Does the EDPB answer frequently asked questions on territorial scope?
The European Data Protection Board (EDPB, the successor to the Article 29 Working Party) has issued guidelines (for consultation) on one of the key foundation elements of the General Data Protection Regulation (GDPR); namely, Article 3 on territorial scope.
Article 3 is supposed to answer the important questions of when GDPR applies (depending on the location of an entity processing personal data, or of the individuals whose data is being processed). Unfortunately, Article 3 was drafted in a way that left many key concerns unanswered.
The Guidelines 3/2018 on the territorial scope of the GDPR adopted on 16 November 2018 (Guidelines) seek to answer some of those concerns.
The EDPB was somewhat delayed in issuing this much trumpeted document. It was supposedly agreed in principle (subject to legal checks) at its plenary meeting over three months ago. Perhaps those legal checks found some issues since it wasn't until the next plenary meeting (on 16 November) that the document was issued.
Thankfully, it was worth the wait – since there is some valuable guidance for those trying to navigate difficulties inherent in the drafting of Article 3.
Before turning to the Guidelines it is worth recapping Article 3. It is in two (main) parts:
Article 3(1) (the "establishment" criteria) provides that GDPR applies to processing "in the context of an establishment" of a controller or processor in the EU.
Article 3(2) (the "targeting" criteria) provides that GDPR applies to non-EU controllers or processors in two situations (i) those that offer goods or services to individuals in the EU ("targeting by selling") and (ii) those who monitor the behaviour of individuals in the EU ("targeting by monitoring").
We are an EU company, does GDPR apply to us?
Of course. Any entity incorporated or registered within the EU is of course "established" there.
My company is incorporated in, say, Mexico, but I have a branch or office in the EU - does GDPR apply?
Very likely, yes. Whilst "establishment" is not in fact defined, Recital 22 makes clear that
“[e]stablishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect"
The Guidelines reiterate this. What is important is that there is some permanent ("stable") presence, and a branch office of a non-EU company will generally fulfil this requirement. Indeed, the Guidelines suggest that a mere one person or agent may be enough to indicate such presence.
My company is a processor and incorporated in the EU, but all customers are non-EU entities – does GDPR apply?
According to the Guidelines, GDPR applies to the processor (subject to the data being processed "in the context" of the establishment) since the processor is indeed established in the EU. It is irrelevant that the controller is not in the EU for the purposes of the processor's compliance. However, using a processor in the EU does not, automatically, make the non-EU controller subject to GDPR. See below!
We are a controller, but not in the EU. However, we do have an EU sales affiliate, but that entity does not actually process personal data itself – so presumably we are both outside of scope?
Not necessarily. The Guidelines support and restate the decisions of the Court of Justice of the European Union that it is possible even for non-EU entities to be "established" in the EU.
The processing need not be by the entity which has an establishment in the EU (in this example, the EU sales affiliate); GDPR will apply to any entity involved if the processing is "in the context" of the establishment in the EU.
This is the same outcome as in the Google Spain case. All that is required is an "inextricable link" between the non-EU entity and the EU establishment. If that exists, then in effect the EU affiliate is also an establishment of the non-EU entity – and GDPR applies to the non-EU entity even if the EU affiliate plays no actual role in processing. The EDPB makes clear that the language in Article 3(1) must be understood in the context of that decision (and other decisions such as Weltimmo).
My company is established in the EU, but we only sell to individuals out of the EU – does GDPR apply?
Yes. The processing of the data about individuals is in the "context of the establishment" of your company, the controller, in the EU. The Guidelines reiterate that it is irrelevant that the data subjects are not in the EU. GDPR is in this respect "nationality blind".
The Guidelines give an example of a French company selling to individuals in North Africa – GDPR applies.
We are an EU company but outsource all our processing activities to entities outside of the EU
GDPR still applies. The processing remains in the context of the EU establishment. The location of the actual processing is irrelevant.
We are a processor outside of the EU, but our customers are within the EU
GDPR does not directly apply to the processor. This is a situation where it had been possible to read Article 3(1) as extending GDPR to the non-EU entity only because it services EU controllers. The Guidelines helpfully end this line of interpretation.
Whilst GDPR does not directly apply to the processor, the Guidelines emphasise the indirect application through Article 28. The controller within the EU is obliged to ensure (under Article 28) that certain data protection obligations are accepted by the processor under contract.
We are a controller outside of the EU, but we are using an EU processor
GDPR does not apply to the controller simply because it chooses to use a processor in the Union.
This is also helpful from EDPB as, again, it is possible to read Article 3(1) more widely (that the processor being within the EU was sufficient to make the controller subject to GDPR).
