionnals or even controllers and processors to assess whether they have to comply with the GDPR.  Throughout the whole Guidelines, the EDPB makes sure to underline that these statement are without prejudice to the application of national rules. EDPB also states that it will further assess the interplay between the application of the territorial scope of the GDPR as per Article 3 and the provisions on international data transfers as per Chapter V, and that additional guidance may be issued in this regard.