The territorial scope of the GDPR
The territorial scope of the General Data Protection Regulation (the ‘GDPR’ or the ‘regulation’) is determined by Article 3, which adopts two main criteria for this purpose: ‘establishment’ and ‘targeting’. Where either of these two criteria is met, all relevant provisions of the GDPR apply to the relevant processing of personal data performed by the controller or processor concerned.
Controllers or processors established in the EU
It probably comes as no surprise that the GDPR applies to organisations which are established within the EU, if personal data is processed ‘in the context of the activities’ of such an establishment. The fact that this applies regardless of whether the actual processing of the data takes place in the EU or not might, however, be less obvious. According to recital 22, an establishment implies the effective and real exercise of activities – even a minimal one – through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect. In some circumstances, the presence of a single employee or agent of a non-EU entity within the Union may be sufficient to constitute a stable arrangement. For example, organisations with EU sales offices which are either selling to EU residents or using advertising and marketing targeted at EU residents will likely be subject to the regulation.
Organisations situated outside the EU but targeting or monitoring EU data subjects
The GDPR ‘applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.’ According to the European Data Protection Board’s guidelines 3/2018 on the territorial scope of the GDPR (EDPB guidelines), p.17f, the following facts are likely to be considered when determining whether goods or services are offered to (‘targeting’) a data subject in the Union:
The EU or at least one Member State is designated by name with reference to the goods or services offered;
The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union, or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience;
The international nature of the activity at issue, such as certain tourist activities;
The mention of dedicated addresses or phone numbers to be reached from an EU country;
The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example ‘.de’, or the use of neutral top-level domain names such as ‘.eu’;
The description of travel instructions from one or more other EU Member States to the place where the service is provided;
The mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;
The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member states;
The data controller offers the delivery of goods in EU Member States.
The other kind of activity triggering the application of Article 3(2) is the monitoring of data subjects’ behaviour as far as that behaviour takes place within the Union. This could encompass a broad range of monitoring activities, including behavioural advertisement; geo-localisation activities, in particular for marketing purposes; online tracking through the use of cookies or other tracking techniques such as fingerprinting; personalised diet and health analytics services online; CCTV; market surveys and other behavioural studies based on individual profiles; and monitoring or regular reporting on an individual’s health status (EDPB guidelines, p.20).
Determining whether your business activities fall under the GDPR or not will often be difficult, especially in less obvious cases. There are a number of distinctions and some exceptions to be considered, and consulting legal expertise is often advisable. Further, controllers or processors subject to the GDPR according to Article 3(2) are under an obligation to designate a representative in the Union. A controller or processor not established in the Union, but subject to the GDPR, that fails to designate a representative in the Union would therefore be in breach of the regulation (EDPB guidelines, p.23).
For more information on how you can ensure that you are covered with respect to all of the obligations laid out in the GDPR, as well as in wider data protection, information security and privacy legislation, get in touch with Peter Friis, the author of this article. Peter provides consultancy in general business law, contracts, litigation and IP Rights to both national and domestic clients and has extensive knowledge of privacy and data related legislation.
Zacco has been working within IP for over 150 years. If you would like assistance with securing your IP Rights and protecting them from those who would profit from them without your permission then get in touch with one of our experts.