The Guidance provides helpful clarifications for service providers and their customers on both sides of the Atlantic.
Long-awaited guidance on the territorial scope of the General Data Protection Regulation (GDPR) has been published by the European Data Protection Board (EDPB) for public consultation (Guidance). Under Article 3, the GDPR applies to the processing of personal data which meets the “establishment” test (Article 3(1)), or, failing that, meets the “targeting” test (Article 3(2))[i].
The GDPR applies to the processing of personal data by a controller or processor established in the EU in the context of activities of that establishment, regardless of whether the processing itself takes place in the EU. “Establishment” is not defined in the GDPR, but the Guidance refers to pre-GDPR case law to assist with its interpretation.
The meaning of “established in the EU” was considered by the Court of Justice of the European Union (CJEU) in Weltimmo[ii] and Google v Costeja (Google Spain)[iii]. In Google Spain, the CJEU confirmed that an organisation may be “established” if it exercises “any effective and real exercise of activity” through “stable arrangements” in the EU[iv] and found that Google Inc. was established in the EU as its processing of personal data was “inextricably linked to” and carried out “in the context of … activities” of its subsidiary in Spain. In Weltimmo, the CJEU confirmed that “establishment” does not depend on legal form and that a minimal but stable and effective presence would suffice. Therefore, the CJEU found that Weltimmo, a company incorporated in Slovakia that had collected personal data in Hungary through the use of a Hungarian-language website and had a representative in Hungary, was established in Hungary.
The Guidance confirms that these broad interpretations remain good law. Accordingly, to determine whether an organisation has an establishment in the EU, both the degree of stability of the arrangements and the effective exercise of activities in the EU must be considered.
The second aspect of the establishment test requires an analysis of whether or not the processing is carried out “in the context of the activities of [the EU establishment]”. In this regard, the Guidance is less informative. It refers, once again, to whether or not activities are inextricably linked (as per Google Spain) and states that non-EU organisations must assess whether there are potential links, and if so, the nature of such links, between their EU establishments and any processing activities (i.e., a fact-based test with limited parameters).
Finally, the EDPB confirms that “geographical location is not important for the purposes of Article 3(1) with regard to the place in which processing is carried out, or with regard to the location of the data subjects in question”. Therefore, the GDPR will apply to processing in the context of an EU establishment regardless of whether the processing itself takes place in the EU or where the data subjects themselves are located, and irrespective of their nationality or place of residence.
While the Guidance vis-à-vis Article 3(1) will not provide the clarity that many hoped for; it does provide some helpful clarifications for service providers and their customers on both sides of the Atlantic. For instance, the Guidance makes clear that:
- Controllers without an EU establishment are not caught by the Article 3(1) test merely by virtue of using a third party processor established in the EU.
- Processors without an EU establishment that process personal data on behalf of third party controllers established in the EU are not subject to the GDPR merely by virtue of this relationship.
The GDPR also applies to the processing of personal data by a controller or processor that is not established in the EU if the processing activities are related to the offering of goods or services to, or monitoring the behaviour of, data subjects in the EU. Regarding Article 3(2), the Guidance considers whether the processing is in respect of data subjects in the EU, and if so (a) whether there is or has been an offering of goods or services to such data subjects, or (b) whether there is or has been monitoring of the behaviour of such data subjects.
The EDPB confirms that the “in the EU” test does not require citizenship or residence in the EU. Rather, Article 3(2) will apply whenever the data subject is located in the EU when the relevant trigger activity — i.e., either (a) or (b) takes place — irrespective of the data subject’s nationality or place of residence.
Offering Goods and Services
To assess whether or not a controller or processor is “offering goods or services” to a data subject, the EDPB lists a number of factors which might be relevant, including: the international nature of the activity; the mention of dedicated EU contact details relevant to the services; the use of EU currency or language; the delivery of goods to EU Member States; and/or the use of EU top-level domain names. While these factors, coupled with the specific examples in the Guidance, are helpful, they add little to the already comprehensive list of relevant factors noted in Recital 23 of the GDPR. Therefore, controllers and processors not established in the EU still need to carry out a fairly subjective test to assess whether or not their activities amount to the offering of goods and services to data subjects in the EU.
