The extension of its territorial reach is one of the main changes in European data protection law. Provided that certain conditions are fulfilled, non-EU organisations can also be subject to the obligations set out by the GDPR. The relevant conditions, however, are formulated quite vaguely and are thus subject to interpretation. On 23 November 2018, the European Data Protection Board (EDPB) issued draft guidelines on how these vague terms should be understood (see here). The draft guidelines are open to public consultation, the deadline for submitting comments being 18 January 2019. The main points of the draft guidelines can be summarized as follows:
The "establishment" criterion
As per Article 3(1) GDPR, the GDPR applies to "the processing of personal data in the context of the activities of an establishment of the controller or a processor in the EU, regardless of whether the processing takes place in the EU or not". In this regard, the EDPB recommends a threefold approach (to be made on a case-by-case basis for each relevant data processing activity):
- Establishment in the EU: An establishment implies the effective and real exercise of activities through stable arrangements, regardless of its legal form (e.g. subsidiary, branch, office,…). According to the EDPB, in some circumstances even the presence of one single employee or agent of the non-EU entity may be sufficient to constitute a stable arrangement if that employee or agent acts with a sufficient degree of stability. Thus, the fact that a non-EU entity responsible for a specific data processing activity does not have a branch or subsidiary in the EU does not preclude it from having an establishment there within the meaning of EU data protection law.
- Processing carried out in the context of activities of an establishment: Even if the local establishment in the EU does not actually take any role in the non-EU entity's data processing itself, its activities may be inextricably linked to that data processing activity. According to the EDPB, this might be the case if the EU establishment carries out commercial prospection and marketing campaigns towards EU markets in order to make the service offered by a non-EU entity (more) profitable.
- Place of processing: In determining the territorial scope of the GDPR, geographical location will be important with regard to the establishment of the data controller or data processor itself, or any business presence of a non-EU controller or processor, but not with regard to the place in which the processing is carried out.
Instructing a data processor in the EU will not automatically make a non-EU entity subject to the GDPR. Yet the EU data processor and the non-EU data controller will have to enter into a data processing agreement. Although the GDPR would not apply to the non-EU entity, the EU data processor would be obliged to conclude such an agreement, even with data controllers outside of the EU.
The "targeting" criterion
The absence of an establishment in the EU does not necessarily mean that a data controller or data processor established outside of the EU would be excluded from the scope of the GDPR. The GDPR further provides that it applies to "the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or (b) the monitoring of their behaviour as far as their behaviour takes place within the EU". In this regard the EDPB recommends the following:
- Data subject in the EU: The requirement that the data subject be located in the EU must be assessed at the moment when the relevant trigger activity takes place, i.e. at the moment of offering goods or services or the moment when the behaviour is being monitored, regardless of the duration of the offer made or monitoring undertaken. In addition, the element of "targeting" individuals in the EU (either by offering goods or services to them or by monitoring their behaviour) must always be present. As long as the data processing is not related to a specific offer directed at individuals in the EU or to the monitoring of their behaviour in the EU, the processing of data of EU citizens or residents that takes place in a third country does not trigger the application of the GDPR.
- Offering goods or services: First, the EDPB considers that there needs to be a (direct or indirect) connection between the processing activity and the offering of a good or a service. Second, the EDPB confirms that the mere accessibility of a website in the EU does not, of itself, provide sufficient evidence to demonstrate the controller's or processor's intention to offer goods or services to a data subject located in the EU. The following elements may be taken into account: (i) the EU or at least one Member State is designated by name with reference to the good or service offered; (ii) the data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union; (iii) the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience; (iv) the international nature of the activity at issue, such as certain tourist activities; (v) the mention of dedicated addresses or phone numbers to be reached from an EU country; (vi) the use of a top-level domain name other than that of the third country in which the controller or processor is established, for example ".at", or the use of neutral top-level domain names such as ".eu"; (vii) the description of travel instructions from one or more other EU Member States to the place where the service is provided; (viii) mentioning an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers; (ix) the use of a language or a currency other than that generally used in the trader's country, especially a language or currency of one or more EU Member States; or (x) that delivery of goods in EU Member States is offered.
Designating a representative
Data controllers and data processors established outside of the EU that only fulfil the "targeting" criterion are under the obligation to designate a representative in the EU. Such a representative can be an individual, a commercial entity or a non-commercial entity and must be established in one of the EU Member States where the service or good is offered or where the monitoring takes place. The non-EU entity has a certain degree of leeway as to the EU Member State in which the representative is established, but it has to be kept in mind that the representative must also be easily accessible for data subjects and supervisory authorities in other EU Member States (where the representative is not established). Thus, in particular, communication must take place in the language or languages used by the supervisory authorities and the data subjects concerned.
The EDPB considers the function of the representative to be incompatible with the role of an external data protection officer. So, according to the EDPB, a designated representative cannot at the same time be designated as data protection officer for the same "client".
Further, the EDPB states that the concept of the representative was introduced with the intention of enabling enforcers to initiate enforcement action against a representative in the same way as against data controllers or data processors. The EDPB then shares the view that this would include the possibility of imposing administrative fines and penalties on the representative and of holding the representative directly liable. This, however, does not follow from the GDPR at all. On the contrary, Art 58 GDPR explicitly sets out the only action a supervisory authority may take directly against the representative, i.e. to order the representative to provide any information it requires for the performance of its tasks. All other relevant enforcement powers (including the imposition of fines) are directed solely at data controllers and/or data processors. The same holds for the GDPR's liability regime. Thus, the EDPB's view on the possibility of fining representatives and holding them liable has no basis in the GDPR. It remains to be seen whether this view will be challenged in the public consultation process.