datenrecht.ch

EDSA: Draft guidelines 3/2018 on the territorial scope of the GDPR published

The European Data Protection Board (EDSA; the former Article 29 Working Party) published the long-awaited draft guidelines on the territorial scope of the GDPR on November 23, 2018 (Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – version for public consultation; for the time being only in English).

Overall assessment

The EDSA paper does not interpret the territorial scope as broadly as was feared. For example, the EDSA states

  • that a non-European controller is not covered by the GDPR simply because it uses a European processor;
  • that hiring employees and processing their data in the context of the employment relationship does not constitute the targeting of an offer and typically does not constitute behavioral monitoring;
  • that behavioral monitoring presupposes the intention to use the collected data in a certain way, which must probably be comparable to profiling in its intensity.

The EDSA is apparently trying to strike a balance between protecting data subjects in the EEA on the one hand and the risk of undermining the requirements of Art. 3 GDPR on the other, and it seems that the GDPR is intended to apply primarily to typical cases. However, many questions remain open, which probably has to do with the fact that a first version of the paper was discussed again and that some explanations and references may have been deleted in the process. It is unclear, for example, whether general international offers (i.e. offers with an international orientation but without a specific reference to the EEA) are also covered and whether offers to existing customers can also constitute targeting. We will have to wait and see what the case law says here.

The paper is now open for public comment before a final version is adopted.

Art. 3 GDPR

The territorial scope of application of the GDPR is regulated in Art. 3:

(1) This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

(2) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

(3) This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

On the principle of establishment

Concept of establishment

The­re are few sur­pri­ses regar­ding the defi­ni­ti­on of “estab­lish­ment” within the mea­ning of Art. 3(1) GDPR. The EDSA refers here to Reci­tal 22 and the case law of the ECJ, in par­ti­cu­lar the World Immo Decis­i­onin which the ECJ defi­ned the con­cept of estab­lish­ment as a func­tion­al and very wide has under­s­tood. The decisi­ve fac­tors are the sta­bi­li­ty (“degree of sta­bi­li­ty”) of the struc­tu­re being con­side­red as a branch and the actu­al acti­vi­ty in the EEA ter­ri­to­ry. In extre­me cases, the pre­sence of a sin­gle employee or repre­sen­ta­ti­ve on the ter­ri­to­ry of the EEA may be suf­fi­ci­ent, pro­vi­ded that this employee or repre­sen­ta­ti­ve acts “with a suf­fi­ci­ent degree of sta­bi­li­ty”. An acci­den­tal, flee­ting or other­wi­se non-per­ma­nent stay should the­r­e­fo­re not be suf­fi­ci­ent. The EDSA cites as an exam­p­le an ope­ra­tio­nal branch with office pre­mi­ses; here the cri­te­ria of sta­bi­li­ty and effec­ti­ve exer­cise of an acti­vi­ty are met. A sub­si­dia­ry is also mentioned.

In con­trast, a pro­ces­sor is not an estab­lish­ment of the con­trol­ler sole­ly by vir­tue of the con­trac­tu­al rela­ti­on­ship. Nor does the con­trol­ler pro­cess per­so­nal data “in con­nec­tion with the processor’s estab­lish­ment” in the EEA. A non-Euro­pean respon­si­ble the­r­e­fo­re falls does not fall within the scope of the GDPR mere­ly becau­se it uses a pro­ces­sor estab­lished in the EEA. Howe­ver, the Euro­pean pro­ces­sor is of cour­se cover­ed by the GDPR for its part.

Processing “in the context of the activities” of the establishment

According to Art. 3(1), the GDPR applies only to data processing that takes place “in the context of the activities” of the establishment. A non-European company is therefore not covered by the GDPR for all of its processing activities merely because it has an establishment in the EEA. However, the EDSA interprets this requirement broadly as well. It is not necessary for the establishment itself to participate in the data processing activity in question of the controller or processor outside the EEA. Rather, it is sufficient (here the EDSA refers to the decision of the ECJ in Google Spain) that the activity of the establishment and the data processing in the specific case are “inextricably linked”. Such a link may exist, for example, if an establishment, through its activities, generates revenue for the non-European parent company (e.g. in the case of a sales office in the EEA), even if this establishment itself does not participate in the data processing. The EDSA thus also confirms the Google Spain decision. One example is a Chinese web store whose German branch manages the store’s European advertising activities.

