With the Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) from 12 November 2019, the EDPB gave a final statement on how and when the GDPR applies to territories outside of the European Union. The key changes are based on the principle that it’s the particular processing activity that falls within the scope of the GDPR, rather than the person (legal or natural). The EDPB stresses that a controller or processor may be subject to the GDPR concerning some of its processing activities but not subject to the GDPR in relation to other processing activities.
Main criteria for extraterritorial application
Article 3 of the GDPR defines the territorial scope of the Regulation based on two main criteria: the “establishment” of the data processor or controller – Article 3(1), and the “targeting” of EU data subjects – Article 3(2). GDPR will apply if either of them is met.
1. Establishment
Although the GDPR provides no legal definition, "establishment" implies the effective and real exercise of activities by the person collecting and/or processing personal data. These activities should be based on stable arrangements in a Member State. Depending on the degree of stability, in some cases the presence of a single employee or agent of a non-EU data controller or processor may be enough to bind the latter to compliance with the GDPR.
Example: A company with headquarters in the US also operates on the EU market through a branch office in a Member State that manages all its operations in Europe, including marketing and advertising. This branch can be considered a stable arrangement exercising real and effective economic activities, and therefore an EU establishment.
The EDPB notably deems that if a non-EU entity uses the services of a processor established in the EU, the European company should not be considered an EU establishment of that entity merely by virtue of its status as a processor. If a US business, for example, uses a French data processor, that would not automatically make the French company an agent or employee established in a Member State in the light of Article 3(1).
Establishment, however, is not the only determining factor for the application of the GDPR. The context of the activities in which the personal data are processed and/or stored should also be considered. If a controller processes personal data for activities outside of the EU, the mere presence of an employee in a Member State will not result in that processing falling within the scope of the GDPR. A context assessment should be made on a case-by-case basis to find out whether:
- There is an inextricable link between the processing of personal data carried out by a non-EU controller or processor and the activities of the EU establishment.
- There is revenue-raising in the EU by a local establishment, to the extent that such activities can be considered inextricably linked to the processing of personal data taking place outside the EU and concerning individuals in the EU.
Example: A shopping website operated by a US company that processes personal data exclusively in the US has established an office for marketing purposes in the EU. This company will fall under the scope of the GDPR because the EU office effectively serves to generate income and value. The processing in the US and the marketing office in the EU are inextricably linked. The processing, even though carried out in the US, will be subject to the provisions of the GDPR as per Article 3(1).
2. Targeting
When determining whether a controller or processor established in a non-EU country can trigger the application of the “targeting criterion”, the following two characteristics of the processing should be assessed:
1. Whether the processing relates to personal data of data subjects in the EU – the determining factor is the location of the data subjects rather than their citizenship, residence or other type of legal status.
Example: A start-up established in the USA, without any business presence in the EU, provides a city-mapping application for tourists. Once tourists start using the application, it processes their location data in order to offer targeted advertisement for places to visit, restaurants, bars and hotels. The application is available for New York, San Francisco, Toronto, Paris and Rome.
2. Whether the processing relates to any of the following activities:
- offering of goods or services to data subjects in the Union. The targeting criterion applies irrespective of whether a payment by the data subject is required. The controller should demonstrate an intention to offer the goods or services to EU citizens; the mere accessibility of the website in the Union would be insufficient to ascertain such intention.
Example: A website, based and managed in Turkey, offers services for the creation, editing, printing and shipping of personalized family photo albums. The website is available in English, French, Dutch and German, and payments can be made in Euros. The website indicates that photo albums can only be delivered by post in France, the Benelux countries and Germany. In this case, the website would be considered to offer services to individuals in the Union.
- monitoring of data subjects' behavior in the EU. The EDPB does not consider that any online collection or analysis of personal data of individuals in the EU automatically counts as "monitoring". It is necessary to consider the controller's purpose for the processing and the use of any subsequent behavioral analysis or profiling techniques.
Example: A consultancy company established in the US provides advice on a retail layout to a shopping center in France, based on an analysis of customers’ movements throughout the center collected through Wi-Fi tracking. This analysis will amount to the monitoring of individuals’ behavior and as the data subjects’ behavior takes place in the Union, the consultancy company will be subject to the GDPR.
Territories where Member State law applies by virtue of public international law
According to Article 3(3), GDPR “applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law”. The EDPB considers that by virtue of Article 3(3) the GDPR applies to data processing carried out by EU Member States’ embassies and consulates located outside the EU.
Example: The Dutch consulate in the US opens an online application process for the recruitment of local staff in order to support its administration. While the Dutch consulate is not established in the Union, the fact that it is a consular post of an EU country where Member State law applies by virtue of public international law renders the GDPR applicable to its processing of personal data.
Representation of controllers or processors not established in the EU
A controller or processor not established in the EU but subject to the GDPR under the scope of Article 3(2) is under the obligation to designate a representative in the Union. In its Guidelines, the EDPB provides guidance on the designation process, establishment obligations and responsibilities of the representative in the Union as per Article 27 of the GDPR.
Designation:
This function can be exercised on the basis of a service contract concluded with an individual or an organization and can be assumed by a wide range of EU-based commercial and non-commercial entities, such as law firms, consultancies, private companies, etc. One representative can also act on behalf of several non-EU controllers and processors.
- The EDPB does not consider the function of representative in the Union as compatible with the role of an external data protection officer (“DPO”) established in the EU.
- The EDPB confirms that the criterion for the establishment of the representative in the Union is the location of data subjects whose personal data are being processed. The place of processing here is not a relevant factor.
Example: An Indian pharmaceutical company, with neither business presence nor establishment in the Union and subject to the GDPR as per Article 3(2), sponsors clinical trials carried out by hospitals in Belgium, Luxembourg and the Netherlands. The majority of patients participating in the clinical trials are situated in Belgium. The company should therefore designate a representative in Belgium.
Exemptions from the designation obligation:
A representative need not be appointed in two cases: (1) the processing is carried out by a public authority or body; (2) the processing is occasional, does not include large-scale processing of special categories of data and is unlikely to result in a high risk to the rights and freedoms of data subjects.
- A processing activity is “occasional” if it is not carried out regularly and occurs outside the regular course of business or activity of the controller or processor.
- The following factors should be considered when determining whether the processing is carried out on a large scale: the number of data subjects concerned, either as a specific number or as a proportion of the relevant population; the volume of data and/or the range of different data items being processed; the duration, or permanence, of the data processing activity; the geographical extent of the processing activity.
Obligations and responsibilities of the representative:
- facilitate the communication between data subjects and the controller or processor represented, in order to make the exercise of their rights effective;
- cooperate with the competent supervisory authorities (in their language);
- maintain and update a record of processing activities under the responsibility of the controller or processor.
Extraterritorial application of GDPR