On 12 November 2019, at its 15th plenary meeting, the European Data Protection Board (EDPB) adopted final guidelines on the territorial scope of the General Data Protection Regulation (GDPR) (the guidelines) following public consultation.
We have previously considered the draft guidelines on our blog. The first of the two blogs considered the extra-territorial scope of the GDPR (here), and the second blog post considered the need for non-European Union (EU) controllers to designate a representative located in the EU (here).
The guidelines seek to provide a common interpretation of the GDPR Article 3 for data protection authorities when assessing whether processing by a controller or a processor falls within the territorial scope of the GDPR. The final guidelines maintain the interpretation adopted in the first draft of the guidelines but now include further explanations from the EDPB addressing comments received during the public consultation. Below, we consider some of the EDPB’s new additions in the final version of the guidelines available here.
Processor not established in the EU
Following feedback from the public consultation, EDPB inserted a new guidance section relating to processors not established in the EU.
The guidelines state that in order to determine whether its processing activities may be subject to the GDPR Article 3(2), it is necessary to look at whether the processing activities by the processor ‘are related’ to the targeting activities of the controller. Where the processing activities by a controller relate to the offering of goods or services or to the monitoring of individuals’ behaviour in the EU (targeting), any processor instructed to carry out a processing activity on behalf of the controller will fall within the scope of the GDPR Article 3(2).
The EDPB therefore suggests focusing on the connection between the processing activities carried out by the processor and the targeting activities undertaken by a data controller. If the processing activities by the processor, under the instruction of the controller, are related to the offering of goods or services to the data subjects in the EU, the processing activity by the processor not established in the EU will be subject to the GDPR.
Liabilities of the EU representative
Controllers or processors caught by the GDPR who do not have an EU establishment must designate an EU representative in accordance with Article 27, unless they meet the exemption criteria. Recital 80 of the GDPR states that the representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.
In the first draft of the guidelines it was not clear if the EU representatives were liable for the failure of controllers or processors to comply with their GDPR obligations: a supervisory authority could “initiate enforcement against a representative” (emphasis added). This has been amended to read “initiate enforcement through a representative” (emphasis added). This suggests that the Article 27 representative will not be directly liable, but will be a conduit through which supervisory authorities can pursue the controller or processor. The EDPB clarifies that the possibility to hold a representative directly liable is limited to the representatives direct obligations referred to in the GDPR Articles 30 (records of processing) and 58(1) (investigative powers). This encourages local representative services providers to enter the market and may ease the challenge of finding a local representative for companies not based in the EU.
What if an organisation that is established outside the EU and falls within the territorial scope of the GDPR by virtue of Article 3(2) does not appoint an Article 27 representative? Of course, this will be a breach of the GDPR, but how can supervisory authorities commence enforcement proceedings? Article 50 of the GDPR allows for the development of international cooperation mechanisms to facilitate the enforcement of data protection legislation in relation to third countries and international organisations. Thus far, no such mechanisms have been developed. Whilst not providing a substantive update, the EDPB confirms that it is considering the development of international cooperation mechanisms. Keep an eye on this blog for further updates!