
Regulation (EU) 2016/679, the General Data Protection Regulation (hereinafter the “Regulation” or “GDPR”), was adopted on 27 April 2016 and has applied since 25 May 2018.
Article 3 of the Regulation sets out two main criteria for its territorial scope: the “establishment criterion” and the “targeting criterion”.
The Regulation applies to organizations that have an “establishment” in the EU where personal data is processed “in the context of the activities” of that establishment, regardless of whether the processing itself takes place in the EU. Establishment implies the effective and real exercise of activity through “stable arrangements”, whatever the legal form, whether a branch or a subsidiary with legal personality.[1]
The Regulation also applies to organizations not established in the EU if they process personal data of data subjects (natural persons) who are in the EU, where the processing relates to:
1) offering goods or services to such data subjects, irrespective of whether payment is required; for this it is not enough that the organization's website is accessible from the EU, it must be apparent that the organization “envisages” directing its activities at data subjects in the EU;
2) monitoring the behavior of such data subjects, as far as that behavior takes place in the EU, i.e. tracking individuals online to build profiles, including where the profile is used to take decisions concerning them or to analyze or predict their personal preferences, behavior and attitudes.
In practice, however, many questions arise about the applicability of the Regulation to the processing of personal data by organizations located both inside and outside the EU.
On 16 November 2018, the European Data Protection Board (EDPB) adopted Guidelines 3/2018 on the territorial application of the GDPR (Article 3).
The Guidelines clarify the territorial scope of the Regulation in a range of scenarios, depending on the type of processing activity, the organization carrying it out and where that organization is located. At the same time, the Guidelines stress that controllers and processors, particularly those offering goods and services internationally, must carefully review their specific processing activities to determine whether they fall within the scope of the Regulation.
1. Establishment criterion
The EDPB recommends a three-step approach to determine whether the processing of personal data falls within the scope of the Regulation under Article 3(1).
a) “Establishment in the EU”
It is first necessary to identify who is the controller or the processor for the processing in question.
“Controller” for the purposes of the Regulation means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
To determine whether an entity not established in the EU nonetheless has an establishment in a Member State, both the degree of stability of the arrangements and the effective exercise of activities in that Member State must be considered in light of the specific nature of the economic activities and the services concerned.
This is particularly relevant for businesses offering services exclusively online, for which the threshold for “stable arrangements” may in practice be quite low; in some cases the presence of a single employee or agent of a non-EU entity may be enough to constitute stable arrangements, provided that employee or agent acts with a sufficient degree of stability.
For example, a car manufacturer headquartered in the United States has a branch and office in Brussels that oversees all of its European operations, including marketing and advertising. The Belgian branch can be considered a stable arrangement carrying out real and effective activities in light of the nature of the company's economic activity as a car manufacturer.
b) Processing of personal data “in the context of the activities” of the establishment
The EDPB considers that, for the purposes of Article 3(1), the phrase “processing in the context of the activities of an establishment of the controller or processor” should be understood in light of the relevant CJEU case law. On the one hand, to achieve the goal of effective and complete protection of data subjects' rights, “in the context of the activities of an establishment” cannot be interpreted restrictively. On the other hand, it should not be interpreted so broadly that any presence in the EU with even the remotest link to the processing activities of a non-EU entity would be enough to bring that processing within the scope of the Regulation.
i. Relationship between a non-EU controller or processor and an EU establishment
If a case-by-case analysis shows an inextricable link between the activities of an EU establishment and the processing carried out by a non-EU controller, EU law applies to that processing, whether or not the EU establishment itself plays a role in the processing.
ii. Revenue-raising in the EU
Revenue-raising in the EU by a local establishment, to the extent that such activities can be considered “inextricably linked” to the processing of personal data taking place outside the EU and to individuals in the EU, may indicate that processing by a non-EU controller or processor is carried out “in the context of the activities of the EU establishment” and may be sufficient for EU law to apply to that processing.
An example is given of an e-commerce company based in China which operates a website on which personal data is processed exclusively in China, and which has set up a European office in Berlin to lead commercial prospection and marketing campaigns towards EU markets.
In this case the activities of the Berlin office can be considered inextricably linked to the processing carried out by the Chinese website, since the commercial prospection and marketing campaigns towards EU markets serve to make the e-commerce services offered by the website profitable. The Chinese company's processing of personal data can therefore be considered to take place in the context of the activities of an EU establishment and is subject to the Regulation under Article 3(1).
c) Application of the GDPR to the establishment of a controller or processor in the EU, regardless of whether the processing takes place in the EU
The presence of a controller or processor in the EU through an establishment, together with the fact that personal data is processed in the context of the activities of that establishment, triggers the application of the Regulation to that processing. The place where the processing physically takes place is therefore irrelevant to whether processing carried out in the context of the activities of an EU establishment falls within the scope of the Regulation.
