The European Data Protection Board (« EDPB ») issued a new draft guideline (“Guideline 3/2018”) on the territorial scope of the General Data Protection Regulation (“GDPR”).
The Guideline 3/2018 brings long awaited clarifications on questions in relation to the criteria of “establishment” and “targeting”, processing in places where Member State law applies by virtue of public international law (which will not be analysed here) and the need for a representative for controllers or processors not established in the EU.
As a reminder, Article 3 GDPR foresees that the EU Regulation applies to processing of personal data in the context of activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the EU or not.
The EU legislator’s intention was, with regard to territorial scope, to establish a level playing field for companies active in the EU markets, in a context of worldwide data flows.
The territorial scope uses two main criteria: establishment (1) and targeting (2). If one of these 2 criteria is met, the relevant provisions of the GDPR will apply. In cases where the controller or the processor does not have an establishment in the EU, he must designate a EU representative (3).
(This article gives an overview only of the Guideline 3/2018 and shall not be considered as exhaustive and/or legal advice.)
- Establishment
The GDPR does not provide a definition of the term “establishment” for the purpose of Article 3. However, the EDPB reminded that ECJ Case law on the interpretation of this term remains applicable (see for example ECJ Google Spain and ECJ Weltimmo). While the Guideline 3/2018 confirms that the interpretation of the term establishment is broad (and the legal form of the establishment is irrelevant), it also insisted that is not without limits (e.g. the mere fact that an undertaking’s website is accessible in a Member State of the EU is not sufficient to conclude that it has an establishment).
Another interesting clarification provided by the Guideline 3/2018 is that processing by the establishment is not necessary: it is sufficient that the processing is carried out “in the context of the activities” (EDPB also refers to applicable EU Case Law to understand this difference).
The Guideline 3/2018 further confirms that, with regard to “processing in the context of the activities”, location and nationality of the data subjects who are in the EU is not relevant. This means that neither the controller / processor, nor the data subjects need to be in EU in order for the GDPR to apply.
- Targeting
The EDPB reminds that the absence of an establishment in the EU does not mean that a data controller or procession is excluded from the scope of GDPR (However, it is also reminded that in the absence of an establishment, the data controller or processor cannot benefit from the one-stop shop)
To see whether the targeting criteria applies (i.e. criteria applicable to a controller or processor without an establishment in the EU) the EDPB recommends to:
- determine that the processing relates to personal data of data subjects who are in the EU and
- whether it relates to the offering of goods or services or to the monitoring of data subject’s behavior in the EU.
- Data subjects in the EU
The EDPB reminds that this criteria is not limited by citizenship, residence or other type of legal status. This criterion must be assessed at the moment when the relevant trigger activity takes place (i.e. moment of offering goods or services or the moment when the behaviour is being monitored, regardless of the duration of the offer). The EDPB however also reminds that the processing alone is not sufficient, the controller or processor must also target individuals in the EU.
These 2 examples provided in the Guideline 3/2018 helps to clarify the distinction:
Example GDPR is applicable
A start-up established in the USA, without any business presence or establishment in the EU, provides a city-mapping application for tourists. The application processes personal data concerning the location of customers using the app (the data subjects) once they start using the application in the city they visit, in order to offer targeted advertisement for places to visits, restaurant, bars and hotels. The application is available for tourists while they visit New York, San Francisco, Toronto, London, Paris and Rome. The US start-up, via its city mapping application, is offering services to individuals in the Union (specifically in London, Paris and Rome). The processing of the EU-located data subjects’ personal data in connection with the offering of the service falls within the scope of the GDPR as per Article 3(2).
Example GDPR is not applicable
A bank in Taiwan has customers that are residing in Taiwan but hold German citizenship. The bank is active only in Taiwan; its activities are not directed at the EU market. The bank’s processing of the personal data of its German customers is not subject to the GDPR.
- Offering of goods and services
The Guideline 3/2018 referred once more to EU law and Case law where the concept of these terms have already been defined and reminding that the payment by the data subject for the offered goods or services is not a criteria to fall within the territorial scope of GDPR.
The Guideline 3/2018 then mentions that ECJ Case Law Pammer v Reederei Karl Schlüter GmbH & Co and Hotel Alpenhof v Heller (Case Law on the interpretation of the Brussel I Regulation which clarifies when a trader is directing his activity towards the Member State of the consumer’s domicile) might be of assistance to determine whether goods or services are offered to a data subject in the EU. The Guideline provides a non-exclusive list of factors that may be taken into consideration:
– The EU or at least one Member State is designated by name with reference to the good or service offered;
– The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union; or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience
– The international nature of the activity at issue, such as certain tourist activities;
– The mention of dedicated addresses or phone numbers to be reached from an EU country
– The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”;
– The description of travel instructions from one or more other EU Member States to the place where the service is provided;
– The mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;
– The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member states;
– The data controller offers the delivery of goods in EU Member States.
