The European Data Protection Board (EDPB), comprising the national data protection authorities and the European Data Protection Supervisor (EDPS), at its 15th plenary session held on 12 and 13 November 2019 adopted the final version of its Guidelines on the Territorial Scope of the GDPR (the “Guidelines”). The Guidelines were first issued in draft form for public consultation in November 2018.
Extra-Territorial Scope of GDPR
A significant evolution of the GDPR from the Data Protection Directive is its expanded territorial scope. The GDPR applies not only to the processing of personal data in the EU but also to processing outside the member states. Territorial scope is dealt with under Article 3, which reads as follows:
“Article 3: Territorial Scope
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.”
A controller is defined as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, while a processor is “a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller”.
Application of GDPR
1. Establishment Criteria – Article 3 (1)
It is pertinent to note that the term “main establishment” is defined in Article 4(16), whereas “establishment” for the purpose of Article 3 is not defined under the GDPR. However, the Guidelines point to Recital 22, which states that “[e]stablishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.” Establishment therefore extends to any real and effective activity, even a minimal one, exercised through stable arrangements.
Accordingly, the Guidelines state that the presence of only one representative can be regarded as a stable arrangement in some cases, if that employee, agent or representative acts with a sufficient degree of stability. However, when an employee, agent or representative is based in the EU but the processing is not being carried out in the context of the activities of that EU-based person in the Union (i.e. the processing relates to activities of the controller outside the EU), the mere presence of an employee in the EU will not bring that processing within the scope of the GDPR. Therefore, the phrase “in the context of the activities” is decisive when determining whether a controller or processor has an establishment in the EU for the purpose of Article 3(1).
2. Understanding “in the context of the activities of”
For the purpose of “processing in the context of the activities of an establishment of a controller or a processor in the Union” under Article 3(1), the EUDPA held that determining whether processing is being carried out in the context of an establishment of the controller or processor in the Union must be done on a case-by-case basis and based on an analysis in concreto. The EUDPA further provided that two factors may be indicative that processing by a non-EU controller or processor falls within Article 3(1): (i) an inextricable link between the processing of personal data carried out by the non-EU controller or processor and the activities of an EU establishment; and (ii) revenue-raising in the EU by a local establishment, to the extent that such activities can be considered “inextricably linked” to the processing of personal data taking place outside the EU and concerning individuals in the EU.
3. Targeting Criteria – Article 3 (2)
Having no establishment in the EU does not remove an entity from the ambit of the GDPR if the goods and services provided by that non-EU entity are targeted at EU citizens. The offering of goods and services to EU citizens does not depend on the data subject paying for those goods and services. Further, monitoring the behaviour of EU citizens within the territory of the EU attracts the provisions of the GDPR irrespective of the location of the data controller or processor.
In one of the examples, the Guidelines state that “where a marketing company established in the US provides advice on retail layout to a shopping centre in France, based on an analysis of customers’ movements throughout the centre collected through Wi-Fi tracking, [the marketing company] would fall within the definition of a data controller, and is therefore subject to the GDPR in respect of the processing of this data for this purpose as per its Article 3(2)(b). In accordance with Article 27, the data controller will have to designate a representative in the Union.”
The requirement that the data subject be located in the Union must be assessed at the moment when the relevant trigger activity takes place, i.e. at the moment goods or services are offered or the moment the behaviour is being monitored, regardless of the duration of the offer made or the monitoring undertaken. Monitoring may also include, for example, the provision of video surveillance services or user-specific advertisements.
The Guidelines further clarify that the processing of personal data of EU citizens or residents that takes place in a third country does not trigger the application of the GDPR, as long as the processing is not related to a specific offer directed at individuals in the EU or to monitoring of their behaviour in the Union. For example, the GDPR is not triggered when a European citizen, while in India, voluntarily avails of goods and services from an Indian e-commerce website.
4. Application of Public International Law – Article 3 (3)
The GDPR is also applicable in places where the law of a member state applies by virtue of public international law. As an example, where an Indian-owned cruise ship flying the French flag (French law applies on board a ship under the French flag) and travelling in international waters processes the data of EU citizens on board for the purpose of tailoring in-cruise entertainment offers, the GDPR would apply to that processing of personal data.
All embassies and consulates of EU member states outside the EU fall within the scope of the GDPR, and the services offered by such embassies and consulates are within its ambit.
Appointment of representative in the EU
Companies without an establishment in the EU that, as controller or processor, offer goods and services to data subjects in the EU or monitor their behaviour are required to appoint a representative in the EU, explicitly designated by a written mandate to act on their behalf with regard to their obligations under the GDPR.
Further, the Guidelines clarify that where several processing activities of a controller or processor fall within the scope of Article 3(2) GDPR (and none of the exceptions in Article 27(2) GDPR apply), that controller or processor is not expected to designate a separate representative for each processing activity falling within the scope of Article 3(2). So, for example, an Indian customer support outsourcing agency processing personal data of European data subjects on behalf of several different controllers is not required to designate one representative for each such controller.
Further, entities are not required to appoint a representative in the EU when the processing is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; nor where the processing is carried out by a public authority. The representative is required to maintain a record of processing activities in accordance with Article 30. Failure to appoint a representative is subject to administrative fines of up to 10,000,000 EUR or up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.