Copyright Giulio Coraggio 2018

To which entities is the GDPR applicable? What is the territorial scope?
The GDPR applies to any business that looks at the European Union market, especially after the EDPB guidelines on territorial scope.

Updated on 29 November 2018, after the issue of the EDPB Guidelines on territorial scope of the GDPR (the “EDPB Guidelines on Territorial Scope”)

As part of my series of blog posts on the most relevant issues to consider in complying with the EU General Data Protection Regulation, here I discuss why not only European companies should care about it, since the GDPR also applies to companies outside the EU. This is a very hot topic, especially after the issue of the EDPB Guidelines on Territorial Scope, which are now subject to a consultation that will end on 18 January 2019.

The GDPR applicability for data processing “in the context of the activities of an establishment in the EU”

The EU Data Protection Directive 95/46 applied to data controllers established in the European Union, with the consequence that, for instance, a US company with no EU establishment could fall outside its scope unless another criterion of applicability was met.

On the contrary, the European General Data Protection Regulation refers to

the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

According to the EDPB Guidelines on Territorial Scope, this provision requires determining what an establishment in the European Union is. This does not depend on the legal form adopted. For instance, it is not possible to conclude that a non-EU entity has an establishment in the Union merely because

  • its website is accessible from the EU;
  • it has designated an EU representative in accordance with GDPR; or
  • it uses a data processor established in the EU.

According to the EDPB Guidelines on Territorial Scope, the GDPR is applicable when

  • there is an inextricable link between the activities of an EU establishment and the processing of data carried out by a non-EU controller, regardless of whether the EU establishment plays a role in that processing; or

  • a local establishment raises revenue in the EU, to the extent that such activities can be considered “inextricably linked” to the processing of personal data taking place outside the EU and to individuals in the EU.

The interpretation of the EDPB is at least arguable, since it might extend the applicability of the GDPR to any business that has, directly or indirectly, a presence in the European Union (e.g. through an EU based marketing entity), even if no data processing activity relating to the non-EU business is performed through such presence.

What shall data controllers and data processors do?

The consequence of the above is that, according to the EDPB Guidelines on Territorial Scope:

  • if a non-EU established data processor processes data on behalf of an EU established data controller, a GDPR compliant data processing agreement shall be entered into between the parties to regulate the processing and the data transfer;
  • if an EU established data processor processes data on behalf of a non-EU established data controller, the controller will not become subject to the GDPR controller obligations simply because it chooses to use an EU processor. But the processor will still be subject to the GDPR provisions directly applicable to data processors, including the obligations to (i) enter into a data processing agreement, (ii) process data only on instructions from the controller, (iii) maintain a record of all categories of processing carried out on behalf of a controller, (iv) implement technical and organisational measures to ensure a level of security appropriate to the risk, appointing a DPO where required, and (v) adopt GDPR compliant data transfer agreements.

This interpretation might lead to a potential discrimination against EU established data processors, which would be subject to stricter obligations than their competitors even when they offer services to entities to which the GDPR does not apply.

The targeting principle for non-EU establishments can still make the GDPR applicable

The expanded concept of privacy establishment is a minor change compared to the massive effects that can derive from the targeting principle. According to that rule, the General Data Protection Regulation applies to the processing of personal data of data subjects who are in the European Union by a data controller or a data processor not established in the EU, where the processing activities are related to

the offering of goods or services – irrespective of whether they are free of charge or require a payment – to such data subjects in the EU

The rationale is to protect individuals in Europe regardless of where the company offering the goods and services is located, which in a global economy and with the ubiquity of the Internet might be anywhere in the world.

The consequence of the above is that a US or an Asian Internet company with no establishment in the European Union, but actively promoting and selling its products to EU customers, is likely to be required to comply with EU data protection law. However, in order to avoid catching companies with no relevant business in the EU (which might otherwise simply stop their sales in the EU), the GDPR clarifies that, in order to assess whether it applies, it should be determined whether

it is apparent that the controller is envisaging the offering of services to data subjects in one or more Member States in the Union.

What shall data controllers and data processors do?

According to the EDPB Guidelines on Territorial Scope, the following factors are to be considered in assessing whether the requirements of the targeting principle are met:

  • The EU or at least one Member State is designated by name with reference to the good or service offered;
  • The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union; or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience;
  • The mention of dedicated addresses or phone numbers to be reached from an EU country;
  • The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”;
  • The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member states;
  • The data controller offers the delivery of goods in EU Member States.

