Our friends at Fieldfisher have published a clear explanation of the new draft Guidelines for Territorial Scope under GDPR.
Does the EDPB answer frequently asked questions on territorial scope?
The European Data Protection Board (EDPB, the successor to the Article 29 Working Party) has issued guidelines (for consultation) on one of the key foundation elements of the General Data Protection Regulation (GDPR); namely, Article 3 on territorial scope.
Article 3 is supposed to answer the important questions of when GDPR applies (depending on the location of an entity processing personal data, or of the individuals whose data is being processed). Unfortunately, Article 3 was drafted in a way that left many key concerns unanswered.
The Guidelines 3/2018 on the territorial scope of the GDPR adopted on 16 November 2018 (Guidelines) seek to answer some of those concerns.
The EDPB was somewhat delayed in issuing this much trumpeted document. It was supposedly agreed in principle (subject to legal checks) at its plenary meeting over three months ago. Perhaps those legal checks found some issues since it wasn't until the next plenary meeting (on 16 November) that the document was issued.
Thankfully, it was worth the wait – since there is some valuable guidance for those trying to navigate difficulties inherent in the drafting of Article 3.
Before turning to the Guidelines it is worth recapping Article 3. It is in two (main) parts:
Article 3(1) (the "establishment" criteria) provides that GDPR applies to processing "in the context of an establishment" of a controller or processor in the EU.
Article 3(2) (the "targeting" criteria) provides that GDPR applies to non-EU controllers or processors in two situations (i) those that offer goods or services to individuals in the EU ("targeting by selling") and (ii) those who monitor the behaviour of individuals in the EU ("targeting by monitoring").
We are an EU company, does GDPR apply to us?
Of course. Any entity incorporated or registered within the EU is of course "established" there.
My company is incorporated in, say, Mexico, but I have a branch or office in the EU - does GDPR apply?
Very likely, yes. Whilst "establishment" is not in fact defined, Recital 22 makes clear that
“[e]stablishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect"
The Guidelines reiterate this. What is important is that there is some permanent ("stable") presence, and a branch office of a non-EU company will generally fulfil this requirement. Indeed, the Guidelines suggest that a mere one person or agent may be enough to indicate such presence.
My company is a processor and incorporated in the EU, but all customers are non-EU entities – does GDPR apply?
According to the Guidelines, GDPR applies to the processor (subject to the data being processed "in the context" of the establishment) since the processor is indeed established in the EU. It is irrelevant that the controller is not in the EU for the purposes of the processor's compliance. However, using a processor in the EU does not, automatically, make the non-EU controller subject to GDPR. See below!
We are a controller, but not in the EU. However, we do have an EU sales affiliate, but that entity does not actually process personal data itself – so presumably we are both outside of scope?
Not necessarily. The Guidelines support and restate the decisions of the Court of Justice of the European Union that it is possible even for non-EU entities to be "established" in the EU.
The processing need not be by the entity which has an establishment in the EU (in this example, the EU sales affiliate); GDPR will apply to any entity involved if the processing is "in the context" of the establishment in the EU.
This is the same outcome as in the Google Spain case. All that is required is an "inextricable link" between the non-EU entity and the EU establishment. If that exists, then in effect the EU affiliate is also an establishment of the non-EU entity – and GDPR applies to the non-EU entity even if the EU affiliate plays no actual role in processing. The EDPB makes clear that the language in Article 3(1) must be understood in the context of that decision (and other decisions such as Weltimmo).
My company is established in the EU, but we only sell to individuals out of the EU – does GDPR apply?
Yes. The processing of the data about individuals is in the "context of the establishment" of your company, the controller, in the EU. The Guidelines reiterate that it is irrelevant that the data subjects are not in the EU. GDPR is in this respect "nationality blind".
The Guidelines give an example of a French company selling to individuals in North Africa – GDPR applies.
We are an EU company but outsource all our processing activities to entities outside of the EU
GDPR still applies. The processing remains in the context of the EU establishment. The location of the actual processing is irrelevant.
We are a processor outside of the EU, but our customers are within the EU
GDPR does not directly apply to the processor. This is a situation where it had been possible to read Article 3(1) as extending GDPR to the non-EU entity only because it services EU controllers. The Guidelines helpfully end this line of interpretation.
Whilst GDPR does not directly apply to the processor, the Guidelines emphasise the indirect application through Article 28. The controller within the EU is obliged to ensure (under Article 28) that certain data protection obligations are accepted by the processor under contract.
We are a controller outside of the EU, but we are using an EU processor
GDPR does not apply to the controller simply because it chooses to use a processor in the Union.
This is also helpful from EDPB as, again, it is possible to read Article 3(1) more widely (that the processor being within the EU was sufficient to make the controller subject to GDPR).
The Guidelines clarify that such a controller is outside of scope of GDPR on the "establishment" criteria (but of course if EU citizens' data is processed then Article 3(2) might apply). The EU processor, however, will be subject to the GDPR (see above).
We are that EU processor (our customer is outside the EU), do we have to comply with all parts of GDPR?
There was a worry that if the customer was not subject to GDPR, that the processor might be responsible for such things as ensuring a legal basis and other controller responsibilities (since no other entity was within the EU).
The Guidelines (again) helpfully make clear that the processor only has to comply with processor obligations.
We are NOT an EU company, so GDPR does not apply to us
No. If you are established outside the EU, you may still be caught by the GDPR under article 3(2). Keep reading.
We are outside the EU and selling goods and services into the EU
Yes, clearly, under Article 3(2) it is enough for you to be targeting your goods or services in the EU (see further below on "targeting").
But our services are only targeted to non-EU nationals (the diaspora of our country)
Again, GDPR is nationality blind. The Guidelines make clear that presence in the EU is enough.
OK, but we are only providing our service to US tourists whilst on vacation in the EU
This depends on whether there is targeting towards those individuals whilst in the EU or if the fact that they are within the EU is only incidental. If the key feature is to provide the service to individuals because they are within the EU, then GDPR will apply and the fact that they are only there temporarily is irrelevant.
But if the tourists just happen, say, to read a US news website whilst in the EU, that will not make that site subject to GDPR. This is in fact an example given by the EDPB and perhaps inspired to prevent some well publicised US news companies from geo-blocking EU visitors because of GDPR (see a BBC news story here).
We provide our online services from outside the EU to individuals within the EU but do not charge for them
The Guidelines reiterate that the fact that a service is free is irrelevant. GDPR will still apply if services are targeted to them.
OK, then what is meant by "targeting"?...
Read The Full Article