According to the Guidance, to trigger the application of the GDPR, the behaviour monitored must first relate to a data subject in the EU and, as a cumulative criterion, the monitored behaviour must take place within the EU. Tracking a person on the internet (i.e., across more than one website) classifies as monitoring. The Guidance clarifies that tracking through other types of network or technology involving personal data processing (e.g., via wearable and other smart devices) should also be taken into account for the monitoring determination.
Implications of the Targeting Test
Controllers or processors caught by the GDPR by virtue of targeting (who therefore do not have an EU establishment) must designate an EU representative in accordance with Article 27 (unless they meet the exemption criteria). The Guidance does not provide much elucidation on these criteria other than to note that the Guidelines on Data Protection Officers by the Article 29 Working Party (WP29) apply equally to an assessment for an EU representative.
The EDPB confirms both that the EU representative on its own does not constitute an establishment and that controllers and processors not established in the EU cannot benefit from the one-stop shop mechanism in Article 56. This is consistent with the approach in the WP29’s Guidelines for Identifying a Controller or Processor’s Lead Supervisory Authority but leaves controllers without an EU establishment none the wiser as to how to engage with supervisory authorities and to which authority they should notify the identity of their data protection officer, if any. This could leave many “global” operators in the unenviable position of having to engage with supervisory authorities in every EU member state. Companies in this position may want to consider whether creating an establishment in the EU, and thus bringing themselves within the one-stop shop mechanism, would be preferable.
The EDPB provides additional guidance for controllers and processors that are appointing a representative, as reflected below.
Putting the Guidance Into Practice
Key takeaways for controllers and processors include:
With potential EU establishment: Consider the degree of stability of establishment arrangements, and review the level of control exercised over such arrangements, to determine whether or not that control amounts to an establishment within the meaning of Article 3(1).
With definite EU establishment: Meet GDPR obligations in respect of all personal data that is processed in the context of this establishment, and not simply the personal data of EU data subjects.
Without EU establishment: Review EU footprint and ensure ability to engage with supervisory authorities in each of the EU Member States in which they are active.
Offering goods and services: Consider the factors listed in the Guidance (as noted above) together with those listed in Recital 23 of the GDPR.
Designating EU representatives: When entering into service contracts with representatives, the contracts should at a minimum, identify a “lead contact” for each controller/processor they are representing. The service contracts should mandate that the representative maintain a record of processing that triggers the application of the GDPR, cooperate with competent supervisory authorities, facilitate exchanges with the supervisory authority and controller/ processor, and communicate with data subjects.
Controllers established in the EU that engage processors without an EU establishment should:
- Ensure the adequacy of such processors and consider the Article 28(1) and Chapter V (Export) obligations.
- Implement Data Processing Agreements (DPAs), meeting all Article 28(3) requirements.
According to the EDPB, processors established in the EU that provide services to controllers to which the GDPR does not apply should implement DPAs (which should cover the Article 28(2) and 28(3) requirements save only for the need to assist the controller with its own GDPR obligations).
EU representatives, which can be held liable for any breaches of the GDPR by their controller/processor, should:
- Be located where the data subjects are located, rather than where the processing takes place.
- Be someone other than the person/entity performing the role of the Data Protection Officer.
[i] Under Article 3(3), the GDPR also applies where personal data is processed by virtue of public international law, but this is not considered further here.
[ii] Weltimmo s.r.O v Nemzeti Adatvédelmi és Információszabadság Hatóság (C-230/14).
[iii] Google Spain SL, Google Inc. v AEPD, Mario Costeja González (C-131/12).
[iv] This mirrors the language now set forth in Recital 22 of the GDPR.