In general, the territorial scope of the General Data Protection Regulation (“GDPR”) is determined by reference to the location of the controller or processor of personal data (the “establishment criterion”), or for business not established in the EU, the location of the relevant data subjects (the “targeting criterion”). However, as the applicability of the GDPR in either case is driven by the factual circumstances in which the processing takes place, the GDPR’s reach must be determined on a case-by-case basis. This means that its scope and application can be difficult to delineate, particularly in the context of cross-border financial arrangements. This has resulted in considerable confusion, including among some organisations operating in the funds industry due to its cross-border nature and the scale of international outsourcing that is involved.
Against that backdrop, new draft guidelines on the territorial scope of the GDPR (the “Guidelines”) that were published recently by the European Data Protection Board (“EDPB”) for public consultation offer welcome clarity to investment funds and their service providers in identifying whether they are subject to the GDPR’s requirements. While the Guidelines essentially explain applicable sections of the GDPR and relevant case law and therefore do not contain any significant surprises, they will help debunk myths and misunderstandings that have arisen regarding the scope of the GDPR.
Article 3(1) of the GDPR provides that:
“This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
“Establishment” is a broad concept which is not clearly defined in the GDPR. The Guidelines state that the country of registration of a controller or processor is not determinative, and any stable arrangements in the EU (including, in certain circumstances, the presence of a single employee or agent in the EU) can be sufficient to conclude that an entity has an EU establishment. This means that investment funds or financial vehicles that are tax resident in the EU would almost certainly be considered to be ‘established’ in the EU for GDPR purposes, regardless of their country of incorporation. In addition, the Guidelines confirm that the location of the processing is irrelevant; any processing carried out “in the context of” the EU establishment will be subject to the GDPR.
It is also worth noting that, according to the Guidelines, the fact that a non-EU controller has a processor in the EU does not amount to the controller having an establishment in the EU. Consequently, where a non-EU incorporated fund appoints a service provider within the EU, this should not automatically bring the fund within the scope of the GDPR. The EU-based service provider is, however, likely to be obliged to comply with the provisions of the GDPR applicable to processors.
The Guidelines also helpfully confirm that the EDPB is of the view that where personal data is being processed in the context of the activities of an establishment in the EU, the GDPR will apply irrespective of the location or nationality of the data subjects. For example, a fund that is ‘established’ in the EU but deals with personal data relating to US residents only will be subject to the GDPR in relation to their data (even though they are US residents rather than EU residents). Similarly, an EU based service provider to a non-EU fund that processes personal data on behalf of that non-EU fund in the context of its establishment in the EU will be subject to the GDPR in relation to its processing (even if the fund itself is not subject to the GDPR and even if the personal data relates to non-EU residents only). This may help resolve misunderstandings that the GDPR applies for the benefit of EU citizens only.
Article 3(2) of the GDPR provides that:
“This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
The Guidelines set out factors that may be useful to a fund or service provider in determining whether it is offering goods or services to data subjects in the EU. For example, if a fund launches a marketing or advertising campaign directed at retail investors in the EU, or if ‘Europe’ or the name of an EU Member State is included in the name of a fund, these factors may tend to indicate that the fund is targeting data subjects in the EU. Mere accessibility of goods or services to individuals in the EU will not necessarily mean that goods or services are being ‘offered’ to those individuals. The Guidelines also emphasise that for the purpose of Article 3(2) the residence, nationality and citizenship of the ‘targeted’ data subjects are not determining factors, it is whether they are located in the EU that is the key criterion.
The Guidelines also give examples of types of activities that would amount to monitoring the behaviour of data subjects. These examples, which include behavioural advertising and the monitoring of an individual’s health status, are unlikely to be relevant to the activities of funds. It should be kept in mind, however, that other types of monitoring, such as monitoring financial behaviour for anti-money laundering purposes, might still bring a fund within the scope of Article 3(2)(b).
The Guidelines are not legally binding, but offer useful guidance and examples for funds and their service providers seeking to identify whether they are subject to the GDPR. For those that are, this is just the first of many steps involved in ensuring and monitoring compliance with the GDPR regime.