For example, a pharmaceutical company headquartered in Stockholm has moved all personal data processing relating to clinical trials to its branch in Singapore. The branch is not a separate legal entity, and the Stockholm headquarters determines the purposes and means of the processing carried out on its behalf by the branch in Singapore.
In this case, although the processing takes place in Singapore, it is carried out in the context of the activities of the pharmaceutical company in Stockholm, i.e. of a controller established in the EU. The GDPR therefore applies to that processing under Article 3(1).
Moreover, since the wording of Article 3(1) does not restrict the application of the Regulation to the processing of personal data of individuals who are in the EU, the EDPB considers that any processing of personal data in the context of the activities of an EU establishment of a controller or processor falls within the scope of the Regulation, regardless of the location or nationality of the data subject.
d) Application of the establishment criterion to the controller and the processor
According to the EDPB, an EU processor should not be regarded as an establishment of a controller within the meaning of Article 3(1) merely by virtue of its status as a processor. The existence of a relationship between a controller and a processor does not necessarily trigger the application of the Regulation to both of them where one of the two entities is not established in the EU.
i. Processing by a controller in the EU using a processor not subject to the GDPR
If a controller subject to the GDPR chooses to use a processor located outside the EU which is not itself subject to the GDPR, the controller must ensure, by a contract or other legal act of the kind required by Article 28, that the processor processes the personal data in accordance with the GDPR. Where the data leaves the EU, the transfer must in addition comply with Chapter V of the Regulation.
ii. Processing in the context of the activities of the processor's establishment in the EU
The EDPB emphasizes that the establishment of the controller and that of the processor must be considered separately.
The first question is whether the controller itself has an establishment in the EU and processes personal data in the context of the activities of that establishment. If the controller is not processing personal data in the context of its own EU establishment, it will not be subject to controller obligations under Article 3(1) (although it may still fall within Article 3(2)). The processor's establishment in the EU is not, in itself, an establishment of the controller.
A separate question is whether the processor processes the data in the context of its own establishment in the EU. If so, the processor is subject to the processor obligations of the Regulation. This does not, however, make a controller not established in the EU subject to controller obligations under the GDPR: a non-EU controller does not become subject to the GDPR merely because it chooses to use an EU processor. At the same time, those requirements of the GDPR that apply directly to processors will apply to the EU-established processor in respect of that processing.
In addition, since such processing takes place in the context of the activities of the processor's EU establishment, the EDPB recalls that the processor must ensure that its processing is lawful in respect of its other obligations under EU law or the national law of the relevant Member State.
More generally, the EDPB points out that controllers and processors must also take into account other applicable rules, including EU and Member State sectoral legislation and national laws. Several provisions of the Regulation allow Member States to introduce additional conditions and define specific frameworks for the protection of personal data at national level in certain areas or for specific processing situations.
2. Targeting criterion
To assess whether the targeting criterion is met, the EDPB recommends a two-step approach: first, determine whether the processing relates to personal data of data subjects who are in the EU; second, determine whether the processing relates to the offering of goods or services to those data subjects or to the monitoring of their behavior in the EU.
a) Data subjects in the EU
Since Article 3(2) refers to “personal data of data subjects who are in the Union”, the application of the targeting criterion is not limited by the nationality, residence or other legal status of the data subject whose personal data is processed. Recital 14 confirms this: “The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.”
The EDPB considers that the requirement that the data subject be in the EU must be assessed at the moment the relevant activity takes place, i.e. at the time the goods or services are offered or at the time the behavior is monitored, regardless of the duration of the offer or the monitoring.
This may occur, for example, where a start-up established in the US, with no business presence or establishment in the EU, provides a city-mapping application for tourists. The app processes personal data relating to the location of customers using it (the data subjects) once they start using it in the city they are visiting, in order to offer targeted advertisements for places to visit, restaurants, bars and hotels. The app is available to tourists visiting New York, San Francisco, Toronto, London, Paris and Rome. Since the US start-up, through its city-mapping application, offers services to individuals in the EU, the processing of personal data of data subjects who are in the EU in connection with that offer falls within the scope of the Regulation under Article 3(2).
