Tag Archives: guidelines

The European Data Protection Board’s Revised Guidelines on the Territorial Scope of GDPR Are Out (With Some Interesting Examples). Check Them Out!

One of many innovations introduced by GDPR is its territorial scope.

In fact, the two main criteria defining the territorial scope of the GDPR – the establishment criterion (Art. 3.1 of GDPR) and the targeting criterion (Art. 3.2 of GDPR) – have been drafted in such a way to avoid easy way outs when it comes to the protection of individuals and their personal data.

Last November, the European Data Protection Board (“EDPB”) published a revised version of its Guidelines 3/2018 on the territorial scope of the GDPR, which provide some interesting remarks and examples on both the establishment and the targeting criteria. We will concentrate on a selection of a few of them.

THE ESTABLISHMENT CRITERION

EDPB suggests a threefold approach in determining whether or not certain processing of personal data falls within the scope of the GDPR on the basis of the establishment criterion.

1) Is there an establishment in the EU?

This is, of course, an answer that must be given having regard to the effective and real exercise of activities through stable arrangements, rather than to other formal circumstances, such as the legal form of a certain entity.

It is worth noting that, on the issue, the EDPB made sure to remind – by making reference to the Weltimmo case – that the threshold to be applied in determining whether or not an arrangement can be deemed as stable can be quite low, for example, when it comes to the provision of online services. Even a single employee may be sufficient to constituting a stable arrangement, if that employee acts with a sufficient degree of stability.

2) Is processing carried out in the context of the activities of the establishment?

The EDPB points out two factors that must be taken into consideration: (i) the relationship between a controller or processor outside the EU and its local establishment in the Union; and (ii) revenue raising in the EU.

3) There is no need that the processing takes place in the EU!

The place of processing is irrelevant, if processing takes place in the context of the activities of the establishment. So is the geographical location of the data subjects in question.

In addition to the threefold approach, the EDPB offers some hints on how the application of the establishment criterion me be affected by the relationship between the controller and the processor. To such regard, the first thing to note is that the relationship between a controller and a processor does not per se trigger the application of GDPR to both. Furthermore, it is more likely that the establishment within the EU of the controller will lead to the application of GDPR to the processor located abroad than vice versa. In fact, on one hand, when a controller subject to GDPR chooses a processor located outside the EU, the processor located outside the EU will become indirectly subject to the obligations imposed by GDPR by virtue of contractual arrangements under Art. 28 of GDPR. On the other hand, unless other factors are at play, the processor’s EU establishment will not per se trigger the application of GDPR to the non-EU controller, because by instructing the EU processor the non-EU controller is not carrying out any processing in the context of the activities of the processor in the EU.

THE TARGETING CRITERION

The first thing to which EDPB draws our attention to is a simple, yet important, fact. Whenever the targeting criterion leads to the application of GDPR to controllers or processors which are not EU-established, such controllers or processor will not benefit from the one-stop shop mechanism, allowing them to interact with only one Lead Supervisory Authority. That is an important factor to be taken into consideration when assessing the opportunity to establish an entity within the EU to offer services or monitor data subjects.

Having said that, the EDPB recommends a twofold approach for the targeting criterion.

1) Are data subjects “in the Union”?

Under the targeting criterion, GDPR will be applied to controllers or processors not established in the EU insofar as processing is related to the offering of goods and services to / monitoring of data subjects in the EU.

With regard to the presence of the data subject in the EU, no reference is made to any formal legal status of the data subject (e.g. residence or citizenship): it is sufficient that data subject are physically located in the EU at the moment of offering  goods or services or at the moment when their behaviors are being monitored.

Nevertheless, that will not be sufficient to extend the application of GDPR to such activities that are only inadvertently or incidentally targeting individuals in the EU. Hence, whenever processing relates to a service offered only outside the EU – which is not withdrawn by individuals entering the EU – the relevant processing will not be subject to GDPR.

2) Offering of goods or service / monitoring of data subjects’ behavior, yes or no?

The first activity triggering the application of the targeting criterion is the offering of goods or services. It is interesting to note, to such regard, how the EDPB recalls the CJEU case law on Council Regulation 44/2001 on jurisdiction. Although underlining some differences, the notion of “directing an activity” can be applied to assess the presence of a goods or services offer by non-EU controllers/processor.

