One of many innovations introduced by GDPR is its territorial scope.
In fact, the two main criteria defining the territorial scope of the GDPR – the establishment criterion (Art. 3.1 of GDPR) and the targeting criterion (Art. 3.2 of GDPR) – have been drafted in such a way to avoid easy way outs when it comes to the protection of individuals and their personal data.
Last November, the European Data Protection Board (“EDPB”) published a revised version of its Guidelines 3/2018 on the territorial scope of the GDPR, which provide some interesting remarks and examples on both the establishment and the targeting criteria. We will concentrate on a selection of a few of them.
THE ESTABLISHMENT CRITERION
EDPB suggests a threefold approach in determining whether or not certain processing of personal data falls within the scope of the GDPR on the basis of the establishment criterion.
1) Is there an establishment in the EU?
This is, of course, an answer that must be given having regard to the effective and real exercise of activities through stable arrangements, rather than to other formal circumstances, such as the legal form of a certain entity.
It is worth noting that, on the issue, the EDPB made sure to remind – by making reference to the Weltimmo case – that the threshold to be applied in determining whether or not an arrangement can be deemed as stable can be quite low, for example, when it comes to the provision of online services. Even a single employee may be sufficient to constituting a stable arrangement, if that employee acts with a sufficient degree of stability.
2) Is processing carried out in the context of the activities of the establishment?
The EDPB points out two factors that must be taken into consideration: (i) the relationship between a controller or processor outside the EU and its local establishment in the Union; and (ii) revenue raising in the EU.
3) There is no need that the processing takes place in the EU!
The place of processing is irrelevant, if processing takes place in the context of the activities of the establishment. So is the geographical location of the data subjects in question.
In addition to the threefold approach, the EDPB offers some hints on how the application of the establishment criterion me be affected by the relationship between the controller and the processor. To such regard, the first thing to note is that the relationship between a controller and a processor does not per se trigger the application of GDPR to both. Furthermore, it is more likely that the establishment within the EU of the controller will lead to the application of GDPR to the processor located abroad than vice versa. In fact, on one hand, when a controller subject to GDPR chooses a processor located outside the EU, the processor located outside the EU will become indirectly subject to the obligations imposed by GDPR by virtue of contractual arrangements under Art. 28 of GDPR. On the other hand, unless other factors are at play, the processor’s EU establishment will not per se trigger the application of GDPR to the non-EU controller, because by instructing the EU processor the non-EU controller is not carrying out any processing in the context of the activities of the processor in the EU.
THE TARGETING CRITERION
The first thing to which EDPB draws our attention to is a simple, yet important, fact. Whenever the targeting criterion leads to the application of GDPR to controllers or processors which are not EU-established, such controllers or processor will not benefit from the one-stop shop mechanism, allowing them to interact with only one Lead Supervisory Authority. That is an important factor to be taken into consideration when assessing the opportunity to establish an entity within the EU to offer services or monitor data subjects.
Having said that, the EDPB recommends a twofold approach for the targeting criterion.
1) Are data subjects “in the Union”?
Under the targeting criterion, GDPR will be applied to controllers or processors not established in the EU insofar as processing is related to the offering of goods and services to / monitoring of data subjects in the EU.
With regard to the presence of the data subject in the EU, no reference is made to any formal legal status of the data subject (e.g. residence or citizenship): it is sufficient that data subject are physically located in the EU at the moment of offering goods or services or at the moment when their behaviors are being monitored.
Nevertheless, that will not be sufficient to extend the application of GDPR to such activities that are only inadvertently or incidentally targeting individuals in the EU. Hence, whenever processing relates to a service offered only outside the EU – which is not withdrawn by individuals entering the EU – the relevant processing will not be subject to GDPR.
2) Offering of goods or service / monitoring of data subjects’ behavior, yes or no?
The first activity triggering the application of the targeting criterion is the offering of goods or services. It is interesting to note, to such regard, how the EDPB recalls the CJEU case law on Council Regulation 44/2001 on jurisdiction. Although underlining some differences, the notion of “directing an activity” can be applied to assess the presence of a goods or services offer by non-EU controllers/processor.
The factors that the EDPB lists, considering them a good indication, especially in combination with one another, of an offer in the UE of goods and services, are taken from the Pammer case and they include:
- The EU or at least one Member State is designated by name with reference to the good or service offered;
- The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union; or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience;
- The international nature of the activity at issue, such as certain tourist activities;
- The mention of dedicated addresses or phone numbers to be reached from an EU country;
- The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”;
- The description of travel instructions from one or more other EU Member States to the place where the service is provided;
- The mention of international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;
- The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member states;
- The data controller offers the delivery of goods in EU Member States.
With reference to monitoring activities, the EDPB first reminds us that not only data subjects must be in the EU but, as a cumulative criterion, the monitored behavior must take place within the territory of the EU.
It then offers a fairly comprehensive list of examples of monitoring activities, including:
- Behavioral advertisement;
- Geo-localization activities, in particular for marketing purposes;
- Personalized diet and health analytics services online;
- Market surveys and other behavioral studies based on individual profiles;
- Monitoring or regular reporting on an individual’s health status.
EDPB EXAMPLES SUMMARIZED
Based on the above, here’s a summary of some interesting examples (with some not-so-obvious outcomes):
|WITHIN THE TERRITORIAL SCOPE OF GDPR||OUTSIDE THE TERRITORIAL SCOPE OF GDPR|
|An e-commerce website is operated by a company based in China. The personal data processing activities of the company are exclusively carried out in China. The Chinese company has established a European office in Berlin in order to lead and implement commercial prospection and marketing campaigns towards EU markets.||The processing is indeed inextricably linked to the activities of the European office in Berlin relating to commercial prospection and marketing campaign towards EU market.||A hotel and resort chain in South Africa offers package deals through its website, available in English, German, French and Spanish. The company does not have any office, representation or stable arrangement in the EU.||Absence of any representation or stable arrangement of the hotel and resort chain within the territory of the Union.|
|A French company has developed a car-sharing application exclusively addressed to customers in Morocco, Algeria and Tunisia. The service is only available in those three countries but all personal data processing activities are carried out by the data controller in France.||Processing of personal data is carried out in the context of the activities of an establishment of a data controller in the Union.||An Australian company offers a mobile news and video content service, based on users’ preferences and interest. Users can receive daily or weekly updates. The service is offered exclusively to users located in Australia, who must provide an Australian phone number when subscribing. An Australian subscriber of the service travels to Germany on holiday and continues using the service.||The service is not targeting individuals in the Union, but targets only individuals in Australia.|
|A start-up established in the USA, without any business presence or establishment in the EU, provides a city-mapping application for tourists. The application processes personal data concerning the location of customers using the app (the data subjects) once they start using the application in the city they visit, in order to offer targeted advertisement for places to visits, restaurant, bars and hotels. The application is available for tourists while they visit New York, San Francisco, Toronto, Paris and Rome.||The US start-up, via its city mapping application, is specifically targeting individuals in the Union.||A US company, without any establishment in the EU, processes personal data of its employees that were on a temporary business trip to France, Belgium and the Netherlands for human resources purposes, in particular to proceed with the reimbursement of their accommodation expenses and the payment of their daily allowance, which vary depending on the country they are in.||While the processing activity is specifically connected to persons on the territory of the Union (i.e. employees who are temporarily in France, Belgium and the Netherlands) it does not relate to an offer of a service to those individuals, but rather is part of the processing necessary for the employer to fulfil its contractual obligation and human resources duties related to the individual’s employment. The processing activity does not relate to an offer of service.|