The European Data Protection Board ("EDPB") recently published the Guidelines on the Territorial Scope of the GDPR ("Guidelines") as adopted after public consultation (Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - Version 2.1 of 7 January 2020)[1].
The Guidelines provide guidance and clarification on the application and interpretation of Article 3 of the General Data Protection Regulation ("GDPR" or "Regulation") of the European Union ("EU"), which regulates the scope of GDPR's application including its extraterritorial application (i.e. to non-EU data controllers).
The extraterritorial scope of the GDPR is especially important for non-EU data controllers, as the Regulation may affect them even if they are unaware of the GDPR or of the extension of its application to non-EU jurisdictions. For example, the location of the processing is irrelevant for the application of the Regulation, so the GDPR may apply to processing activities conducted entirely outside EU borders by non-EU data controllers.
In that regard, companies outside the EU, who have business relations and commercial activities within the EU or in connection with individuals within EU borders, must bear in mind the extraterritorial scope of GDPR and evaluate their activities in terms of GDPR's applicability.
As an overview, according to Article 3 of the Regulation, GDPR applies to the following processing activities:
(i) The processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not.
(ii) The processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities relate to:
- the offering of goods or services to such data subjects in the EU, irrespective of whether a payment of the data subject is required; or
- the monitoring of their behaviour as far as their behaviour takes place within the EU.
(iii) The processing of personal data by a controller not established in the EU, but in a place where EU Member State law applies by virtue of public international law.
In light of the foregoing, the GDPR may apply to non-EU data controllers/processors through (i) the establishment criterion per Article 3(1), (ii) the targeting criterion per Article 3(2) and (iii) the application of Member State law by virtue of public international law per Article 3(3).
Establishment Criterion - Article 3(1)
At first sight, the establishment criterion seems to determine the application of the GDPR to data controllers/processors located in the EU by way of establishment. If a data controller/processor is established within the EU, the GDPR applies to its processing activities based on this criterion. However, this is not the complete picture: it is possible that the GDPR applies to non-EU data controllers/processors through this criterion even if they are established, and their processing activity takes place, outside the EU.
In the Guidelines, the EDPB recommends a "threefold approach" to determine whether the processing of personal data falls within the scope of the GDPR per Article 3(1) of the Regulation. In that regard, there has to be "an establishment in the EU" within the meaning of EU data protection law and a "processing in the context of the activities of [that] establishment". Once the data controller's activities meet these two conditions, the GDPR will apply regardless of whether the processing takes place in the EU or not.
An establishment in the EU:
Recital 22 of the GDPR states that an "[e]stablishment implies the effective and real exercise of activities through stable arrangements" and explains that "[t]he legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect."
In that regard, establishment does not necessarily require that the data controller/processor have a registered branch or subsidiary within the EU. The existence of a "stable arrangement" is sufficient to have an establishment in the EU within the meaning of EU data protection law.
The Guidelines emphasize that "[t]he threshold for 'stable arrangement' can actually be quite low" for online services and that even the existence of one employee or agent within the EU may be sufficient for data controllers to meet the "stable arrangement" threshold depending on the stability of such arrangement.
The Guidelines confirm that the notion of establishment within the meaning of the GDPR is quite broad. That said, the EDPB also indicates that the mere existence of an employee in the EU, or the accessibility in the EU of the website of a data controller/processor, is not on its own sufficient to conclude that the relevant data controller/processor has an establishment in the Union.
Therefore, according to the Guidelines, to conclude that there is an establishment within the meaning of EU data protection law, there have to be stable arrangements of the non-EU data controller/processor (with a sufficient degree of stability) through which it conducts the effective and real exercise of its activities in the EU.
Example: A spare parts manufacturing company established and located in Turkey has a branch office located in Frankfurt that oversees all its operations in Germany, including marketing and advertisement activities. The German branch might be considered a stable arrangement for exercising real and effective activities in terms of the relevant company's economic activities. Therefore, the branch might be considered an establishment in the EU within the meaning of the GDPR.
Processing of personal data carried out in the context of activities of an establishment
The existence of an establishment in the EU is not sufficient to trigger the application of the GDPR. The processing in question should also be "in the context of the activities" of that establishment. That said, the Guidelines explicitly state it is not necessary that the relevant processing is carried out "by" that establishment [in the EU] and that it is sufficient for application of the GDPR if the processing is carried out in the context of that establishment's activities. To that end, the Guidelines explain that a case-by-case analysis is necessary to determine whether the processing is carried out in the context of the activities of the establishment in the EU.
The Guidelines provide two considerations to help determine whether the processing is in the context of the activities of the establishment in the EU.
Relationship between the non-EU data controller/processor and its establishment in the EU: If there is an "inextricable link" between the processing carried out by the non-EU data controller/processor and the activities of its EU establishment, GDPR will apply regardless of whether the EU establishment plays a role in the processing or not.
