Privacy & Information Security Law Blog

At its 15th plenary meeting, the European Data Protection Board (“EDPB”) adopted the final guidelines on the territorial scope of the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”), taking into account the feedback it received during the public consultation of its draft guidelines published on November 23, 2018.

The Guidelines are designed to assist both companies and regulators in assessing whether certain data processing activities are within the scope of the GDPR.

The final version of the Guidelines includes some noteworthy changes to last year’s draft guidelines:

• The EDPB emphasizes that the application of the GDPR should be assessed per data processing activity. The fact that certain data processing activities of an organization fall within the scope of the GDPR does not necessarily mean that all the organization’s data processing activities are subject to the GDPR.
• Regarding the “establishment” criterion used in Article 3(1) of the GDPR, the Guidelines clarify that, although it is a broad concept, there are limitations to it. For example, a single employee in the EU may constitute an “establishment” in the sense of the GDPR, but the presence of an employee in the EU as such does not trigger the application of the GDPR. The GDPR only applies to data processing activities that are related to the activities of the EU-based employee and not to data processing activities that relate to the activities of a controller outside the EU. Furthermore, the mere fact that a non-EU entity has a website accessible to users in the EU is not sufficient to conclude that this entity is established in the EU.
• The final version of the Guidelines also includes important clarifications with respect to the extra-territorial application of the GDPR (i.e., to controllers and processors that are not established in the EU). The EDPB, for example, emphasizes that for data processing activities of a non-EU entity, in relation to offering goods or services in the EU, to become subject to the GDPR these should result from intentionally, rather than inadvertently or incidentally, targeting goods or services to individuals in the EU. On the other hand, data processing that relates to services or products targeted to individuals outside the EU, but that continues when such individuals enter the EU, will not necessarily be subject to the GDPR. Furthermore, a new section was added to the Guidelines that specifically addresses the application of the GDPR to data processors established outside the EU that carry out data processing activities on behalf of non-EU data controllers, which are subject to the GDPR based on Article 3(2). On this point, the EDPB takes the position that both the activities of the processor and the controller should be taken into account when assessing whether the data processing activities carried out by the processor also fall within the extra-territorial scope of the GDPR. This is a broad interpretation, which requires that non-EU processors carrying out data processing activities relating to the offering of goods or services to, or the monitoring of behavior of, individuals in the EU by a controller will be subject to the GDPR when carrying out these processing activities. Therefore, if the processor’s data processing activities are connected to the controller’s activities targeted to individuals in the EU, the processor’s data processing activities will be subject to the GDPR. The EDPB, for example, indicates that a U.S. cloud provider will be subject to the GDPR when it provides data storage services to a U.S. health and lifestyle app developer that monitors the behavior of app users in the EU. This is somewhat surprising given that the EDPB has taken a different view when it comes to the application of the establishment criterion under Article 3(1) of the GDPR to controllers and processors. In the latter case, the EDPB indicates in the Guidelines that the data processing by each entity must be considered separately and that the existence of a relationship between a controller and a processor does not necessarily trigger the application of the GDPR to both if one of these two entities is not established in the EU. Following the EDPB’s interpretation set out in the Guidelines, non-EU processors carrying out data processing activities subject to the GDPR on the basis of Article 3(2) because they relate to an offering of goods or services to, or monitoring behavior of individuals in the EU by a controller are directly subject to the GDPR. On the other hand, non-EU processors carrying out data processing activities subject to the GDPR, because they take place in the context of the activities of a controller’s establishment in the EU, only become indirectly subject to some obligations of the GDPR imposed by virtue of contractual arrangements under Article 28 and the provisions of Chapter V of the GDPR.
• The EDPB also added a specific section on the interaction between the territorial scope components of the GDPR and (1) other provisions of the GDPR, and (2) third country national laws to which non-EU entities falling within the extraterritorial scope of the GDPR are subject in their own country. With respect to the other provisions of the GDPR, the Guidelines unfortunately do not provide any further guidance on the interplay between the extraterritorial scope of the GDPR and the provisions of Chapter V of the GDPR on international data transfers. The EDPB indicated that it will assess this issue and may adopt further guidance if necessary. On the second point, the Guidelines clarify that non-EU entities, whose data processing activities fall both within the scope of the GDPR based on Article 3(2) and the national (data protection) laws of the third country where they are established, will need to comply with their obligations under both applicable legislative regimes.
• With respect to the role of the EU representative that companies not established in the EU are required to appoint under Article 27 of the GDPR, the final version of the Guidelines clarifies that one representative can be appointed for several data processing activities of a non-EU entity that fall within the scope of the GDPR. However, the EDPB states that the role of a non-EU controller’s or processor’s representative is not compatible with the duties and tasks of a data protection officer and those roles cannot be combined. With respect to the EU representative’s liability, the EDPB clarifies that the direct liability of the representative is limited to the latter’s direct obligations under the GDPR, such as the obligation to maintain a record of data processing activities under the responsibility of the controller or processor.