EDPB – Guidelines on the Territorial Scope of the GDPR (Art. 3) and on Representatives (Art. 27) – Now adopted after public consultation
The European Data Protection Board (“EDPB”) has published the adopted version of its guidelines on the territorial scope of the General Data Protection Regulation (“GDPR”). The guidelines were first published in November 2018 for public consultation. After completion of the public consultation process, the guidelines had been updated and thereafter adopted as final guidelines by the EDPB in November 2019. Unfortunately, the guidelines leave several questions relating to the territorial scope unanswered, especially when it comes to non-EU processors.
The EDPB makes clear that Art. 3 of the GDPR is aimed at determining whether a particular processing activity, rather than an entity or person, is within the scope of the GDPR. Therefore, for controllers and processors located outside of the EU, some of the controller’s or processor’s processing activities may be within the scope of the GDPR, whilst others are not.
I. “Establishment” Criterion – Art. 3(1)
The EDPB confirms that “establishment” requires both a degree of stability of the arrangement, and the effective exercise of activities in the EU and clarifies other questions around “establishment”:
- A “stable arrangement” in the EU can be fulfilled even if just a single employee or agent acts with a sufficient degree of stability. However, the mere fact that an employee resides in the EU and works for a non-EU company does not automatically result in an “establishment” being created (see example 15 of the guidelines) as there must also be processing of personal data carried out in the context of activities of the EU-based employee.
- In addition to an “establishment” in the EU, there must be a link between the activity the data is being processed for and activities of the establishment in the EU. The nature of any such link is key in determining whether the GDPR applies under Art. 3(1), as such link must be “inextricable.” One key aspect for an “inextricable link” may be the raising of revenue in the EU.
- Having a website accessible in the EU is not, by itself, sufficient to create an “establishment” in the EU.
- If a controller is subject to the GDPR pursuant to Art. 3(1) GDPR, then the GDPR can also apply to and protect non-EU data subjects.
- A controller subject to the GDPR pursuant to Art. 3(1) GDPR cannot avoid the application of the GDPR by instructing a non-EU processor to carry out the processing activity. However, it is unclear from the guidelines whether the GDPR would then also be directly applicable to the non-EU processor.
Processors located within the EU are not considered an establishment of a non-EU controller under Art. 3(1) GDPR:
- If a controller outside of the EU uses a processor located in the EU, the processor is not an “establishment” of the controller and this fact is not, by itself, sufficient for the GDPR to apply directly to the controller. This is relevant to non-EU data controllers which outsource data processing to the EU.
- However, a processor located in the EU is subject to the processor requirements of the GDPR in relation to its processing activities, including the requirements for international data transfers under Art. 44 et seq. GDPR. Hence, the processor must put in place appropriate safeguards (e.g. EU Model Clauses) to transfer the personal data back to the non-EU controller. Processors will have difficulties to comply with this requirement as no “Processor to Controller” EU Model Clauses currently exist. Further, limiting the services to controllers which are either in a country with an adequacy decision, or are Privacy Shield certified, is not an option from a business perspective. The EU Commission should adopt EU Model Clauses for this scenario urgently.
II. Offering Goods/ Services and Monitoring Behavior – “Targeting” Criterion under Art. 3(2)
The guidelines clarify that “targeting” is required under both – Art. 3(2)(a) – Offering Goods or Services and Art. 3(2)(b) – Monitoring Behavior. Although the guidelines specifically mention the criterion of “targeting” individuals in the EU only in respect to the offering of goods or services, the EDPB considers targeting to be an integral part of “monitoring”. In the absence of targeting, mere processing of personal data of individuals in the EU is not, by itself, sufficient for the GDPR to apply under Art. 3(2).
The EDPB confirmed that Art. 3(2) GDPR requires the individual to be in the EU – citizenship or residence in the EU is irrelevant. Whether an individual is in the EU must be assessed at the time when the activity (e.g. the offer or monitoring) takes place.
The EDPB thus recommends a twofold approach to determine whether the processing relates to: (a) data subjects in the EU; and (b) offering goods or services or to monitoring data subject’s behavior in the EU in a targeted manner as follows:
1. The “Targeting Criterion”
To determine whether the “Targeting” criterion is fulfilled, the guidelines provide various factors which have been adopted from European consumer protection law and which, in combination, may amount to targeting data subjects in the EU. These include, inter alia: (a) paying a search engine to provide a referencing service to facilitate access to its site by consumers in the EU, or launching marketing and advertisement campaigns directed at an EU country; (b) the international nature of the activity, such as certain tourist activities; (c) use of language/currency other than that generally used in the trader’s country, especially the language/currency of one or more EU Member States; and (d) offering the delivery of goods in EU Member States. The guidelines note that the mere accessibility of a website in the Union is not sufficient to amount to targeting.
2. The Offering of Goods/Services – Art. 3(2)(a)
The offering of services also includes the offering of “information society services”, which are defined as “any information society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of the services”.
