Territorial scope of the EU data protection law

16 January 2019 | Blog

The General Data Protection Regulation ("GDPR") has been applicable since the 25th of May 2018 and governs processing activities related to personal data. The GDPR has a significantly broader scope than its predecessor (Directive 95/46/EC) and seeks to extend the reach of EU data protection law to non-EU based organizations. The long-awaited Guidelines 3/2018 on the territorial scope of the GDPR ("Guidelines") have been published in draft and provide some guidance regarding the territorial scope of the GDPR.

How to determine GDPR applicability?

The GDPR applies if one or more of the following criteria are met:

  1. The EU establishment-criterion (Art. 3(1) GDPR);
  2. The EU targeting-criterion (Art. 3(2) GDPR); and
  3. Applicability by virtue of public international law (Art. 3(3) GDPR).

1)   The EU establishment-criterion

The GDPR is applicable to organizations that are established in the EU where personal data is processed in the context of this EU establishment.

CJEU law

The European Court of Justice ("CJEU") has explained the concept of establishment in a broad manner. The concept is not limited to the legal form, but extends to "any real and effective activity exercised through stable arrangements" (Weltimmo v NAIH, C-230/14, Par. 31). The presence of a single representative or agent may be sufficient. Entities located within the EU that carry out activities that are 'inextricably linked' to the processing activities of a controller or processor located outside the EU may additionally cause that entity to be seen as an establishment (Google Spain, C-131/12, Par. 56). Regarding undertakings that exclusively offer services through the internet, the CJEU stated that "both the degree of stability of the arrangements and the effective exercise of activities must be interpreted in the light of the specific nature of the economic activities and the provisions of services concerned" (Weltimmo v NAIH, C-230/14, Par. 29). There is no establishment within the EU merely because a website is accessible within the EU (Verein für Konsumenteninformation, C-191/15, Par. 76).

EDPB Guidelines

In its Guidelines, the European Data Protection Board ("EDPB") identifies different elements relevant to determining whether the processing activities at stake fall within the scope of Article 3(1) GDPR.

Establishment in the EU

The starting point of the assessment is identifying whether an entity acts as a (joint) controller or a processor having an establishment in the EU. Whether a certain entity has an establishment within the EU depends on the stability of its arrangements and on the effective exercise of activities in a Member State, combined with the specific circumstances of the economic activities.

Processing is carried out in the context of the activities of an establishment in the EU

According to the EDPB, it is key to look for links between the activity for which the data are being processed and the activities of any presence of the organization in the EU (Google Spain, C-131/12, Par. 56). Additionally, the relationship between a data controller or processor outside the EU and a local establishment within the EU, as well as revenue raising, are important indicators as to whether the GDPR is applicable (reference is made to the CJEU case law cited above).

Place of processing is irrelevant

The GDPR may be applicable to processing activities regardless of whether these activities take place within the EU. The applicability depends on the presence of an establishment of a controller or processor within the EU and on the fact that the processing takes place in the context of the activities of this presence. The location of the processing is thus not relevant.

Relationship controller vs processor

The EDPB specifically states that a processor located within the EU should not be deemed an establishment of a controller outside the EU merely because of the controller-processor relationship. The EDPB also clarifies that, in case one of the entities is not located within the EU, a controller-processor relationship does not necessarily trigger the application of the GDPR to both entities. It is however possible that the GDPR will become indirectly applicable to the entity established outside the EU, due to the obligations that the GDPR lays upon the other party.

Obligations of the controller or processor

A controller that falls within the scope of the GDPR has to comply with all of its obligations. Controllers who fall outside the scope of the GDPR are not directly bound by the obligations of the GDPR. However, a processor that is bound by the GDPR may only follow the instructions of the controller insofar as they are in line with the GDPR.

A processor that falls outside the scope of the GDPR still has to adhere to the provisions of the processing agreement, which the controller within the scope of the GDPR has to conclude. If the processor falls within the scope of the GDPR where the controller does not, it will be subject to the following relevant GDPR provisions (if applicable):

  • Obligations that would follow from a data processing agreement as per Article 28(2), (3), (4), (5) and (6);
  • Record keeping as per Article 30(2);
  • Cooperation with the supervisory authority as per Article 31;
  • Implementation of technical and organizational measures as per Article 32;
  • Notification of data breaches to the controller as per Article 33;
  • Designation of a data protection officer as per Articles 37 and 38;
  • Obligations regarding transfers of personal data as per Chapter V.

2)   Non-EU organization: The targeting-criterion

The GDPR may also be applicable to non-EU organizations based on the targeting-criterion (Art. 3(2) GDPR). This is the case if the processing of personal data of data subjects who are in the EU is related to:

  1. The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or
  2. The monitoring of their behavior as far as their behavior takes place within the EU.

EDPB Guidelines

A two-step approach is recommended by the EDPB to determine whether Article 3(2) GDPR is applicable.

The processing activities relate to data subjects who are in the EU

This threshold is quite straightforward. Data protection is not limited to citizenship, as follows from the Charter of Fundamental Rights of the EU. The GDPR thus applies to everyone located within the EU during the triggering activity, which consists of either the offering of goods or services, or the monitoring of behavior.

Offering goods or services

This criterion is met when an offer is directed at a natural person in the EU. As follows from Recital 23 GDPR, the conduct of the controller or processor must show an intention to deliver goods or services to data subjects in the EU. 

The CJEU clarified what 'to direct an activity' implies (joined cases C-585/08 and C-144/09). The CJEU stated that there must be evidence of the intention to do business with consumers located in another Member State prior to the conclusion of a contract with that consumer (Par. 76). A number of factors are listed which, according to the EDPB, could be taken into consideration when assessing the applicability of Article 3(2)(a) GDPR.

What is lacking is an answer to the question whether the targeting of undertakings also falls within the scope of Article 3(2)(a) GDPR. Additionally, it remains unclear whether services that are partly executed in the EU, but initially offered outside the EU, must comply with the GDPR.

Monitoring of data subject's behavior

The behavior that is monitored must be related to a person in the EU and the monitored behavior must take place within the EU territory. Monitoring entails online tracking, but also includes other types of monitoring by means of a network or technology, such as CCTV and geo-localization activities.

The EDPB clarifies that 'monitoring' refers to a specific purpose for which the controller collects and reuses personal data related to the behavior of the data subject within the EU. The mere online collection of personal data would not automatically fall within the definition of monitoring. A key consideration is whether the action contains the tracking of data subjects followed by a potential subsequent use of profiling techniques.

The EDPB furthermore states that processing activities related to the triggering activity (the offering of goods or services, or the monitoring of behavior) fall within the scope of the GDPR as well.

The abovementioned assessment is additionally of importance, as entities who fall within this scope need to appoint a representative in the EU based on Article 27 GDPR, unless they are able to invoke one of the exceptions of Article 27(2) GDPR. This representative shall not be deemed an establishment as mentioned in Article 3(1) GDPR.

3)   Non-EU organization: Public international law

The GDPR applies to the processing of personal data by non-EU controllers where national law applies by virtue of public international law. This criterion is applicable in case of, for instance, diplomatic and consular posts, and in case of EU (cruise) ships travelling on international waters.

Way forward

Although the Guidelines are not yet final, the GDPR is. It is thus important to start thinking about the worldwide data streams within your company, as they might fall within the scope of the GDPR. Non-EU organizations should therefore also make sure they understand the rules of the GDPR and its impact.
