On 12 November 2019 the European Data Protection Board (EDPB) adopted its final guidelines on the territorial scope of the EU General Data Protection Regulation (2016/679) (GDPR).
The EDPB is an independent EU body which aims to ensure the GDPR's consistent application in the European Union. In particular, the EDPB can adopt general guidance (including guidelines, recommendations and best practice) to clarify the terms of EU data protection laws and provide a consistent interpretation of rights and obligations thereunder.
From a territorial perspective, the GDPR can apply to data controllers and processors both inside and outside the European Union.
Article 3 of the GDPR uses two key criteria to determine territorial scope: the 'establishment' criterion and the 'targeting' criterion. In a nutshell, the GDPR applies where a data controller or processor is established in the European Union, or where it is established outside the European Union but targets data subjects in the European Union.
| Establishment of controller or processor | Triggering processing activity |
| --- | --- |
| Established in the European Union | The processing of personal data in the context of the activities of that establishment |
| Not established in the European Union | The processing of the personal data of data subjects in the European Union where the processing activities relate to the offering of goods or services to such data subjects in the European Union |
| Not established in the European Union | The processing of the personal data of data subjects in the European Union where the processing activities relate to the monitoring of their behaviour, as far as that behaviour takes place in the European Union |
A controller or processor is considered to be 'established' in the European Union if it exercises effective and real activities through stable arrangements in the European Union.
The processing of personal data is carried out in the 'context of an establishment's activities' if the activity for which the data is being processed is inextricably linked to the establishment's activities in the European Union, regardless of whether the data processing takes place in the European Union.
The term 'data subjects in the European Union' means any data subjects located in the European Union when the triggering processing activity (eg, the offering of goods or services or the monitoring of behaviour) is carried out. This applies regardless of the data subjects' nationality or place of residence.
A data controller or processor is considered to be offering goods or services to data subjects in the European Union if they envisage establishing commercial relations with data subjects in one or more EU member states. In particular, the following factors should be taken into account:
- the use of a top-level domain name relating to the European Union or an EU member state (eg, '.de' or '.eu');
- the use of a language or currency of one or more EU member states (eg, the euro or the Danish krone); and
- offering the delivery of goods to one or more EU member states.
Binding or non-binding?
In principle, the EDPB's guidelines are not binding on companies. Nevertheless, they play an important role in the interpretation of the GDPR by the courts and data protection authorities.
Consequences of non-compliance?
If the GDPR turns out to apply to a company that did not expect it to, that company is unlikely to have taken measures to comply with it. In such cases, data protection authorities may impose fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher, under Articles 83 and 84 of the GDPR. Further, data subjects may claim compensation under Article 82 of the GDPR. From an EU perspective, it is unclear whether competitors can send cease and desist letters. Companies may also face indirect costs such as reputational damage and management time.
GDPR enforcement levels have been low thus far. However, enforcement is expected to increase in the long term. As the EDPB states in its guidelines, Article 3 of the GDPR reflects the legislature's aim to ensure the comprehensive protection of the rights of data subjects in the European Union and to establish a level playing field for companies acting on the EU market.
There appear to be no published enforcement examples relating to the territorial scope of the GDPR since it entered into force.
It is vital that data controllers and processors, especially those targeting the EU market, undertake a careful assessment of their processing activities to determine whether the related processing of personal data falls within the GDPR's territorial scope. The following questions can provide guidance on the next steps:
- Does an undertaking have an establishment in the European Union?
- Does it process personal data in the context of its activities in the European Union?
- Does it process personal data relating to data subjects located in the European Union?
- Does it offer goods or services to these data subjects?
- Does it monitor the behaviour of data subjects located in the European Union?
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.