On November 14, 2019, the EDPB adopted a final version of Guidelines 3/2018 on the territorial scope of the GDPR (Art. 3). This takes into account the contributions and feedback that the EDPB received during a public consultation on a draft version of the guidelines (see here).

The draft version of the guidelines raised many questions, which the final version aims to address by clarifying that:

  1. Article 3 determines whether the GDPR applies to a processing activity (e., purpose for processing personal data) and not whether a controller or processor is subject to the GDPR.
  2. The mere presence of an employee in the EU does not suffice to trigger the application of the GDPR; in order for the processing activity to be covered by the GDPR, it must be carried out in the context of the activities of the EU-based employee.
  3. A processing activity will not fall outside the scope of Art. 3(1) simply because the controller in the EU instructs a non-EU processor to carry out the processing.
  4. The inadvertent or incidental offering of goods or services to individuals in the EU (g., to non-EU individuals travelling in the EU) does not trigger the application of the GDPR.
  5. The provision of certain targeted advertisement to individuals in the EU, for example, on the basis of their location, triggers the application of the GDPR because it qualifies as monitoring the behavior of individuals in the EU (Art. 3(2)(b)).
  6. A non-EU processor that targets or monitors the behavior of EU individuals on behalf of a controller (g., carries out a social media campaign targeting individuals in the EU or stores data of an app offered to individuals in the EU), must comply with the GDPR with regard to that processing.
  7. Where requested by the Supervisory Authority, the GDPR representative (Art. 27) must be able to produce a copy of the record of processing operations.
  8. The GDPR representative can only be held directly liable for violations of its own obligations, such as under Art. 30 and 58(1)(a) (record of processing operations and cooperation with Supervisory Authorities) and not for violations committed by the non-EU controller or processor.
  9. The GDPR representative of a non-EU controller apparently cannot be a processor of that controller. The EDPB does not explain why this is. Given the limited direct liability of the representative, it is unclear why a processor could not be the liaison of a controller and the “addressee” of corrective measures imposed on the controller.

The EDPB will increase international cooperation in order to facilitate enforcement against controllers and processors established in third countries and against international organizations (Art. 50).