The factors that the EDPB lists, considering them a good indication, especially in combination with one another, of an offer in the UE of goods and services, are taken from the Pammer case and they include:

  • The EU or at least one Member State is designated by name with reference to the good or service offered;
  • The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union; or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience;
  • The international nature of the activity at issue, such as certain tourist activities;
  • The mention of dedicated addresses or phone numbers to be reached from an EU country;
  • The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”;
  • The description of travel instructions from one or more other EU Member States to the place where the service is provided;
  • The mention of international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;
  • The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member states;
  • The data controller offers the delivery of goods in EU Member States.

With reference to monitoring activities, the EDPB first reminds us that not only data subjects must be in the EU but, as a cumulative criterion, the monitored behavior must take place within the territory of the EU.

It then offers a fairly comprehensive list of examples of monitoring activities, including:

  • Behavioral advertisement;
  • Geo-localization activities, in particular for marketing purposes;
  • Online tracking through the use of cookies or other tracking techniques such as fingerprinting;
  • Personalized diet and health analytics services online;
  • CCTV;
  • Market surveys and other behavioral studies based on individual profiles;
  • Monitoring or regular reporting on an individual’s health status.

EDPB EXAMPLES SUMMARIZED

Based on the above, here’s a summary of some interesting examples (with some not-so-obvious outcomes):

WITHIN THE TERRITORIAL SCOPE OF GDPR OUTSIDE THE TERRITORIAL SCOPE OF GDPR
Case Why? Case Why?
An e-commerce website is operated by a company based in China. The personal data processing activities of the company are exclusively carried out in China. The Chinese company has established a European office in Berlin in order to lead and implement commercial prospection and marketing campaigns towards EU markets. The processing is indeed inextricably linked to the activities of the European office in Berlin relating to commercial prospection and marketing campaign towards EU market. A hotel and resort chain in South Africa offers package deals through its website, available in English, German, French and Spanish. The company does not have any office, representation or stable arrangement in the EU. Absence of any representation or stable arrangement of the hotel and resort chain within the territory of the Union.
A French company has developed a car-sharing application exclusively addressed to customers in Morocco, Algeria and Tunisia. The service is only available in those three countries but all personal data processing activities are carried out by the data controller in France. Processing of personal data is carried out in the context of the activities of an establishment of a data controller in the Union. An Australian company offers a mobile news and video content service, based on users’ preferences and interest. Users can receive daily or weekly updates. The service is offered exclusively to users located in Australia, who must provide an Australian phone number when subscribing. An Australian subscriber of the service travels to Germany on holiday and continues using the service. The service is not targeting individuals in the Union, but targets only individuals in Australia.
A start-up established in the USA, without any business presence or establishment in the EU, provides a city-mapping application for tourists. The application processes personal data concerning the location of customers using the app (the data subjects) once they start using the application in the city they visit, in order to offer targeted advertisement for places to visits, restaurant, bars and hotels. The application is available for tourists while they visit New York, San Francisco, Toronto, Paris and Rome. The US start-up, via its city mapping application, is specifically targeting individuals in the Union. A US company, without any establishment in the EU, processes personal data of its employees that were on a temporary business trip to France, Belgium and the Netherlands for human resources purposes, in particular to proceed with the reimbursement of their accommodation expenses and the payment of their daily allowance, which vary depending on the country they are in. While the processing activity is specifically connected to persons on the territory of the Union (i.e. employees who are temporarily in France, Belgium and the Netherlands) it does not relate to an offer of a service to those individuals, but rather is part of the processing necessary for the employer to fulfil its contractual obligation and human resources duties related to the individual’s employment. The processing activity does not relate to an offer of service.

FDA’s Initial Thoughts on 3D Printing of Medical Devices Published Today

Curious about how regulations on 3D printing of medical device will evolve? Check out the draft guidance published today by the United States Food and Drug Administration (“FDA”). Comments and suggestions are welcome and should reach the FDA within the next 60 days.

The draft guidance looks interesting under a number of aspects. First of all, it provides a definition of additive manufacturing (“AM”), i.e., “a process that builds an object by iteratively building 2-dimensional (2D) layers and joining each layer below, allowing device manufacturers to rapidly alter designs without the need for retooling and to create complex devices built as a single piece.”

It also defines itself as a “leap-frog guidance” and clarifies that “leap frog guidances are intended to serve as a mechanism by which the Agency can share initial thoughts regarding emerging technologies that are likely to be of public health importance early in product development”, which is a nice way to say that the FDA recognizes that its thoughts are just initial and subject to change.