The following examples provided by the Guideline 3/2018 clarify when goods or services are offered to EU data subjects in a manner that renders GDPR applicable or not:
Example GDPR is applicable
A website, based and managed in Turkey, offers services for the creation, edition, printing and shipping of personalised family photo albums. The website is available in English, French, Dutch and German and payments can be made in Euros or Sterling. The website indicates that photo albums can only be delivered by post mail in the UK, France, Benelux countries and Germany. In this case, it is clear that the creation, editing and printing of personalised family photo albums constitute a service within the meaning of EU law. The fact that the website is available in four languages of the EU and that photo albums can be delivered by post in six EU Member States demonstrates that there is an intention on the part of the Turkish website to offer its services to individuals in the Union. As a consequence, it is clear that the processing carried out by the Turkish website, as a data controller, relates to the offering of a service to data subjects in the Union and is therefore subject to the obligations and provisions of the GDPR, as per its Article 3(2)(a). In accordance with Article 27, the data controller will have to designate a representative in the Union.
Example GDPR is not applicable
A private company based in Monaco processes personal data of its employees for the purposes of salary payment. A large number of the company’s employees are French and Italian residents. In this case, while the processing carried out by the company relates to data subjects in France and Italy, it does not takes place in the context of an offer of goods or services. Indeed human resources management, including salary payment by a third-country company cannot be considered as an offer 17 Adopted of service within the meaning of Art 3(2)a. The processing at stake does not relate to the offer of goods or services to data subjects in the Union (nor to the monitoring of behaviour) and, as a consequence, is not subject to the provisions of the GDPR, as per Article 3. This assessment is without prejudice to the applicable law of the third country concerned
- Monitoring of data subject’s behaviour
The Guideline clarifies that behavioural monitoring can be undertaken not only through the internet (as suggested by Recital 24 GDPR), but also other types of network or technology (e.g.. wearable and other smart devices). Other than for offering of goods and services, monitoring does not require an “intention to target” to trigger the application of the GDPR, it is sufficient that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data.
The mere collection of data is not automatically considered as monitoring. The purpose of the processing needs to be considered (e.g. the subsequent behavioural analysis or profiling techniques).
Monitoring activities include, among others:
– Behavioural advertisement
– Geo-localisation activities, in particular for marketing purposes
– Online tracking through the use of cookies or other tracking techniques such as fingerprinting
– Personalised diet and health analytics services online – CCTV – Market surveys and other behavioural studies based on individual profiles
– Monitoring or regular reporting on an individual’s health status
- Representatives of controllers or processors not in the EU
If a data controller or processor is subject to the GDPR, he shall designate a representative in the EU. The EDPB clarified that this provision was not entirely new and already existing under the previous Directive 95/46/EC.
It is also clarified that the designation of an EU representative will not be considered as an “establishment” by virtue of article 3(1) GDPR.
The written mandate given to the EU representative will typically be a service contract concluded with an individual or an organization (e.g. law firms, consultancies, private companies etc…) provided that these individuals / organizations are established in the EU. If the representative is a company or any other type of organization, it is recommended that a lead person (person in charge) within the company / organization is appointed.
The EDPB also confirmed that, in their view, the role of EU representative is not compatible with the external data protection officer (DPO).
The Guideline 3/2018 also clarifies the obligations and responsibilities of the EU representative.
While not itself responsible for complying with data subject rights, the legal representative must facilitate the communication between data subjects and the controller or processor represented, in order to make the exercise of data subjects’ rights effective. The EDPB further considers that the maintenance of a record of processing activities is a joint obligation of the controller and the processor and that if they are not established in the EU, they must provide to the representative with all accurate and updated information so that the record can be maintained and made available by the representative.
The EU representative should also perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. In practice, this means that a supervisory authority would contact the representative in connection with any matter relating to the compliance obligations of a controller or processor established outside the Union, and the representative shall be able to facilitate any informational or procedural exchange between a requesting supervisory authority and a controller or processor established outside the Union.
With the help of a team if necessary, the representative in the Union must therefore be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities concerned. This means that this communication must take place in the language or languages used by the supervisory authorities and the data subjects concerned. The availability of a representative is therefore essential in order to ensure that data subjects and supervisory authorities will be able to establish contact easily with the non-EU controller or processor.
It should however be noted that the concept of the representative was introduced precisely with the aim of ensuring enforcement of the GDPR against controllers or processors that fall under Article 3(2) of the GDPR. To this end, it was the intention to enable enforcers to initiate enforcement action against a representative in the same way as against controllers or processors. This includes the possibility to impose administrative fines and penalties, and to hold representatives liable.
- Conclusion
The Guideline 3/2018 provides useful insight on the scope of GDPR to controllers and processors outside the EU and the role of the EU representative. Unfortunately, the Guideline 3/2018 (in its current draft form) does not provide any further specifications on the responsibility of a controller or processor that falls within the scope of GDPR, but does not comply with it and how such third country controller / processor will be sanctioned. Hopefully there will be some further clarification on this point in the final version of Guideline 3/2018. Indeed, the draft version is still subject to comments from the public until 18 January 2019. Thereafter, a final version of the Guideline 3/2018 will be published.