EDPB Provides Clarity and Raises New Questions with Publication of Final Guidelines on the Territorial Scope of the GDPR
Following an extensive public consultation, the European Data Protection Board (“EDPB”) has published a final version of its guidelines on the territorial scope of the GDPR (“Guidelines”). This comes almost one year since the draft guidelines were originally published. Please read this blog together with our previous blog on the draft guidelines, as this blog addresses only the key differences between the draft guidelines and the Guidelines.
Establishment Test (Article 3(1), GDPR) – states that the GDPR applies to processing in the context of an establishment of a controller or processor in the EU
- The mere presence of an employee in the EU processing personal data relating only to the activities of a non-EU controller outside of the EU will not automatically bring the non-EU controller within scope of the GDPR. Instead, the relevant processing activities must be carried out in the context of the activities of the EU-based employee (i.e., in the context of the EU establishment). Organisations should assess this on a case by case basis.
Targeting Test (Article 3(2), GDPR) – states that the GDPR applies to controllers and processors established outside of the EU where the processing activities relate to (i) the offering of goods/services to individuals in the EU, or (ii) the monitoring of the behaviour of individuals in the EU.
- Processing activities of non-EU based processor will be subject to the GDPR where these activities ‘relate’ to the targeting by a non-EU based controller of individuals in the EU. This represents a significant change from the draft guidelines and indicates the EDPB is taking a broad view of the extraterritorial reach of the GDPR, even with respect to, for example, passive processing services such as, the operation of a virtual data room. In particular, the Guidelines provide that where the processing activities of a controller concern the offering of goods or services to, or the monitoring of the behaviour of, individuals in the EU, non-EU based processors contractually required to carry out such targeting on behalf of the controller, will fall within scope of the GDPR, with respect to the specific processing activity. For example, a U.S. organisation offering wellbeing services including, to individuals in the EU, monitors the behaviour of individuals in the EU via a health app. The U.S. organisation engages a cloud provider in the U.S. to host the app. In turn, the hosting of the health data of individuals in the EU by the U.S. cloud provider is “related to” the targeted offer of services by the U.S. controller and therefore, the specific processing activity falls within the scope of the GDPR.
- The GDPR applies to the specific processing activities undertaken by a non-EU organisation as opposed to the non-EU organisation as a whole. In turn, certain processing activities undertaken by the non-EU organisation may be subject to the GDPR whilst others may not. This is the case also for non-EU organisations subject to the GDPR by virtue of the Establishment Test (i.e., Article 3(1), GDPR).
- The offer of goods or services to individuals in the EU must be intentional, rather than inadvertent or incidental. For example, where a Japanese company offers subscription services exclusively to Japanese residents, but the service is not withdrawn when the individuals enter the EU e.g., for work or leisure purposes, the Japanese company would not become subject to the GDPR by virtue of the ongoing offering of the service.
The EU Data Protection Representative (Article 27, GDPR)
- The EU data protection representative (“DPR”) should not also be the organisation’s data protection officer. Nor should the DPR role be fulfilled by a third party engaged in processing activities as a processor for an on behalf of the non-EU organisation.
- According to the Guidelines, the concept of a DPR was introduced with the aim of facilitating the liaison with and ensuring effective enforcement of the GDPR against controller or processors that fall under Article 3(2) of the GDPR. In turn, enforcement proceedings can be initiated “through” the DPR – as opposed to “against” the DPR as was the wording in the draft guidelines.
- The DPR is liable only for breaches of obligations directly imposed on the DPR under the GDPR i.e., the obligation to maintain the data processing record and to respond to information requests from the supervisory authorities. The appointment of a DPR in turn, does not affect the liability or responsibility under the GDPR of the non-EU organisation.