During its 15th plenary session (November 12-13, 2019), the European Data Protection Board (EDPB) adopted the final version of the territorial scope guidelines, which had been submitted for public consultation on November 16, 2018. The guidelines clarify how EU Regulation 2016/679 applies and provide a number of examples illustrating the reach of the Regulation under Article 3.1 (establishment criterion) and Article 3.2 (targeting criterion), as well as under Article 3.3 (processing in a place where Member State law applies by virtue of public international law).
Art. 3 GDPR and general remarks
The European Data Protection Board (EDPB) has recently published the definitive guidelines for the correct reading and interpretation of Art. 3 of Reg. EU 2016/679 (better known as the “GDPR”). This article defines the territorial scope of the Regulation according to two main criteria, the establishment criterion and the targeting criterion, and extends the Regulation’s applicability to the processing of personal data carried out by a data controller who is not established in the European Union but in a place where the law of a Member State applies by virtue of public international law.
This important rule reflects the legislator’s intention to ensure full protection of data subjects’ rights in the EU and to establish a level playing field for companies operating on EU markets, in a context where data flows take place constantly and worldwide. However, it has raised a number of interpretative doubts that the recent guidelines aim to resolve, making them an essential vademecum for all companies operating outside the European Union that need to understand whether or not their activity falls within the scope of the GDPR.
The 28-page document published by the EDPB, currently available in English only, is detailed and includes a number of practical examples to make it easier to understand.
The EDPB Guidelines
1 – Application of the establishment criterion to controller and processor
Referring to the first criterion, Article 3(1) of the GDPR states that “the Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”.
Essentially, for the Regulation to be applicable, it is sufficient that: a) a controller or a processor is present in the Union through an establishment; and b) the processing takes place in the context of the activities of that establishment, regardless of the place or nationality of the data subject whose personal data are being processed. It should be pointed out that, according to Recital 22, an establishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether a branch or a subsidiary with legal personality, is not the determining factor in that respect.
The EDPB guidelines make it clear that the definition of ‘permanent establishment’ must be understood in a broad sense, especially in cases involving the provision of services online. As a result, in some circumstances, the presence of one single employee or agent of a non-EU entity in the Union, acting with a sufficient degree of stability, may be sufficient to constitute a stable arrangement. Conversely, the mere presence of an employee in the EU when the processing is not being carried out within the employee’s activities will not mean that the processing falls within the scope of the GDPR.
Whether the processing is carried out in the context of the activities of a controller’s or processor’s establishment in the Union must be analysed on a case-by-case basis. The guidelines nevertheless provide some criteria to be taken into account, such as the relationship between the controller or processor outside the Union and its local establishment in the Union, and the revenue raised within the European Union.
The existence of a relationship between a controller and a processor does not necessarily imply that the GDPR applies to both, if one of the two entities is not established in the Union. Where a data controller subject to the GDPR chooses to use a processor located outside the EU for a processing activity, the data controller must still ensure, by contract or other legal act pursuant to Art. 28 GDPR, that the processor processes the data in accordance with the GDPR. The processor located outside the Union will therefore become indirectly subject to some GDPR obligations, imposed by the controller through contractual arrangements.
In the case of a processor established in the Union carrying out processing on behalf of a controller established outside the Union and not subject to the GDPR, the EDPB considers that the controller’s processing activities do not fall within the territorial scope of the GDPR (Article 3.2) merely because they are carried out on its behalf by a processor established in the Union. However, even though the controller is not established in the Union and is not subject to the GDPR under Article 3(2), the processor, being established in the Union, will be subject to the relevant provisions of the GDPR under Article 3(1).
2 – The criterion of the physical and geographical location of data subjects
Paragraph 2 of art. 3 GDPR establishes that the Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
The guidelines consider the location of the person concerned, rather than nationality or legal status, the decisive factor in assessing whether data subjects are in the EU, since, as specified in Recital 14, the protection conferred by the Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.
The location requirement must be assessed when the activity takes place, for instance at the time of the offering of goods or services or the monitoring of their behaviour, regardless of the duration of the offer made or of the monitoring carried out.
It should also be noted that the processing of personal data of EU citizens or residents that takes place in a third country does not trigger the application of the GDPR, provided that the processing is not linked to a specific offer addressed to individuals in the EU or a monitoring of their behaviour in the Union.
When assessing the offering of goods or services, which also includes information society services, the targeting criterion must be applied, regardless of whether a payment is requested from the data subject.
3 – The application of the Regulation in a place where Member State law applies under international law
Article 3 paragraph 3 of the GDPR establishes that the Regulation also applies to the processing of personal data carried out by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
According to the guidelines, the GDPR therefore applies to the processing of personal data carried out by embassies and consulates of EU Member States located outside the EU.
4 – The obligation to appoint a representative
With regard to the obligation for controllers or processors not established in the Union to appoint a representative in the Union, subject to the exceptions laid down by the Regulation, the guidelines first clarify that the presence of the representative in the Union does not constitute an “establishment”. They further clarify that the function of representative in the Union is not compatible with the role of an external data protection officer (DPO), who must carry out his/her tasks with a sufficient degree of autonomy within the organization, nor with the role of data controller for the same data controller. The guidelines also recall that, under Article 13, paragraph 1, letter a) and Article 14, paragraph 1, letter a), controllers must, as part of their information obligations, provide data subjects with information on the identity of their representative in the Union.