New EU Guidelines on the Extraterritorial Scope of the GDPR

The European Data Protection Board (“EDPB”) has published the final version of its Guidelines 3/2018 (“Guidelines”) on the territorial application of the EU General Data Protection Regulation (“GDPR”). This new version is the result of the feedback and contributions received by the EDPB after the Guidelines were put out for public consultation. The Guidelines elaborate on the application of the GDPR for companies, both within and outside the European Union (“EU”).

Firstly, the GDPR defines its territorial scope in Article 3 as follows:

1.   This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not.

2.   This Regulation applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or

(b) the monitoring of their behavior as far as their behavior takes place within the EU.

3.   This Regulation applies to the processing of personal data by a controller not established in the EU, but in a place where Member State law applies by virtue of public international law.

As a consequence, it is paramount for controllers (the one who determines the purposes and means of the processing) and processors (the one who processes personal data on behalf of the controller) to undertake a careful case-by-case assessment of their processing activities. In particular for  companies offering goods or services at international level  to determine whether the related processing of personal data falls within the scope of the GDPR.

The territorial scope of the GDPR is made on the basis of three criteria: (i) the establishment criterion (Article 3.1), (ii) the targeting criterion (Article 3.2), and (iii) public international law criterion (Article 3.3).

In a nutshell, the three criteria can be summarized as follows:

• Establishment Criterion. The application of this criterion should be done, firstly, by identifying which is the company/ies that play the role of controller or processor for the processing activity that requires to be analyzed. Secondly, the company should assess whether there is an establishment within the EU, meaning if there is effective and real exercise of activities through a stable arrangement, and if the processing of personal data is done in the context of the activities of such establishment in the EU. It is important to note that this analysis is done regardless of where the personal data is actually processed or even of the location or nationality of the data subject.

 

• Targeting Criterion. This scenario is triggered by processing activities carried out by a company not established in the EU which relate to two distinct and alternative types of activities: (a) either offering goods/services to data subjects in EU, or (b) monitoring the behavior of the data subjects – as long as that behavior takes place within the EU. It is important to note that the monitoring of the data subjects can entail activities from behavioral advertising to online tracking (cookies) or market surveys. The targeting criterion largely focuses on what the processing activities are related to, which also has to be considered on a case-by-case basis.

If a company, after assessing its activities, concludes that it falls under this criterion, then it has the obligation to name a representative within the EU. 

                   

• Public International Law Criterion. This condition applies, for instance, to personal data processing carried out by EU Member States´ embassies and consulates located outside the EU, to whom the GDPR would apply.

 

The application of the GDPR should be studied on a case-by-case basis, meaning that the same company can be under GDPR for a portion, and not the totality, of their data processing activities. Finally, the EDPB asserts that where the processing of personal data falls within the territorial scope of the GDPR, all provisions of the GDPR apply to such processing.