The European Data Protection Board (EDSA, i.e. the EDPB; the former Article 29 Working Party) published the long-awaited draft guidelines on the territorial scope of the GDPR on November 23, 2018 (Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – version for public consultation; for the time being available only in English).
Overall assessment
The EDSA paper does not interpret the territorial scope as broadly as was to be feared. For example, the EDSA states
- that a non-European controller is not covered by the GDPR simply because it uses a European processor;
- that hiring employees and processing data in the context of the employment relationship does not constitute targeting of an offer and typically does not constitute behavioral monitoring;
- that behavioral monitoring presupposes the intention to use the collected data in a certain way, which in its intensity must probably be comparable to profiling.
The EDSA is apparently trying to strike a balance between protecting data subjects in the EEA on the one hand and not hollowing out the requirements of Art. 3 GDPR on the other, and it seems that the GDPR is intended to apply primarily to typical cases. However, many questions remain open, which probably has to do with the fact that a first version of the paper was discussed again and that some explanations and references may have been deleted in the process. It is unclear, for example, whether general international offers (i.e. offers with an international orientation but without a specific reference to the EEA) are also covered and whether offers to existing customers can also constitute targeting. We will have to wait and see what the case law brings here.
The paper is now open for public comment before a final version is approved.
Art. 3 GDPR
The territorial scope of application of the GDPR is regulated in Art. 3:
(1) This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
(2) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
(3) This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
On the principle of establishment
Concept of establishment
There are few surprises regarding the definition of “establishment” within the meaning of Art. 3(1) GDPR. The EDSA refers here to Recital 22 and the case law of the ECJ, in particular the Weltimmo decision, in which the ECJ understood the concept of establishment functionally and very broadly. The decisive factors are the stability (“degree of stability”) of the structure being considered as an establishment and the effective exercise of an activity in the EEA. In extreme cases, the presence of a single employee or representative on the territory of the EEA may be sufficient, provided that this employee or representative acts “with a sufficient degree of stability”. An accidental, fleeting or otherwise non-permanent presence should therefore not be sufficient. The EDSA cites as an example an operational branch with office premises; here the criteria of stability and effective exercise of an activity are met. A subsidiary is also mentioned.
In contrast, a processor is not an establishment of the controller solely by virtue of the contractual relationship. Nor does the controller process personal data “in the context of the processor’s establishment” in the EEA. A non-European controller therefore does not fall within the scope of the GDPR merely because it uses a processor established in the EEA. The European processor, however, is of course covered by the GDPR for its part.
Processing “in the context” of the establishment
According to Art. 3(1), the GDPR only applies to data processing that takes place “in the context” of the activities of the establishment. A non-European company is therefore not covered by the GDPR with all of its processing activities just because it has an establishment in the EEA. However, the EDSA also interprets this requirement broadly. It is not necessary that the establishment itself participates in the data processing activity in question of the controller or processor outside the EEA. Rather, it is sufficient – here the EDSA refers to the decision of the ECJ in Google Spain – that the activity of the establishment and the data processing in the specific individual case are “inextricably linked”. Such a link may exist, for example, if an establishment through its activities generates revenue for the non-European parent company (e.g. in the case of a sales office in the EEA), even if this establishment itself does not participate in the data processing. The EDSA thus also confirms the Google Spain decision. An example is a Chinese web store whose German branch manages the store’s European advertising activities.
It does not matter whether this involves processing personal data of individuals in the EEA or where the processing takes place. A French company whose mobile app is available exclusively in North Africa is therefore subject to the GDPR, as is a Swedish controller whose data processing takes place in Singapore. Conversely, the non-European processor of a European processor is not itself subject to the GDPR, but must be contractually integrated in accordance with Art. 28(3) GDPR – and, where applicable, Art. 44 et seq. GDPR.
Targeting of the offer
In the absence of an establishment in the EEA, or if the processing in question does not have a sufficient connection with such an establishment, the targeting of an offer within the meaning of Art. 3(2)(a) may trigger the application of the GDPR. The EDSA does not elaborate on what is meant by “goods or services”. However, it clarifies that the processing of employee data by a company not established in the EEA does not fall under Art. 3(2)(a) GDPR, even if the employees of the non-European company are resident in an EEA state:
In this case, […] the processing […] does not take place in the context of an offer of goods or services. Indeed human resources management, including salary payment by a third-country company cannot be considered as an offer of service within the meaning of Art 3(2)a. The processing at stake does not relate to the offer of goods or services to data subjects in the Union (nor to the monitoring of behavior) and, as a consequence, is not subject to the provisions of the GDPR, as per Article 3.
An offer is only covered if there is an evident intention to offer goods or services to persons in the EEA. This requires objective indications. For this purpose, the EDSA refers to Recital 23 and the case law of the European Court of Justice, in particular the Alpenhof decision. The EDSA cites the following indications which – depending on the circumstances, either individually or in combination – may point to the targeting of an offer:
- the explicit mention of a Member State in connection with an offer;
- expenditure on placing an offer in the results of a search engine in order to reach people in the EEA;
- advertising campaigns aimed at the EU;
- the international nature of an offer, e.g. certain tourist activities;
- the provision of dedicated addresses or telephone numbers for contact from the EEA;
- the use of top-level domains that are foreign from the provider’s point of view, such as “.de” or “.eu”;
- the description of a route from the EEA to the place of performance;
- the mention of an international clientele from EEA countries (“The mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers”);
- the use of a language or currency that is foreign from the provider’s point of view, in particular a language or currency that is commonly used in one or more EEA countries;
- the offer of delivery to an EEA State.