The Guidelines clarify that such a controller is outside of scope of GDPR on the "establishment" criteria (but of course if EU citizens' data is processed then Article 3(2) might apply). The EU processor, however, will be subject to the GDPR (see above).
We are that EU processor (our customer is outside the EU), do we have to comply with all parts of GDPR?
There was a worry that if the customer was not subject to GDPR, that the processor might be responsible for such things as ensuring a legal basis and other controller responsibilities (since no other entity was within the EU).
The Guidelines (again) helpfully make clear that the processor only has to comply with processor obligations.
We are NOT an EU company, so GDPR does not apply to us
No. If you are established outside the EU, you may still be caught by the GDPR under article 3(2). Keep reading.
We are outside the EU and selling goods and services into the EU
Yes, clearly, under Article 3(2) it is enough for you to be targeting your goods or services in the EU (see further below on "targeting").
But our services are only targeted to non-EU nationals (the diaspora of our country)
Again, GDPR is nationality blind. The Guidelines make clear that presence in the EU is enough.
OK, but we are only providing our service to US tourists whilst on vacation in the EU
This depends on whether there is targeting towards those individuals whilst in the EU or if the fact that they are within the EU is only incidental. If the key feature is to provide the service to individuals because they are within the EU, then GDPR will apply and the fact that they are only there temporarily is irrelevant.
But if the tourists just happen, say, to read a US news website whilst in the EU, that will not make that site subject to GDPR. This is in fact an example given by the EDPB and perhaps inspired to prevent some well publicised US news companies from geo-blocking EU visitors because of GDPR (see a BBC news story here).
We provide our online services from outside the EU to individuals within the EU but do not charge for them
The Guidelines reiterate that the fact that a service is free is irrelevant. GDPR will still apply if services are targeted to them.
OK, then what is meant by "targeting"?
Under GDPR there does need to be "targeting" of individuals within the EU. The Guidelines helpfully set out some criteria in order to decide whether this test is fulfilled including:
The European country is expressly mentioned.
Search engine optimisation techniques are used to find individuals within the EU.
EU telephone numbers are available.
The use of a European domains (such as .de, .fr or .eu and (for the time being at least) .co.uk – see our Brexit blog).
EU currencies or languages are used.
Delivery into the EU is publicised/offered.
The EDPB makes clear that it is generally a combination of these elements being present that points towards "targeting" in the EU; each situation should be analysed on a case by case basis.
What about targeting by monitoring? Our company does track individuals through the internet and some of those individuals are within the EU.
The EDPB makes clear, as with targeting by selling, that the second part of the targeting criteria (monitoring) does not get triggered just because a few individuals may be monitored. The Guidelines state that “monitoring” implies that the controller has to have a specific purpose in mind and that has to relate to data about an individual’s behaviour "within the EU".
If you are not purposefully monitoring individuals' "within the EU" behaviour, and analysing it, then (according to these Guidelines) GDPR will not apply.
We collect data from individuals within the EU - is that enough to make GDPR apply?
The EDPB does not consider that any online collection of personal data of individuals in the EU would automatically count as “monitoring”. More information is needed and consideration given to the purpose for the data collection. Is there any subsequent behavioural analysis or profiling? If so, then GDPR may well apply.
But if not, at least on this limb (there might still be targeting by selling), then perhaps GDPR will not apply.
Yes, if the individuals are within the EU and you are profiling or undertaking some analysis on the basis of cookies (or similar technologies) then that is an example of what would constitute monitoring.
My company is outside the EU, do we need to appoint a representative?
Yes, in circumstances where a non-EU entity is subject to GDPR then a representative needs to be appointed within the EU. GDPR sets up this scheme so that there is someone (or entity) within the EU to whom they can address issues and indeed sanction.
Can the representative be liable?
There was a little doubt, but the Guidelines clearly stipulate the DPAs' view that they can take enforcement actions against the representative, in the same way as they would against the controller or processor. A representative could be fined by local data protection authorities.
OK, then. We have a GDPR data protection officer – and assume that they can be our representative.
Unfortunately, not. The Guidelines specify that the role of DPO and local representative are incompatible; amongst other things the EDPB explain that a conflict will arise merely as a result of the possible liability of the representative.
There remain some unanswered questions and no doubt there will be specific situations where it will be hard to apply the Guidelines, but this is guidance that shows the EDPB to have engaged with real issues of concern under GDPR and to have done so in a pragmatic way.
It is still under consultation. So if there are any issues that you feel should be addressed feel free to let us know or to feed through directly to the EDPB.