Revenue raising in the EU: If the establishment in the EU raises revenue in a way that is "inextricably linked" to the processing of personal data by the non-EU data controller/ processor, it may be indicative of the fact that the relevant processing is carried out in the context of the activities of the EU establishment.
Based on the foregoing, EDPB recommends that non-EU organizations first assess whether they process personal data and secondly identify links between the activities for which they process personal data and the activities of their presence (establishment) in the EU. Once they identify such a link, the non-EU organizations must assess whether GDPR applies to the relevant processing taking into account the foregoing two factors (one of which might be sufficient to determine that GDPR should apply).
Example: An e-commerce website operated by a company based in China has an office in Berlin, Germany, to conduct marketing activities for its platform towards the EU market. The company processes personal data of its customers for marketing purposes, including those pursued by its Berlin office. The Berlin office constitutes an establishment in the EU for the company. Moreover, the activities in connection with the processing of personal data related to EU sales are inextricably linked to the marketing and promotional activities of the Berlin office. Therefore, the processing of personal data related to EU sales by the Chinese company might be deemed processing in the context of the activities of an establishment of the data controller in the EU, and the GDPR applies to the relevant processing by virtue of Article 3(1) of the Regulation.
Lastly, non-EU data controllers/ processors should note that the place of processing is irrelevant in terms of application of the GDPR per Article 3(1) of the Regulation. In other words, where the conditions set forth under Article 3(1) of the Regulation exist, GDPR applies regardless of whether the processing takes place in the EU or not.
Targeting Criterion - Article 3(2)
The absence of an establishment in the EU within the meaning of Article 3(1) of the Regulation does not automatically exclude the processing activities of a non-EU data controller/processor from the scope of the GDPR. Regardless of whether they have an establishment in the EU or not, Article 3(2) of the Regulation identifies two activities through which the GDPR applies to non-EU data controllers if they target data subjects in the EU: (i) the offering of goods or services; and (ii) the monitoring of behaviour.
In that regard, the EDPB recommends first determining whether the processing relates to personal data of data subjects who are in the EU, and then whether it relates to the offering of goods or services or to the monitoring of behaviour.
Data subjects in the EU: The Guidelines explicitly state that, while the targeting should be intentional and not incidental, the application of the targeting criterion through data subjects in the EU is not limited by citizenship, residency or any other type of legal status.
Example: The Guidelines provide that (i) a mobile news service operating in a non-EU country, whose subscriber continues to receive contents while in the EU does not necessarily trigger the targeting criterion; while (ii) a city mapping/navigation service of a company established outside EU, which includes cities within the EU such as Paris and Rome in addition to other cities around the world, might trigger the targeting criterion.
Offering of goods or services - Article 3(2)(a)
If the processing of personal data of data subjects in the EU relates to offering of goods or services to data subjects in the EU, such processing triggers application of the GDPR through Article 3(2)(a) of the Regulation. Such application takes place regardless of whether a payment is required and the Guidelines clarify that information society services are also within the scope of "goods and services".
According to the Guidelines, the key element to assess is "whether the offer of goods or services is directed at a person in the [EU]". To that end, the Guidelines further explain that the conduct of the data controller must "demonstrate its intention" to offer goods or services to data subjects in the EU. Similarly, Recital 23 of the GDPR clarifies that it should be "apparent" that the data controller/processor envisages offering goods or services to data subjects in the EU.
The Guidelines confirm that the mere accessibility of a website from the EU territory, or the inadvertent or incidental provision of goods or services to a person in the EU territory, does not necessarily trigger the application of the GDPR by virtue of the targeting criterion.
While advising that the facts of each case be taken into account, the EDPB points out certain factors that might be considered when determining whether the processing activity relates to the offering of goods or services to data subjects in the EU. Some of these factors are as follows:
- designation of an EU member state by name with reference to the offering
- payment to a search engine operator for an internet referencing service in order to facilitate access by consumers in the EU
- dedicated addresses or phone numbers for EU countries
- use of a top-level domain other than that of the non-EU country where the data controller is established
- presentation of accounts written by customers from various EU member states
- use of a language or a currency of one or more of EU member states
- offering delivery of goods in EU member states
Example: The Guidelines evaluate the hypothetical case of a website, based and managed in Turkey, which is available in English, French, Dutch and German; and which accepts payment in Euros and states that products may be delivered to France, Benelux countries and Germany but only by post. The Guidelines state that such activity might be considered as offering of goods and services to and targeting persons in the EU. Accordingly, the company operating the website is considered subject to GDPR as a non-EU data controller.
Monitoring of behaviour - Article 3(2)(b)
Processing activity related to the monitoring of data subject behaviour might also trigger the application of the GDPR, if the data subjects are in the EU and their monitored behaviour takes place in the EU.