Conversely, as the EDPB notes, the processing of personal data of EU citizens or residents that takes place in a third country does not trigger the application of the Regulation as long as the processing is not related to a specific offer directed at individuals in the EU or to monitoring of their behavior in the EU.
For example, a bank in Taiwan has clients who reside in Taiwan but hold German citizenship. The bank operates only in Taiwan and its activities are not directed at the EU market. The bank's processing of the personal data of its German clients is not subject to the Regulation.
b) Offering goods or services to data subjects in the EU, irrespective of whether payment is required
Article 3(2)(a) of the Regulation provides that the targeting criterion relating to the offering of goods or services applies irrespective of whether a payment by the data subject is required. Whether the activities of a non-EU controller or processor constitute an offer of goods or services therefore does not depend on whether payment is made in exchange for them.
Recital 23 of the Regulation states: “Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”
Processing activities that are “related to” activities triggering Article 3(2) also fall within the territorial scope of the Regulation. The EDPB considers that there must be a connection, direct or indirect, between the processing and the offering of the goods or services.
The EDPB also considers that the CJEU's judgments in Pammer v Reederei Karl Schlüter GmbH & Co and Hotel Alpenhof v Heller (Joined Cases C-585/08 and C-144/09) may be useful when assessing whether goods or services are offered to a data subject in the EU.
It must be borne in mind, however, that under Recital 23 the mere accessibility of the website of the controller, processor or an intermediary in the EU, or the mention on that website of an email address, a geographical address or a telephone number without an international dialing code, does not in itself provide sufficient evidence of an intention to offer goods or services to data subjects in the EU.
One particular case in which the processing of personal data of individuals in the EU is not caught by Article 3(2)(a) is processing for human resource management purposes, including payroll, by a company established in a third country.
For example, a private company based in Monaco processes the personal data of its employees for payroll purposes. A large number of the company's employees are residents of France and Italy. Although the processing concerns data subjects in France and Italy, it does not take place in the context of an offer of goods or services to them, so Article 3(2)(a) does not apply.
c) Monitoring the behavior of data subjects
For the Regulation to apply under Article 3(2)(b), the behavior monitored must first relate to a data subject in the EU and, as a cumulative criterion, the monitored behavior must take place within the EU.
The kind of processing that can be considered monitoring of behavior is clarified in Recital 24 of the Regulation: “In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”
Although Recital 24 refers only to monitoring of behavior by tracking a person on the internet, the EDPB considers that tracking through other types of network or technology involving the processing of personal data, for example through wearables and other smart devices, should also be taken into account when determining whether processing constitutes monitoring of behavior.
Not every online collection or analysis of personal data of individuals in the EU automatically counts as “monitoring”, however. The controller's purpose in processing the data must be considered and, in particular, any subsequent behavioral analysis or profiling techniques applied to it. In line with Recital 24, the tracking of individuals online, including the potential subsequent use of profiling techniques, is the key consideration.
A controller or processor may be considered to monitor the behavior of data subjects in the EU under Article 3(2)(b) in a wide range of activities, in particular:
- behavioral advertising;
- geolocation activities, including for marketing purposes;
- online tracking through the use of cookies or other tracking techniques such as fingerprinting;
- personalized diet and health analytics services online;
- CCTV;
- market surveys and other behavioral studies based on individual profiles;
- monitoring or regular reporting on an individual's health status.
An example is given of a marketing company established in the United States that advises a shopping center in France on retail layout, based on an analysis of customers' movements throughout the center collected by Wi-Fi tracking.
Analyzing customers' movements inside the center by Wi-Fi tracking amounts to monitoring of individuals' behavior. Here the behavior of the data subjects takes place in the EU, since the shopping center is located in France. The marketing company, as controller, is therefore obliged to comply with the Regulation in respect of the processing of this data for this purpose under Article 3(2)(b) and, under Article 27, must designate a representative in the EU.
[1] The concept of “establishment” in the Regulation is consistent with the CJEU's interpretation in Weltimmo v NAIH (C-230/14, 2015). An organization can be “established” where it carries out “any real and effective activity, even a minimal one” through “stable arrangements” in the EU, and the presence of a single representative may suffice. Weltimmo was thus found to have an “establishment” in Hungary because it ran a Hungarian-language website advertising property located in Hungary (so that its activity was “mainly or entirely directed at that Member State”), used a local agent (responsible for debt collection and for representing it in administrative and judicial proceedings), and used a postal address and a bank account in Hungary for its business, even though it was registered in Slovakia.
Contacts for additional information:
Director of the Corporate and Commercial Law Department at GRATA International (Moscow)
T.: +7 (495) 660 11 84