Those include, but are not limited to, websites, apps and other online services. The goods or services must be offered to a data subject, i.e. to an individual. In the employment context, a non-EU company with employees working remotely from, and residing in, an EU Member State does not offer services to such EU-based employees by making salary payments, hence the non-EU company with EU-based employees is not subject to the GDPR as per Art. 3 GDPR (see example 15 of the guidelines) for those processing activities.
The guidelines state that offering goods or services to individuals in the EU requires intentionally, rather than inadvertently or incidentally, targeting individuals in the EU. The GDPR would not apply if the processing relates to a service only offered to individuals outside of the EU, but the service is still accessible to individuals when they enter the EU (e.g. on holiday/visiting the EU) (see example 8 of the guidelines).
3. Monitoring Behavior – Art. 3(2)(b) GDPR
The guidelines state that although the recitals to the GDPR mention monitoring in relation to tracking behavior on the internet, tracking through other technologies or networks involving personal data processing should also be taken into account when deciding whether the processing amounts to “monitoring behavior” and provides examples such as wearable and smart devices.
The guidelines clarify that the term “monitoring” in this context requires a specific purpose for the collection and reuse of the relevant data about the individual’s behavior in the EU. Sensibly, the EDPB confirms that online collection or analysis of personal data of individuals in the EU does not automatically amount to “monitoring” for the purposes of Art. 3(2) of the GDPR. The purpose of the processing and any subsequent behavioral analysis or profiling in relation to that personal data is relevant.
Processors outside the EU
The guidelines state that to determine whether a processor located outside of the EU is subject to the GDPR under Art 3(2), it is necessary to determine whether the processing by the processor is “related” to the targeting activities of a controller outside of the EU. This assessment involves examining the connection between the processing carried out by the processor and the targeting activity undertaken by the controller. In the EDPB’s view, where the processing by a controller outside of the EU relates to offering goods/services or monitoring the behavior of individuals in the EU (“targeting”), if a processor is instructed to carry out such processing activities, the processor will be within the scope of the GDPR in respect of that processing activity. It appears that the EDPB wants to apply the GDPR to a service provider who offers a tool or software to a business customer (legal entity) for purposes of enabling the business customer to offer goods/services via the tool to end-users in the EU (or to monitor end-users in the EU), even though it is not the service provider but the business customer that is ultimately offering the goods/services to (and/or carries out the monitoring of) individuals.
The guidelines expressly require controllers or processors outside of the EU and subject to the GDPR pursuant to Art. 3(2) to appoint a representative under Art. 27. It follows that controllers or processors subject to the GDPR under Art. 3(1) are not required to appoint a representative. The EDPB also confirms that the appointment of a representative does not result in an “establishment”, and thus does not trigger the application of the GDPR through Art. 3(1). In addition, where several processing activities of a controller or processor are subject to the GDPR under Art. 3(2), the controller is not required to designate a separate representative for each separate processing activity.
Furthermore, the guidelines state that being a representative under Art. 27 is not compatible with the role of an external DPO under the GDPR, because (a) the DPO may not receive any instructions regarding the exercise of his/her tasks and must be independent, whereas the representative is subject to a mandate and thus to instructions; and (b) the combination of both roles might result in a conflict of interest.
In terms of enforcement action against representatives, although the EDPB acknowledges that the controller or processor subject to the GDPR is primarily liable for any enforcement action, the intention is to enable enforcement (including fines) against a representative in the same manner as against a controller or processor. However, the representative is only directly liable for its direct obligations under Art. (30) (record of processing) and Art 58(1)(a) (co-operating with requests from Supervisory Authorities).
Despite the guidelines providing certain clarity, there are areas where clarification or guidance would have been useful. For example:
- It is not clear from the guidelines how controllers and processors located outside of the EU and subject to the GDPR pursuant to Art. 3(2) should comply in practice with the international data transfer restrictions under Chapter V of the GDPR, in particular whether those controllers and processors need to put in place appropriate safeguards, given the fact that they are already subject to the GDPR and its data protection standards. The EDPB states it will further assess this issue and that additional guidance may be produced, if necessary.
- Scenarios where a non-EU parent entity receives personal data of employees of an EU affiliate raise the issue (i) whether the EU affiliate qualifies in this context as an “establishment” of the non-EU parent entity; and/or (ii) whether the offering of benefits to EU employees by the non-EU parent entity triggers the GDPR under Art. 3 (2)(a).
- The EDPB’s broad territorial application of the GDPR to non-EU processors pursuant to Art. 3(2) seems to be limited to scenarios where the controller is located outside of the EU and subject to the GDPR pursuant to Art. 3(2). However, it is unclear whether the EDPB’s broad territorial application of the GDPR to non-EU processors pursuant to Art. 3(2) shall also be triggered if the controller is located within the EU and subject to the GDPR pursuant to Art. 3(1).
- Regarding the appointment of representatives, the guidelines do not clarify whether the term “represent” means that the representative must receive a power of attorney to represent the controller or processor. If one is required, it is unclear how far reaching the power of attorney of the representative must be. If one is not required, it is unclear whether this means that the representative acts as a “communicating messenger” only. One interpretation (in particular for tax reasons) would be that it is not necessary that the representative has (full) power of attorney, e.g. to legally bind the non-EU company.