EDPB Publishes Final Version of Guidelines on the GDPR's Territorial Scope
6 Minute Read
Categories: European Union, International
At its 15th plenary meeting, the European Data Protection Board (“EDPB”) adopted the final guidelines on the territorial scope of the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”), taking into account the feedback it received during the public consultation of its draft guidelines published on November 23, 2018.
The Guidelines are designed to assist both companies and regulators in assessing whether certain data processing activities are within the scope of the GDPR.
The final version of the Guidelines includes some noteworthy changes to last year’s draft guidelines:
- The EDPB emphasizes that the application of the GDPR should be assessed per data processing activity. The fact that certain data processing activities of an organization fall within the scope of the GDPR does not necessarily mean that all the organization’s data processing activities are subject to the GDPR.
- Regarding the “establishment” criterion used in Article 3(1) of the GDPR, the Guidelines clarify that, although it is a broad concept, there are limitations to it. For example, a single employee in the EU may constitute an “establishment” in the sense of the GDPR, but the presence of an employee in the EU as such does not trigger the application of the GDPR. The GDPR only applies to data processing activities that are related to the activities of the EU-based employee and not to data processing activities that relate to the activities of a controller outside the EU. Furthermore, the mere fact that a non-EU entity has a website accessible to users in the EU is not sufficient to conclude that this entity is established in the EU.
- The final version of the Guidelines also includes important clarifications with respect to the extra-territorial application of the GDPR (i.e., to controllers and processors that are not established in the EU). The EDPB, for example, emphasizes that for data processing activities of a non-EU entity, in relation to offering goods or services in the EU, to become subject to the GDPR these should result from intentionally, rather than inadvertently or incidentally, targeting goods or services to individuals in the EU. On the other hand, data processing that relates to services or products targeted to individuals outside the EU, but that continues when such individuals enter the EU, will not necessarily be subject to the GDPR. Furthermore, a new section was added to the Guidelines that specifically addresses the application of the GDPR to data processors established outside the EU that carry out data processing activities on behalf of non-EU data controllers, which are subject to the GDPR based on Article 3(2). On this point, the EDPB takes the position that both the activities of the processor and the controller should be taken into account when assessing whether the data processing activities carried out by the processor also fall within the extra-territorial scope of the GDPR. This is a broad interpretation, which requires that non-EU processors carrying out data processing activities relating to the offering of goods or services to, or the monitoring of behavior of, individuals in the EU by a controller will be subject to the GDPR when carrying out these processing activities. Therefore, if the processor’s data processing activities are connected to the controller’s activities targeted to individuals in the EU, the processor’s data processing activities will be subject to the GDPR. The EDPB, for example, indicates that a U.S. cloud provider will be subject to the GDPR when it provides data storage services to a U.S. health and lifestyle app developer that monitors the behavior of app users in the EU. This is somewhat surprising given that the EDPB has taken a different view when it comes to the application of the establishment criterion under Article 3(1) of the GDPR to controllers and processors. In the latter case, the EDPB indicates in the Guidelines that the data processing by each entity must be considered separately and that the existence of a relationship between a controller and a processor does not necessarily trigger the application of the GDPR to both if one of these two entities is not established in the EU. Following the EDPB’s interpretation set out in the Guidelines, non-EU processors carrying out data processing activities subject to the GDPR on the basis of Article 3(2) because they relate to an offering of goods or services to, or monitoring behavior of individuals in the EU by a controller are directly subject to the GDPR. On the other hand, non-EU processors carrying out data processing activities subject to the GDPR, because they take place in the context of the activities of a controller’s establishment in the EU, only become indirectly subject to some obligations of the GDPR imposed by virtue of contractual arrangements under Article 28 and the provisions of Chapter V of the GDPR.
- The EDPB also added a specific section on the interaction between the territorial scope components of the GDPR and (1) other provisions of the GDPR, and (2) third country national laws to which non-EU entities falling within the extraterritorial scope of the GDPR are subject in their own country. With respect to the other provisions of the GDPR, the Guidelines unfortunately do not provide any further guidance on the interplay between the extraterritorial scope of the GDPR and the provisions of Chapter V of the GDPR on international data transfers. The EDPB indicated that it will assess this issue and may adopt further guidance if necessary. On the second point, the Guidelines clarify that non-EU entities, whose data processing activities fall both within the scope of the GDPR based on Article 3(2) and the national (data protection) laws of the third country where they are established, will need to comply with their obligations under both applicable legislative regimes.
- With respect to the role of the EU representative that companies not established in the EU are required to appoint under Article 27 of the GDPR, the final version of the Guidelines clarifies that one representative can be appointed for several data processing activities of a non-EU entity that fall within the scope of the GDPR. However, the EDPB states that the role of a non-EU controller’s or processor’s representative is not compatible with the duties and tasks of a data protection officer and those roles cannot be combined. With respect to the EU representative’s liability, the EDPB clarifies that the direct liability of the representative is limited to the latter’s direct obligations under the GDPR, such as the obligation to maintain a record of data processing activities under the responsibility of the controller or processor.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code