The EDPB clearly excludes from the applicability of the GDPR data processing activities that are merely incidental, e.g. an app dedicated to tourists in the US which is purchased in the US and brought into the EU, but other scenarios might remain unclear.

If a non-EU entity monitors users in the EU, the EU General Data Protection Regulation might apply

The last criterion that makes the GDPR applicable is

the monitoring of their behavior as far as their behavior takes place within the EU.

According to the EDPB Guidelines on Territorial Scope, the behaviour monitored must first relate to a data subject in the European Union and, as a cumulative criterion, the monitored behaviour must take place within the territory of the European Union. The EDPB does not consider that any online collection or analysis of personal data of individuals in the EU would automatically count as “monitoring”. It will be necessary to consider the controller’s purpose for processing the data and, in particular, any subsequent behavioural analysis or profiling techniques involving that data.

What shall data controllers and data processors do?

The EDPB listed among scenarios where the GDPR can be applicable according to such criterion the following:

  • behavioural advertising, like the one run through cookies and fingerprinting technologies
  • Geo-localisation activities, in particular for marketing purposes
  • Online tracking through the use of cookies (Read on the topic “Sites ready for new Italian privacy cookies rules?“) or other tracking techniques such as fingerprinting (Read on the topic “Fingerprinting treated like cookies under privacy law“)
  • Personalised diet and health analytics services online
  • CCTV
  • Market surveys and other behavioural studies based on individual profiles
  • Monitoring or regular reporting on an individual’s health status

These categories are extremely broad, and my concern is that they might apply to any company running a website, risking making the GDPR applicable to the whole Internet.

The obligation to appoint an EU representative for non-EU entities under the GDPR

The role and responsibilities of EU representatives under European privacy law have always been quite unclear. Data controllers and processors established outside the EU but subject to the GDPR are required to designate a representative in the EU, unless the processing is occasional and does not include, on a large scale, processing of special categories of data or processing of personal data relating to criminal convictions and offences. The term “occasional” has not been clarified by the EDPB Guidelines on Territorial Scope.

According to the EDPB, the EU representative must facilitate communication between data subjects and the controller or processor represented, in order to make the exercise of data subjects’ rights effective, as well as communication with the data protection supervisory authorities. For this purpose, it shall maintain a record of the processing activities under the responsibility of the controller or processor.

What shall data controllers and data processors do?

The role of the EU representative arising from the GDPR appeared, in my view, to be more that of a mere point of contact. On the contrary, the EDPB wants to increase its relevance, even expressly providing that authorities might start enforcement actions against a representative in the same way as against controllers or processors, which includes the possibility to impose administrative fines and penalties and to hold the GDPR EU representative liable.

This is a massive change that can be highly criticised, since making the EU representative liable will not make enforcement more effective: companies might find ways to bypass the enforcement.

This is one of the most relevant aspects to be addressed as part of the current consultation on the EDPB Guidelines on Territorial Scope. Indeed, it seems to me that the EDPB is trying to go beyond what is provided by the European General Data Protection Regulation, imposing obligations that might be difficult to manage for any business.

You may also find interesting, on the same topic, my series of articles on the different aspects of the GDPR.

#1 Which companies shall care about it?

#2 Will fines be really massive?

#3 Did you run a privacy impact assessment?

#4 New risks for tech suppliers

#5 What changes with the one stop shop rule?

#6 How the new privacy data portability right impacts your industry

#7 What issues for Artificial Intelligence?

#8 How to get the best out of data?

#9 Are you able to monitor your suppliers, agents and shops?

#10 What liabilities for the data protection officer?

#11 Are you able to handle a data breach?

#12 Privacy by design, how to do it?

#13 How data on criminal convictions of employees become a privacy risk

#14 Red flag from privacy authorities on technologies at work

#15 Need a GDPR compliant data processing agreement?

#16 Is your customers’ data protected from your employees?

#18 Data retention periods, an intrigued rebus under the GDPR

#19 Legitimate interest and privacy consent, how to use them?

#20 How privacy consent changes with the GDPR?

#21 Privacy information notice: how to make it transparent when it’s complex?

#22 How direct marketing changes with the GDPR?

Giulio Coraggio

I am the head of the Italian Technology sector and the global head of the IoT and Gaming and Gambling groups at the world leading law firm DLA Piper. Top global IoT influencer and FinTech lover, finding solutions to what's next for our clients' success.