The General Data Protection Regulation (EU) 2016/679, or GDPR, has a much wider territorial scope than organisations may expect. Some organisations that are not established in the EU may have to comply with the GDPR. Even for groups established in the EU, their operations outside of the EU may, in certain circumstances, fall under the scope of the GDPR.
The European Data Protection Board (EDPB) has finally published its long-awaited final version of the guidelines 3/2018 on the territorial scope of the GDPR (article 3). Such a standard interpretation is essential for controllers and processors, both within and outside the EU, so that they may assess whether they need to comply with the GDPR for a given processing activity. It is, therefore, essential that controllers and processors, especially those offering goods and services at an international level, undertake a careful, concrete assessment of their processing activities in order to determine whether the related processing of personal data falls under the scope of the GDPR.
Article 3 of the GDPR defines the territorial scope of the regulation using two main criteria with respect to businesses: “Establishment” (Article 3(1)) and “Targeting” (Article 3(2)). We are presenting each of these criteria through two posts. Part 1 is detailed below, Part 2 will be detailed in a separate post shortly hereafter.
Part 1: Article 3 (1) GDPR and the first criterion: the Establishment criterion
Article 3 (1) GDPR provides that the “Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
It is important to note that Article 3 (1) GDPR refers not only to an establishment of a controller, but also to an establishment of a processor, whereas the previous regime of the EU Data Protection Directive 95/46/EC (Directive 95/46) only referred to the establishment of the controller.
Moreover, some companies tend to forget that, when the establishment criterion applies, the GDPR governs the processing of personal data even when such processing activities take place outside of the EU. Hence, the importance of determining when the establishment criterion applies.
Wide Interpretation of “Establishment in the EU”
The Guidelines rely on the very broad interpretation of an establishment made by the Court of Justice of the European Union in several decisions under Directive 95/46.
The EDPB has a “threefold approach”:
- First, it considers the definition of an “establishment” in the EU within the meaning of EU data protection law.
The GDPR does not provide a definition of establishment, but Recital 22 indicates that “establishment implies the effective and real exercise of activities through stable arrangements”.
In several rulings, the CJEU has adopted a broad interpretation of the term establishment when it applies to data protection[i], “departing from a formalistic approach whereby undertakings are established solely in the place where they are registered”. This means that there can be an establishment within the meaning of data protection law even when there is no registered branch or subsidiary.
As a result, the EDPB stresses in the Guidelines that “the threshold for “stable arrangement” can actually be quite low when the centre of activities of a controller concerns the provision of services online. In some circumstances, the presence of one single employee or agent of the non-EU entity in the Union may be sufficient.”
In the final version of the Guidelines, however, the EDPB recognises that the “mere presence of an employee in the EU is not as such sufficient to trigger the application of the GDPR, since for the processing in question to fall within the scope of the GDPR, it must also be carried out in the context of the activities of the EU-based employee”.
Example provided by EDPB: A car manufacturing company with headquarters in the US has a fully-owned branch office located in Brussels overseeing all its operations in Europe, including marketing and advertisement. The Belgian branch can be considered an establishment in the Union, within the meaning of the GDPR.
- Second, it examines what is meant by “processing in the context of the activities of an establishment in the Union”.
Under Article 3 (1), it is not necessary that the processing in question is carried out “by” the relevant EU establishment itself; it is enough that the processing takes place “in the context of the activities” of that establishment. This is what makes the assessment particularly difficult.
As recommended by the EDPB:
“Once it is concluded that a controller or processor is established in the EU, an in concreto analysis should then follow to determine whether the processing in question is carried out in the context of the activities of this establishment”. To that effect, organisations should seek to identify “potential links between the activity for which the data is being processed and the activities of any presence of the organisation in the Union. If such a link is identified, the nature of this link will be key in determining whether the GDPR applies to the processing in question”.
Two factors may help to determine this on a case-by-case basis:
- If the facts show that there is an “inextricable link” between the processing of personal data carried out by a non-EU controller or processor and the activities of an EU establishment; and
- “Revenue-raising in the EU by a local establishment, to the extent that such activities can be considered “inextricably linked” to the processing of personal data taking place outside the EU and individuals in the EU, may be indicative of processing by a non-EU controller or processor being carried out “in the context of the activities of the EU establishment””.
Where the activities are inextricably linked, “this triggers the applicability of EU law, even if that local establishment is not actually taking any role in the data processing itself”.
In the final version of the Guidelines, however, the EDPB also recognises that “some commercial activity carried out by a non-EU entity within a Member state may indeed be so far removed from the processing of personal data by this entity that the existence of the commercial activity in the EU would not be sufficient to bring the data processing by the non-EU entity within the scope of EU data protection law”.
Example provided by EDPB: An e-commerce website is operated by a company based in China. The personal data processing activities of the company are exclusively carried out in China. The Chinese company has established a European office in Berlin in order to lead and implement commercial prospection and marketing campaigns towards EU markets.
The activities of the European office in Berlin are inextricably linked to the processing of personal data carried out by the Chinese e-commerce website, insofar as the commercial prospection and marketing campaign towards EU markets notably serve to make the service offered by the e-commerce website profitable. The processing of personal data by the Chinese company in connection with EU sales can, therefore, be considered as carried out in the context of the activities of the European office, as an establishment in the Union.
- Last, it confirms that the GDPR will apply regardless of whether the processing carried out in the context of the activities of this establishment takes place in the Union or not.
Example provided by EDPB: A pharmaceutical company with headquarters in Stockholm has located all its personal data processing activities with regards to its clinical trial data in its branch based in Singapore. While the processing activities are taking place in Singapore, that processing is carried out in the context of the activities of the pharmaceutical company in Stockholm. The provisions of the GDPR therefore apply to such processing.
Establishment of the Controller and of the Processor to Be Considered Separately
The EDPB emphasises that it is important to consider the establishment of the controller and processor separately.
Processing by a Controller Established in the EU Instructing a Processor Not Established in the EU
In such a case, the non-EU processor is not subject to the GDPR as a matter of law. However, the EU controller would have to impose GDPR obligations on the non-EU processor by contract (compliant with Article 28 GDPR).
Processing on Behalf of a Non-EU Controller by an EU Processor
A non-EU controller, unless other factors are relevant, will not become subject to the GDPR simply because it chooses to use a processor in the EU. However, in this case, the EU processor still has to comply with the GDPR as regards its processing activities.
Moreover, the EDPB insists that, even in this scenario, the EU territory cannot be used as a “data haven”, especially if the processing is to do with inadmissible ethical issues, or breach of EU or national public order rules. This will put all the burden of compliance on the processor.
As regards this particular scenario, there is still an important part that is missing and that creates a risk for the EU processor. The EDPB has provided no further guidance on how such a processor will be able to comply with its GDPR obligations relating to international transfers with regard to (i) the relationship with its non-EU controller/client or (ii) the relationship with any sub-processor. The EDPB does, however, acknowledge that further guidance will be required on international transfers.
In light of the CJEU case law, as reflected in the Guidelines, organisations should carefully assess, based on their specific organisational structure, whether the GDPR applies to their processing activities.
Article 3(2) of the GDPR and the second criterion, the Targeting criterion, will be examined in Part 2.
[i] See, in particular, Google Spain SL, Google Inc. v AEPD, Mario Costeja González (C-131/12), Weltimmo v NAIH (C-230/14), Verein für Konsumenteninformation v Amazon EU (C-191/15) and Wirtschaftsakademie Schleswig-Holstein (C-210/16).