A number of caveats are singled out and manufacturers are invited to be careful about, and to design their quality systems so they take due account of:

  • device design, which can be altered in AM due to various factors (pixelation of features, various patient-matching techniques, effects of imaging, etc.)
  • software and software interactions;
  • machine parameters and environmental conditions;
  • material used (which can be raw material or recycled);
  • post-processing phase;
  • process validation and acceptance activities;
  • device testing;
  • cleaning and sterilization;
  • biocompatibility.

The FDA also believes that AM devices that are patient-matched should be subject to additional labelling information.

The draft guidance does not address the use or incorporation of biological, cellular, or tissue-based products in AM, which may require additional regulation. Also, point-of-care device manufacturing may raise additional technical considerations.

Electronic Medical Record: Italian Data Protection Authority Issues New Guidelines

On June 4, 2015, the Italian Data Protection Authority issued new guidelines governing the collection and processing of personal and sensitive data through the Electronic Medical Record.

  • What is an Electronic Medical Record?

A record, kept by a hospital or a healthcare center, containing patients’ clinical history at that specific hospital or healthcare center.

  • Patients’ rights

The guidelines set forth several rights to which patients treated at any hospital or healthcare center are entitled:

  1. Patients are entitled to decide whether the hospital or the healthcare center may store their data through an Electronic Medical Record. If a patient denies his/her consent, physicians will be able to rely only on information gathered during examination and treatment, as well as on information previously conveyed by the patient, if any. Denial of consent will not affect the possibility of being treated at the hospital/healthcare center.
  2. Specific consent is needed for the collection of certain categories of sensitive date, such as HIV infections, abortions, data relating to sexual assault. With respect to such data, patients will have the right to limit access to specific individuals/professionals.
  3. In addition to all rights granted by the Data Protection Code (such as the right to receive confirmation on the existence of personal/sensitive data, to know the origin of the data, the purpose and means of processing, as well as the logic applied to the processing) patients will also be entitled to receive information on each access to their Electronic Medical Record.
  • Hospitals and healthcare centers’ obligations

Hospitals and healthcare centers are required to provide patients with a thorough privacy notice concerning the processing of data through the Electronic Medical Record. Upon patients’ request, hospitals and healthcare centers shall also provide information concerning stored data and access logs to the Electronic Medical Record (including the professional accessing the data, date and time of access) within 15 days of the request. Patients will also be entitled to redact data or healthcare documentation that they do not wish to be included in their Electronic Medical Record.

The Data Protection Authority’s guidelines also address important technical aspects and provide that patients’ healthcare information contained in the Electronic Medical Record shall be segregated from other administrative data. Sensitive data will need to be encrypted. Furthermore, access to the record will be granted only to medical staff involved in the patient’s treatment and any access and processing will be recorded on log files to be kept by the hospital or healthcare center for at least 24 months.

Lastly, the guidelines set forth strict data breach requirements for hospitals and healthcare center, by providing that any data breach or unauthorized access shall be reported to the Data Protection Authority within 48 hours of knowledge of the breach. Failure to report will lead to the application of penalties.

See the Data Protection Authority’s presentation of the new guidelines

EMA Issues New Guidelines to Prevent Medication Errors

On April 14, 2015 the European Medicines Agency (“EMA”) released two drafts of good practice guides aimed at improving the reporting, evaluation and prevention of medication errors. The new guides are addressed to regulatory authorities, as well as the pharmaceutical industry.

Medication errors generally refer to unintended mistakes in the processes of prescribing, dispensing or administering of medicinal products in clinical practice and according to EMA they account for an estimated 18.7 – 56% of all adverse drug events among hospitalized patients.

The first guide released by EMA provides an overview of the main sources and types of medication errors, as well as measures to minimize the risks that such errors are made. The second guide, on the other hand, focuses on suspected adverse reactions caused by medication errors, providing guidance and recommendations on how to record, code, report and assess such errors.

The guidelines from EMA recommend a number of actions to marketing authorization holders, including the periodical reporting of information concerning medication errors. Recommendations to the industry include periodical safety update reports and risk management plans to be adopted for each marketed pharmaceutical product. The overall scope of these reporting obligations is to implement a real-life continuous evaluation of the risks and benefits of all medicines placed on the European market.

The two draft guidelines are now open to comments from all relevant stakeholders: the public consultation procedure will expire on June 14, 2015. The final version of the guidelines is expected to be finally adopted later in 2015.

More information and the new draft guides can be found here: http://www.ema.europa.eu/ema/index.jsp?curl=pages/news_and_events/news/2015/04/news_detail_002307.jsp&mid=WC0b01ac058004d5c1.