European Data Protection Board ("EDPB") publishes draft guidelines on the territorial scope of the GDPR

On 23 November 2018, the EDPB published draft guidelines on the territorial scope of the GDPR. The draft guidelines were open for public consultation and feedback until 18 January 2019 and are available on the EDPB's website.

In adopting guidelines on the territorial scope of the GDPR, the EDPB’s stated intention is to seek to ensure a consistent application of the GDPR by providing clarity regarding the assessment of whether particular processing by a controller or processor falls within the scope of the GDPR.

In the draft guidelines, the EDPB sets out its recommended framework for the analysis under Article 3 of the GDPR. Article 3 defines the territorial scope of the GDPR on the basis of two main criteria: 1) the ‘establishment’ criterion pursuant to Article 3(1); and 2) the ‘targeting’ criterion pursuant to Article 3(2). We have summarised below the EDPB’s suggested framework for the analysis under these criteria. The EDPB has commented in its draft guidelines that each scenario will need to be assessed on the basis of the framework, on its own merits, taking into account the specific facts of the case and the relevant case law.

  1. Application of the ‘establishment’ criterion under Article 3(1)

Article 3(1) provides that the GDPR applies to “the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”.

In its draft guidelines, the EDPB recommends a threefold approach in determining whether or not the processing of personal data falls within the scope of the GDPR pursuant to Article 3(1), as set out below:

(a) Consideration 1: “An establishment in the Union”: The first step in the analysis is to consider whether a controller or processor has an establishment in the EU. The GDPR does not provide a definition of ‘establishment’ for the purpose of Article 3; however, the recitals clarify that establishment “implies the effective and real exercise of activities through stable arrangements.” The concept of establishment has been interpreted widely in the case law, and the absence of a branch or subsidiary within the EU will not preclude an organisation from having an establishment in the EU.

(b) Consideration 2: Processing of personal data carried out “in the context of the activities” of an establishment: The second step is to then consider whether the processing is carried out in the context of the activities of the establishment. Note that it is not necessary for the processing to be carried out by the relevant EU establishment itself.

(c) Consideration 3: Application of the GDPR to the establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not: The EDPB clarifies that the place of processing is not relevant for the analysis under Article 3(1). The EDPB considers that any personal data processing in the context of the activities of an establishment of a controller or processor in the EU would fall within the scope of the GDPR, regardless of the location or nationality of the data subject whose personal data are being processed.

  2. Application of the ‘targeting’ criterion under Article 3(2)

Article 3(2) of the GDPR sets out the circumstances in which the GDPR applies to a controller or processor not established in the Union, depending on their processing activities. Article 3(2) provides that the GDPR applies to “the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”

In its draft guidelines, the EDPB recommends a twofold approach: first, determine whether the processing relates to personal data of data subjects who are in the Union; and second, determine whether it relates to the offering of goods or services to, or the monitoring of the behaviour of, data subjects in the Union:

(a) Consideration 1: Data subjects in the Union: The EDPB clarifies in its guidance that the application of the targeting criterion is not limited by the citizenship, residence or other type of legal status of the data subject whose personal data are being processed.

The EDPB emphasises that the fact of processing personal data of an individual in the Union alone is not sufficient to trigger the application of the GDPR to processing activities of a controller or processor not established in the Union. The element of ‘targeting’ individuals in the EU either by offering goods or services to them (see consideration 2a below) or by monitoring their behaviour (see consideration 2b below) must also be present.

(b) Consideration 2a: Offering of goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the Union: A key element of the assessment under this limb is whether the offer of goods or services is directed at a data subject located in the EU. Relevant factors may include the use of a language or a currency used in one or more Member States, the possibility of ordering in such language, the provision of delivery of goods in EU Member States, and the use of a top-level domain name such as “.eu”. This is not an exhaustive list of factors that may be relevant. The EDPB comments that the concept of ‘offering of goods or services’ has been considered in a number of cases, and such case law must be taken into account in making the assessment.

(c) Consideration 2b: Monitoring of data subjects’ behaviour: Under this limb, the behaviour monitored must relate to a data subject in the EU, and the monitored behaviour itself must also take place within the EU. The EDPB considers that a broad range of monitoring activities could be relevant, including but not limited to behavioural advertisement, geo-localisation activities for marketing purposes, online tracking, personalised diet and health analytics services online, CCTV, market surveys and other behavioural studies based on individual profiles, and monitoring or regular reporting on an individual’s health status.

Whilst the EDPB’s draft guidelines provide a helpful framework for analysis, any assessment will still need to be carried out on a case-by-case basis with reference to the relevant case law. We also note that at this stage these are draft guidelines only and organisations will need to wait for the final version to be adopted.