It does not matter whether this involves the processing of personal data of individuals in the EEA or where the processing takes place. A French company whose mobile app is available exclusively in North Africa is therefore subject to the GDPR, as is a Swedish company responsible for data processing that takes place in Singapore. Conversely, the non-European processor of a European processor is not subject to the GDPR, but must be bound contractually in accordance with Art. 28(3) GDPR (and, where applicable, Art. 44 et seq. GDPR).

Targeting of the offer

In the absence of an establishment in the EEA, or if the processing in question does not have a sufficient connection with such an establishment, the targeting of an offer within the meaning of Art. 3(2)(a) may trigger the application of the GDPR. The EDSA does not elaborate on what is meant by “goods or services”. However, it clarifies that the processing of employee data by a company not established in the EEA does not fall under Art. 3(2)(a) GDPR, even if the employees of the non-European company reside in an EEA state:

In this case, […] the processing […] does not take place in the context of an offer of goods or services. Indeed human resources management, including salary payment by a third-country company cannot be considered as an offer of service within the meaning of Art 3(2)a. The processing at stake does not relate to the offer of goods or services to data subjects in the Union (nor to the monitoring of behavior) and, as a consequence, is not subject to the provisions of the GDPR, as per Article 3.

An offer is covered only if there is an obvious intention to offer goods or services to persons in the EEA. This requires objective circumstantial evidence. For this purpose, the EDSA refers to Recital 23 and the case law of the European Court of Justice, in particular the Alpenhof decision. The EDSA cites the following indications, which, depending on the circumstances, either individually or in combination, may be indicative of the targeting of an offer:

  • the explicit mention of a Member State in connection with an offer;
  • expenditure on placing an offer in the results of a search engine in order to target people in the EEA;
  • advertising campaigns aimed at the EU;
  • the international nature of an offer, e.g. certain tourist activities;
  • the provision of dedicated addresses or telephone numbers for contact from the EEA;
  • the use of top-level domains that are foreign from the provider’s point of view, such as “.de” or “.eu”;
  • the indication of a route from the EEA to the place of performance;
  • the mention of an international clientele from EEA countries (“The mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers”);
  • the use of a language or currency that is foreign from the provider’s point of view, especially a language or currency that is commonly used in one or more EEA countries;
  • the offer of delivery to an EEA State.

Not sufficient, for example, would be the offer of a university (the EDSA cites the example of a university in Zurich) that offers master’s courses and requires sufficient knowledge of German and English for this:

A Swiss University in Zurich is launching its Master degree selection process, by making available an online platform where candidates can upload their CV and cover letter, together with their contact details. The selection process is open to any student with a sufficient level of German and English and holding a Bachelor degree. The University does not specifically advertise to students in EU Universities, and only takes payment in Swiss currency.

As the­re is no distinc­tion or spe­ci­fi­ca­ti­on for stu­dents from the Uni­on in the appli­ca­ti­on and sel­ec­tion pro­cess for this Master degree, it can­not be estab­lished that the Swiss Uni­ver­si­ty has the inten­ti­on to tar­get stu­dents from a par­ti­cu­lar EU mem­ber sta­tes. The suf­fi­ci­ent level of Ger­man and Eng­lish is a gene­ral requi­re­ment that applies to any appli­cant whe­ther a Swiss resi­dent, a per­son in the Uni­on or a stu­dent from a third coun­try. Wit­hout other fac­tors to indi­ca­te the spe­ci­fic tar­ge­ting of stu­dents in EU mem­ber sta­tes, it the­r­e­fo­re can­not be estab­lished that the pro­ce­s­sing in que­sti­on rela­tes to the offer of an edu­ca­ti­on ser­vice to data sub­jects in the Uni­on, and such pro­ce­s­sing will the­r­e­fo­re not be sub­ject to the GDPR provisions.

