Take-Aways (AI)
  • EDPB adopts final guidelines on Art. 3 GDPR on the territorial scope.
  • Offer targeting only concerns deliberate, intentional targeting of persons in the EU, not purely incidental services.
  • GDPR may apply to processors outside the EU if the controller’s activity triggers its application.
  • EU representative is not liable in lieu of the responsible party; liability limited to breach of own obligations.

Following a public consultation (in which we participated), the European Data Protection Board (EDSA, or EDPB in English) has adopted its opinion on the international scope of the GDPR in a definitive version (Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)). In large parts, the definitive version corresponds to the draft version (cf. Deltaview).

However, the following points are worth noting:

Offer orientation

In connection with the orientation of the offer within the meaning of Art. 3(2)(a) of the GDPR, the EDPB states, in a slightly restrictive or more precise manner, that only conscious orientation is covered (“the provision is aimed at activities that intentionally, rather than inadvertently or incidentally, target individuals in the EU”).

This would exclude the application of the GDPR, for example, if a continuous service is provided to persons outside the EU and this service is subsequently also provided within the EU: “In this case the processing is not related to the intentional targeting of individuals in the EU but relates to the targeting of individuals outside the EU which will continue whether they remain outside the EU or whether they visit the Union.”

Behavioral observation

In this context, there is an interesting further section on the application of the GDPR to a processor with its registered office outside the EU. The EDPB takes a position here on the wording of Art. 3(2) GDPR, which is unclear in its meaning, according to which the GDPR applies to the controller or the processor under the conditions of Art. 3(2)(a) and (b).

Here, the EDPB makes it clear – more or less – that the applicability of the GDPR to the processor follows from the activity of the controller: if an activity of the controller falls within the scope of the GDPR and the controller involves a processor in the process, then this processor can also fall under the GDPR. The starting point is the activity of the responsible person. The processor can only make the corresponding decision (which, conversely, probably also means that this decision establishes the controller property). From the processor’s point of view, the question therefore arises as to what its connection to the corresponding activity of the controller is. An activity such as data storage shall be sufficient (see the new example 20). It is therefore not necessary (but of course also sufficient) for the controller to be specifically involved in the activity that triggers the application of the GDPR.

On the EU representative

The Guidelines contain some clarifications on the EU representative, for example in relation to the processing list. Also welcome is the clarification that the representative is not liable as a substitute for the responsible person (“The GDPR does not establish a substitutive liability of the representative in place of the controller or processor it represents in the Union.”). Rather, the representative himself is liable only for violations of his own duties.