Not sufficient, for example, is the offer of a university (the EDSA cites the example of a university in Zurich) that offers master’s courses and requires sufficient knowledge of German and English for this:
A Swiss University in Zurich is launching its Master degree selection process, by making available an online platform where candidates can upload their CV and cover letter, together with their contact details. The selection process is open to any student with a sufficient level of German and English and holding a Bachelor degree. The University does not specifically advertise to students in EU Universities, and only takes payment in Swiss currency.
As there is no distinction or specification for students from the Union in the application and selection process for this Master degree, it cannot be established that the Swiss University has the intention to target students from a particular EU member state. The sufficient level of German and English is a general requirement that applies to any applicant whether a Swiss resident, a person in the Union or a student from a third country. Without other factors to indicate the specific targeting of students in EU member states, it therefore cannot be established that the processing in question relates to the offer of an education service to data subjects in the Union, and such processing will therefore not be subject to the GDPR provisions.
In this context, the data subjects to whom the offer is directed must be physically present in the EEA, and specifically at the time the offer is made:
The requirement that the data subject be located in the Union must be assessed at the moment when the relevant trigger activity takes place, i.e. at the moment of offering of goods or services or the moment when the behavior is being monitored, regardless of the duration of the offer made or monitoring undertaken.
If an offer is targeted in this sense, all data processing that is related to the offer falls under the GDPR. According to the EDSA, an “indirect” connection is also sufficient, but this is not explained in more detail.
Overall, the impression is that the EDSA does not regard general international offers as covered, i.e. offers that are directed at an international audience but without a specific reference to the territory of the EEA (e.g. a website in English with a .com domain). The EDSA does not state this so clearly; however, it mentions the following as an indication of targeting: “The mention of an international clientele composed of customers domiciled in various EU Member States.” The example of the university also points to this understanding.
Behavioral monitoring
Furthermore, a controller or processor without an establishment in the EEA may also be covered by the GDPR if it monitors the behavior of data subjects in the EEA. The EDSA first notes that, notwithstanding Recital 24, not only behavior “on the internet” is covered, but also tracking by other means:
While Recital 24 exclusively relates to the monitoring of a behavior through the tracking of a person on the internet, the EDPB considers that tracking through other types of network or technology involving personal data processing should also be taken into account in determining whether a processing activity amounts to a behavioral monitoring, for example through wearable and other smart devices.
However, what the EDSA has in mind here are operations in the vicinity of tracking or profiling:
As opposed to the provision of Article 3(2)(a), neither Article 3(2)(b) nor Recital 24 introduce a necessary degree of “intention to target” on the part of the data controller or processor to determine whether the monitoring activity would trigger the application of the GDPR to the processing activities. However, the use of the word “monitoring” implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behaviour within the EU. The EDPB does not consider that any online collection or analysis of personal data of individuals in the EU would automatically count as “monitoring”. It will be necessary to consider the controller’s purpose for processing the data and, in particular, any subsequent behavioural analysis or profiling techniques involving that data. The EDPB takes into account the wording of Recital 24, which indicates that to determine whether processing involves monitoring of a data subject’s behavior, the tracking of natural persons on the Internet, including the potential subsequent use of profiling techniques, is a key consideration.
The EDSA then provides the following examples of what may constitute behavioral monitoring:
- personalized advertising;
- geolocation, especially for marketing purposes;
- online tracking via cookies or similar technologies such as fingerprinting;
- personalized nutritional advice and health analysis online;
- video surveillance;
- market research and other behavioral analysis based on individual profiles;
- monitoring or regular reporting of health status.
The EDSA by no means clarifies all open questions. However, it at least removes the basis for the widespread view that the use of cookies, for example, leads per se to behavioral monitoring. Rather, what is required is
- the collection of data from persons in the EEA about their behavior, which must also take place in the EEA,
- with the intention
- of further using this data in a certain, planned way that reaches a certain intensity, in particular profiling.
On the EU representative
The EDSA also comments on the EU representative and states, among other things, the following:
- The representative is not an establishment of the controller.
- The representative may be a natural person or a legal entity established in the EEA, e.g. a law firm, a consultant, a private company, etc. In the case of legal entities, it is recommended to designate a contact person, e.g. in the contract with the representative.
- The representative must be established in a state where the data subjects of the relevant activity (offerees/monitored persons) are located (Art. 27(3) GDPR). If this applies to several states, but the majority of data subjects reside in a single state, the EDSA recommends that the representative be appointed in that state. In any case, he or she must be easily accessible for data subjects.
- A representative can represent several companies. However, he or she cannot simultaneously perform the function of a data protection officer (DPO) for the same company.
- The representative’s task is to facilitate communication between the non-European company and the persons concerned or the authorities. He must therefore be able to communicate effectively with them, which requires, among other things, appropriate language skills.
Further points
The EDSA further holds:
- For companies without an establishment in the EEA, the one-stop-shop mechanism under Art. 56 GDPR is not applicable.
- If the GDPR is applicable, it is in principle applicable as a whole, i.e. all provisions (and not, for example, only the principles of processing) apply.
- Companies outside the EEA must comply with the law of the Member States, which may provide for their own conflict-of-law rules.