According to Recital 24 of the GDPR, monitoring consists of tracking natural persons on the internet, "including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning that person; or for analysing or predicting that person's personal preferences, behaviours and attitudes." Additionally, the EDPB explains that "tracking through other types of network or technology involving personal data" might also lead to the conclusion that the relevant processing activity constitutes behavioural monitoring (e.g. wearables and other smart devices).
EDPB also confirms that any collection or analysis of personal data of individuals in the EU would not automatically count as "monitoring"; and that it is necessary to consider the data controller's purposes for processing the relevant personal data and especially any subsequent "behavioural analysis" or "profiling techniques" used.
The Guidelines provide the following as examples of monitoring activities that might trigger application of the GDPR through Article 3(2)(b) of the Regulation:
- behavioural advertisement
- geo-localisation activities for marketing purposes
- personalised diet and health analytics services online
- market surveys and other behavioural studies based on individual profiles
- monitoring or regular reporting on an individual's health status
Example: According to the Guidelines, a consultancy company, which provides advice on retail layouts to its customers by way of tracking customer movement within their shops in the EU through Wi-Fi analysis might be subject to GDPR. This is because the tracking of customers might be considered as monitoring activity and the customers in EU shops are data subjects in the EU territory.
Non-EU processors
In order to determine whether the processing activities of a processor not established in the EU may be subject to the GDPR per the targeting criterion, the Guidelines state that the relation between the processing activities of the processor and the targeting activities of the data controller should be evaluated.
The EDPB explicitly states that if the processing activities of the non-EU processor relate to the offering of goods and services or to the monitoring of individuals' behaviour in the EU, any non-EU processor that is instructed to carry out that processing activity on behalf of the data controller will fall within the scope of the GDPR per Article 3(2) of the Regulation.
Example: An app developer established outside the EU monitors the behaviour of data subjects in the EU and is therefore subject to the GDPR. The developer uses a non-EU processor for the purposes of optimizing and maintaining the application. The non-EU processor's activity is not related to the monitoring of data subjects in the EU and is therefore not subject to the GDPR. That said, the app developer is required to use appropriate processors and to ensure compliance with its obligations under Article 28 of the Regulation.
Example: The Guidelines also provide the following example: a Turkish company offers package travel to individuals in the EU, and its processing activity in that regard is subject to the GDPR per Article 3(2) of the Regulation. Additionally, the company uses a call centre in Tunisia to contact former customers in the EU for feedback and marketing purposes. The activities of the Tunisian processor are related to the offering of services by the controller, and the processor actively takes part in carrying out the controller's targeting activities. Therefore, the Tunisian processor is also subject to the GDPR per Article 3(2) of the Regulation.
In light of the foregoing, non-EU data controllers/processors might benefit from the following checklist while determining whether their processing activities fall within the extraterritorial scope of the GDPR:
1. Do you have any presence in the EU through a subsidiary, branch, office or any other type of agent or employee that is intentionally located in an EU member state?
1.1. Is there a stable arrangement in place between you and your presence in the EU?
1.2. Would you consider that you conduct effective and real exercise of your activities in the EU through that presence and the relevant arrangements (excluding incidental/isolated/ exceptional cases)?
1.3. Do you conduct personal data processing activities, which relate to the activities of your presence in the EU?
1.4. Is there an inextricable (essential/regular/constant/ continuous) link between your personal data processing activities and (i) the activities of your EU presence; or (ii) revenue raised by your EU presence?
2. Do you process personal data of data subjects in the EU excluding any incidental and/or unintentional processing?
2.1. Do you offer goods or services to persons in the EU by directing and/or targeting them through any means such as marketing activities, advertisements, promotions or ease of use (language preferences, payment/ currency options, delivery options/arrangements etc.)?
2.2. Do you monitor data subjects in the EU through any tracking method including but not limited to cookies, applications, smart devices, wearables or any other similar technology/ tool/device?
2.3. Do you use personal data collected through the foregoing monitoring activities for any subsequent behavioural analysis or profiling purposes?
In light of the foregoing, non-EU data controllers and processors should be aware of the possibility that the GDPR might apply to all or some of their processing activities, even if they do not have a substantial and/or legal presence in the EU. Considering that reports suggest retailers from outside the EU generated 45% of the EUR 95 billion cross-border trade (excluding travel) in 2018, the GDPR might, as expected, become an issue for various business operations[2].
Non-compliance with the GDPR in terms of processing activities is subject to fines of up to EUR 20 million and 4% of the annual global turnover (whichever is higher). Moreover, non-EU controllers and processors subject to the GDPR are also required to appoint a representative in the EU to serve as their point of contact with the data protection authorities. Failure to appoint a representative is also subject to fines up to EUR 10 million and 2% of the annual global turnover (whichever is higher).
[1] Full English text available at https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf (last accessed on January 17, 2020)
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.