In this context, the data subjects to whom the offer is directed must be physically present in the EEA, specifically at the time the offer is made:

The requirement that the data subject be located in the Union must be assessed at the moment when the relevant trigger activity takes place, i.e. at the moment of offering of goods or services or the moment when the behavior is being monitored, regardless of the duration of the offer made or monitoring undertaken.

Where an offer is targeted at the EEA, all data processing that has a connection with the offer then falls under the GDPR. According to the EDSA, an “indirect” connection is also sufficient, but this is not explained in more detail.

Overall, the impression is that the EDSA does not consider general international offers to be covered, i.e. offers that are directed at an international audience but without a special reference to the territory of the EEA (e.g. a website in English with a .com domain). The EDSA does not state this so clearly; however, as an indication of the targeting of an offer it mentions “The mention of an international clientele composed of customers domiciled in various EU Member States.” The example of the university also points to this understanding.

Behavioral monitoring

Furthermore, a controller or processor without an establishment in the EEA may also be covered by the GDPR if it monitors the behavior of data subjects in the EEA. The EDSA first notes that, despite Recital 24, not only behavior “on the Internet” is covered, but also tracking by other means:

While Recital 24 exclusively relates to the monitoring of a behavior through the tracking of a person on the internet, the EDPB considers that tracking through other types of network or technology involving personal data processing should also be taken into account in determining whether a processing activity amounts to a behavioral monitoring, for example through wearable and other smart devices.

However, in doing so, the EDSA is concerned with operations close to tracking or profiling:

As opposed to the provision of Article 3(2)(a), neither Article 3(2)(b) nor Recital 24 introduce a necessary degree of “intention to target” on the part of the data controller or processor to determine whether the monitoring activity would trigger the application of the GDPR to the processing activities. However, the use of the word “monitoring” implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behaviour within the EU. The EDPB does not consider that any online collection or analysis of personal data of individuals in the EU would automatically count as “monitoring”. It will be necessary to consider the controller’s purpose for processing the data and, in particular, any subsequent behavioural analysis or profiling techniques involving that data. The EDPB takes into account the wording of Recital 24, which indicates that to determine whether processing involves monitoring of a data subject’s behavior, the tracking of natural persons on the Internet, including the potential subsequent use of profiling techniques, is a key consideration.

The EDSA then provides the following examples in which behavioral monitoring may be present:

  • personalized advertising;
  • geolocation, especially for marketing purposes;
  • online tracking via cookies or similar technologies such as fingerprinting;
  • personalized nutritional advice and health analysis online;
  • video surveillance;
  • market research and other behavioral analysis based on individual profiles;
  • monitoring or regular reporting of health status.

The EDSA by no means clarifies all open questions. However, it at least removes the basis for the widespread view that the use of cookies, for example, per se amounts to behavioral monitoring. Rather, what is required is

  1. the collection of data from persons in the EEA about their behavior, which itself must also occur in the EEA,
  2. with the intention
  3. of collecting these data for a certain, planned further use that reaches a certain intensity, in particular profiling.

On the EU representative

The EDSA also comments on the EU representative and states, among other things, the following:

  • The representative is not an establishment of the controller.
  • The representative may be a natural person or a legal entity established in the EEA, e.g. a law firm, a consultant, a private company, etc. In the case of legal entities, it is recommended to designate a contact person, e.g. in the contract with the representative.
  • The representative must be established in a state where the data subjects of the relevant activity are located (offerees/monitored persons) (Art. 27(3) GDPR). If this applies to several states, but the majority of data subjects reside in a single state, the EDSA recommends that the representative be appointed in that state. However, the representative must be easily accessible for data subjects.
  • A representative can represent several companies. However, the representative cannot simultaneously perform the function of a data protection officer (DPO) for the same company.
  • The representative’s task is to facilitate communication between the non-European company and the data subjects or the authorities. The representative must therefore be able to communicate effectively with them, which requires, among other things, appropriate language skills.

Further points

The EDSA further holds:

  • For companies without an establishment in the EEA, the one-stop-shop mechanism under Art. 56 GDPR is not applicable.
  • If the GDPR is applicable, it is in principle applicable as a whole, i.e. all provisions (and not, for example, only the principles of processing) apply.
  • Companies outside the EEA must comply with the law of the Member States, which may provide for their own conflict-of-law rules.
