In November 2019 the European Data Protection Board (EDPB) published its finalised Guidelines [1] on the territorial scope of the EU General Data Protection Regulation (GDPR) [2].
The GDPR can apply to organisations across the world. Given that penalties for breach of the GDPR can amount to fines of up to 4% of turnover or 20 million Euros, whichever is the greater, and criminal penalties at local level for individuals, including for directors in some jurisdictions, it is important for all organisations and personnel who process personal data to understand their obligations.
Organisations with any connection to or business in the European Economic Area (EEA) should review the guidance and/or take advice, carry out an analysis of their processing of personal data, and take action accordingly. The Guidelines can be accessed here.
- The application of the GDPR should be assessed on a case by case basis for each data processing activity (the UK ICO has interpreted “processing activity” broadly, for example human resources functions, marketing activity, etc.).
- The fact that certain data processing activities of an organisation fall within the scope of the GDPR does not necessarily mean that all of that organisation’s data processing activities are subject to the GDPR.
- Whilst ‘establishment’ is a broad concept, there are limitations to it. A single employee or agent in the EEA may constitute an ‘establishment’ which triggers the application of the GDPR. But the mere presence of an employee or agent in the EEA will not trigger application of the GDPR unless the processing of personal data relates to activities of the EEA-based employee or agent.
- For organisations not established in the EEA, the guidance clarifies the process for designating a representative in the EEA, explains the representative’s responsibilities and obligations, and adds that local supervisory authorities may enforce against non-EEA organisations “through” their representatives.
- After Brexit and any transition period, organisations not established in the UK but which “target” individuals in the UK (by offering them goods or services or monitoring them in the UK) will need to appoint a representative in the UK.
Territorial scope: establishment vs targeting
The Guidance clarifies that there are two essential criteria set out in Article 3 of the GDPR: the ‘establishment’ criterion and the ‘targeting’ criterion. Where one of these applies, the GDPR will apply to the processing in question:
- Establishment criterion: The GDPR applies to the processing of personal data in the context of the activities of an establishment of an organisation (whether controller or processor) in the EEA, or in a place where EEA Member State law applies by virtue of public international law, regardless of where the processing itself takes place; and/or
- Targeting criterion: The GDPR applies to the processing of personal data by an organisation not established in the EEA, but which:
  - Offers goods or services to individuals located in the EEA; and/or
  - Monitors the behaviour of individuals located in the EEA.
The GDPR is not triggered by the nationality of the individuals concerned, although the location of the individuals is relevant if the targeting criterion applies.
The GDPR does not define ‘establishment’. However, there is extensive case law on the subject, which pre-dates the GDPR. The Guidance draws on previous case law and emphasises that ‘establishment’ requires a “stable arrangement” in the EEA. This is a low hurdle. However, a non-EEA entity will not have an establishment in the EEA merely because its website is accessible in the EEA.
In the context of the activities of the EEA establishment
On processing “in the context of the activities of” the EEA establishment, organisations should consider: (i) the relationship between an organisation outside of the EEA and its local establishment in the EEA; and (ii) revenue generated in the EEA.
Non-EEA organisations should assess their processing activities, first by checking whether personal data are being processed, and secondly by identifying potential links between the activity for which the data is being processed and the activities of any presence of the organisation in the EEA. The nature of any link between the activity and the EEA presence is key in determining whether the GDPR applies to the processing in question. The processing need not be carried out by the organisation itself, and can take place outside of the EEA.
Controllers and processors
The GDPR applies to both controllers and processors. The Guidance clarifies that the existence of a relationship between a controller and a processor does not necessarily trigger the application of the GDPR to either entity, if it is not established in the EEA.
The targeting criterion and organisations not ‘established’ in the EEA
An organisation not established in the EEA cannot benefit from the ‘one-stop shop’ mechanism provided for in Article 56 of the GDPR (whereby one ‘lead supervisory authority’ will enforce against it, rather than separate supervisory authorities in each EEA Member State).
For the ‘targeting’ criterion, the Guidance stresses that:
- the GDPR can apply to some processing activities but not others: it is essential to consider the processing activities in question; and
- the GDPR will not apply merely because an organisation is processing personal data of an individual in the EEA: the element of “targeting” individuals in the EEA, either by offering goods or services to them or by monitoring their behaviour must always be present as well.
Offering goods or services
The concept of “offering of goods or services” includes the offering of ‘information society services’ [3], and other services which are not for payment.
The Guidance lists a number of factors which could indicate targeting of individuals in the EEA. For example, if the description of the good or service mentions an EEA country, or the nature of the activity is international (eg. certain tourist activities), or where marketing and advertisement campaigns are directed at an EEA country audience. The fact that a website is accessible from the EEA does not by itself constitute ‘targeting’ individuals located in the EEA.
For the monitoring element of the targeting criterion to apply there is no need to show intention to target the individuals. However, ‘monitoring’ implies a specific purpose for the collection and subsequent reuse of the relevant data about an individual’s behaviour within the EEA. The controller’s purpose is key, as is any subsequent behavioural analysis or profiling techniques involving that data.
The Guidance specifically mentions the following activities as relevant ‘monitoring activities’:
- Behavioural advertisement (tracking);
- Geo-localisation activities, in particular for marketing purposes;
- Personalised diet and health analytics services online;
- Market surveys and other behavioural studies based on individual profiles; and
- Monitoring or regular reporting on an individual’s health status.
Processors not established in the EEA carrying out targeting activities
Decisions on how and why personal data will be processed can only be made by controllers. However, a processor may actively take part in processing activities related to carrying out targeting. In such circumstances, the processor will have its own obligations under the GDPR (for example to keep the personal data secure).
Processing in a place where Member State Law applies by virtue of Public International Law
The Guidance gives some specific examples of situations in which the GDPR applies outside of the EEA:
Appointment of representatives in the EEA
The Guidance points out that, where the targeting criterion applies, the organisation must appoint a ‘representative’ within the EEA, unless an exemption applies, ie if the processing is: (i) occasional; (ii) does not involve large scale processing of special category personal data or criminal records data; and (iii) is unlikely to result in a risk to the individuals concerned in the circumstances. Appointments must be by a “written mandate”, eg. a service contract. A representative can be a natural or a legal person, and must be itself established within the EEA (in the same location as relevant data subjects). One representative can act on behalf of multiple controllers and processors.
Following the UK’s proposed exit from the EU (and EEA) and any transition agreement, non-UK organisations established in the UK or targeting the UK will need to appoint a representative in the UK in addition to any representative in the EEA.
Responsibilities of the representative
The Guidance says that the representative is not itself responsible for complying with data subjects’ rights, but must facilitate compliance with such rights. It must also maintain the controller or processor’s records of processing, and liaise with supervisory authorities and provide information on behalf of its principal.
The Guidance makes clear that the representative will not be liable for breaches of the controller or processor it represents. But local supervisory authorities may “initiate enforcement proceedings through” it, including by “address[ing] corrective measures or administrative fines and penalties imposed on the controller or processor not established in the Union to the representative”.
If they have not already done so, organisations should:
- Carry out a data audit, checking what personal data they process, why and in what context;
- Consider whether the organisation is ‘established’ in the EEA (or the UK), and if not, whether the targeting criterion applies (ie. whether the organisation offers goods or services to, or monitors, individuals located in the EEA (or the UK));
- If an organisation is not established in the EEA (or the UK) but the targeting criterion applies, appoint a representative in the EEA (or the UK).