European Data Protection Board (“EDPB”) published on 16 November 2018 the long-awaited Guidelines 3/2018 on the territorial scope of the General Data Protection Regulation (“GDPR”). As those with even a cursory interest in the matter knew, a company not established in the EU can still be within the reach of GDPR’s strict rules. But exactly when that is the case was not entirely clear from GDPR’s provisions and recitals. With these guidelines EDPB aims to clarify the criteria for determining the territorial scope of GDPR.
Processing in the context of the activities of an EU establishment
A non-EU entity – data controller or data processor – will be within the scope of GDPR, according to Article 3(1), if the processing of personal data is performed in the context of the activities of an establishment of that controller or processor in the EU, regardless of whether the processing takes place in the EU.
Non-EU entity may be established in the EU without having a subsidiary or branch there
In explaining whether a controller or processor is “established in the EU”, EDPB broke no new ground. The Board first quoted recital 22 of the GDPR which states that “[e]stablishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect”. EDPB then invoked the Court of Justice of European Union (“CJEU”) Weltimmo v NAIH judgment (2015), in which the court ruled that that the concept of “establishment” extends to any real and effective activity — even a minimal one — exercised through stable arrangements. EDPB concludes that even the presence “of one single employee or agent of the non-EU entity may be sufficient to constitute a stable arrangement if that employee or agent acts with a sufficient degree of stability”.
Activities of a non-EU company and its EU establishment must be inextricably linked for GDPR to apply
EDPB then moved to analysing when processing activities of the controller or processor are carried out “in the context of the activities” of the establishment in the Union. Here, the Board for the most part repeated what the CJEU said in the Google Spain case (2014). EU law (now: GDPR) applies even if the establishment in the EU does not take any role in the data processing (only the controller or processor established outside the EU do) but an “inextricable link” exists between the local establishment in the EU and the data processing activities of the controller, i.e. the processor. In order to asses this requirement, the non-EU entity should first determine whether there is a link between data processing carried out by that non-EU company and the activities of the establishment. If yes, the company should try to assess whether the link is close. The link is close if marketing activities or other activities of the establishment in the EU serve to make profitable the controller’s service which includes the processing of personal data.
Targeting of data subjects in the EU
Article 3(2) stipulates that GDPR “applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.”
This provision refers to data subjects who are “in the EU”, not EU citizens or residents. Recital 14 confirms this by stating that: “protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence…”. EDPB says that geographic location of a data subject, as a deciding factor, should be assessed in the moment when the controller, i.e. processor, offers goods/services, or monitors the behaviour of the data subject.
Multiple factors to consider when assessing whether goods (or services) are offered in the EU
In order to explain the meaning of “offering goods or services” in the EU, EPDB invoked the decision of the CJEU in the joined cases Pammer v Reederei and Hotel Alpenhof v Heller (2010) interpreting the concept of “directing of activities” to a member state. While the notions of “directing activities” and “offering goods or services” are not identical, the EDPB considered the criteria developed in the “directing of activities” cases helpful when considering whether a controller or processor offers goods or services to data subjects in the Union. The following factors, elucidated by the CJEU, should be taken into account:
- The EU or at least one member state is designated by name with reference to the goods or service offered;
- The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union; or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience;
- The international nature of the activity at issue, such as certain tourist activities;
- The mention of dedicated addresses or phone numbers in the third country, to be reached from an EU country;
- The use of a EU member state’s top-level domain name, for example “.de”, or the use of neutral top-level domain names such as “.eu”;
- The description of travel instructions from one or more other EU member states to the place where the service is provided;
- The mention of an international clientele composed of customers domiciled in various EU member states, in particular by presentation of accounts written by such customers;
- The use of a language or currency of one or more EU member states;
- The data controller offers the delivery of goods in EU member states.
Monitoring implies an intention to target data subjects and reuse collected data
When it comes to the monitoring of data subjects’ behaviour, the monitoring must relate to data subjects in the EU and the behaviour must take place within the EU. EDPB considers that the word “monitoring” implies that the controller has an intention to target, i.e. intention to reuse the data later on for a specific purpose. In the absence of such intention, no monitoring exists even if data is collected over certain period of time. If the controller or processor after the collection of data employs behavioural analysis or profiling technique, it is likely that the collection or analysis of personal data of individuals falls within the scope of GDPR. The monitoring activities within the scope of Article 3(2) would especially include the following:
- behavioural advertisement;
- geo-localisation activities, in particular for marketing purposes;
- personalised diet and health analytics services online;
- closed circuit television (CCTV);
- market surveys and other behavioural studies based on individual profiles; and
- monitoring or regular reporting on an individual’s health status.
Designation of representative
According to Article 27, a non-EU entity falling within the scope of GDPR must designate a representative in EU. A representative can be a natural or legal person, established in the EU and able to represent the company with regard to its GDPR obligations. If the company designates an organisation as a representative, an individual within the organisation should be assigned as a lead contact. In accordance with Article 13(1) and 14(1) of the Regulation, data controllers should provide information on identity of their representative to data subjects.
The controller is not obliged to designate a representative if all of these conditions are met: processing is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and it is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.
If data subjects are located in more than one country, the controller should establish a representative in the country where the majority of data subjects are located. Representative’s tasks are to facilitate communication between data subjects and the controller (Articles 13 and 14), keep record of processing activities (Article 30), and cooperate with supervisory authorities (Recital 80). An important clarification by the EDPB is that the enforcement actions against representatives, including the imposition of administrative fines and penalties, can be initiated in the same manner as against data controllers or processors. As EDPB put it in the conclusion of the Guidelines, “this includes the possibility to impose administrative fines and penalties, and to hold representatives liable”.