Guidelines No. 3/2018 regarding the territorial scope of the GDPR – are non-EU entities subject to the GDPR?
The European Data Protection Board (EDPB), the successor of the Article 29 Working Party, adopted Guidelines No. 3/2018 on the territorial scope of the GDPR last month. The purpose of the document is to establish a uniform interpretation of the provisions of the GDPR that govern the scope of its application and to resolve the doubts of entities processing personal data that arise from the application of Articles 3 and 27 of the GDPR.
Until the GDPR became applicable, the European rules on the processing of personal data applied, in practice, almost exclusively to entities established in the EU. The GDPR significantly expanded the circle of entities obliged to comply with the data protection rules resulting from the Regulation. Art. 3 of the GDPR sets out two criteria that determine whether controllers and processors from outside the EU fall within its scope: a territorial criterion (the EDPB calls it the "establishment" criterion, Art. 3(1)) and a personal criterion (the "targeting" criterion, Art. 3(2)). If at least one of them is met, personal data must be processed in accordance with the requirements of the GDPR.
The GDPR applies to the processing of personal data by a controller or processor in the context of the activities of its establishment in the European Union. A local office, branch, subsidiary, agency or bureau may be considered an establishment. The legal form is not decisive; what matters is the effective and real exercise of activity (not necessarily economic activity) through stable arrangements.
Importantly, the EDPB emphasizes that this covers not only personal data processed directly by the establishment located in the EU, but also processing carried out by another entity of the organisation, provided that the processing is inextricably linked to the activities of that EU establishment. Whether the data processing itself takes place inside or outside the EU is irrelevant.
The GDPR also applies to processing by a controller that is not established in the EU but in a place where the law of a Member State applies by virtue of public international law (Art. 3(3)).
As an example of an entity to which the GDPR applies on the basis of the territorial criterion, the EDPB points to a Chinese e-commerce company that has an office in Berlin running marketing campaigns aimed at the EU market. Although all personal data is processed exclusively in China, this processing is subject to the GDPR because of its connection with the activities of the Berlin office.
Even if a controller or processor has no establishment in the EU, its processing of personal data is subject to the GDPR when the processing is related to:
- the offering of goods or services to data subjects in the EU, irrespective of whether a payment is required,
- the monitoring of the behaviour of data subjects, as far as their behaviour takes place within the EU.
According to the EDPB, such processing takes place, for example, in the case of:
- a non-EU entity offering users in the EU an application for visiting European cities which, based on data about the user, displays information about nearby attractions and restaurants,
- an online store that offers goods to customers in the EU, e.g. by delivering to EU countries, accepting payment in the currency of an EU Member State, operating a helpline for EU users, etc.
The mere accessibility of a website from the EU, or the use of a language that is also used in the controller's own country, is not in itself sufficient to show an intention to offer goods or services to data subjects in the EU (Recital 23). Entities required to comply with the GDPR on the basis of the personal (targeting) criterion may additionally be obliged, pursuant to Art. 27(1) of the GDPR, to designate a representative in the EU, subject to the exemptions set out in Art. 27(2).
Given the complexity of the question of the territorial scope of the GDPR, controllers and processors to which one of the above criteria may apply should carry out a detailed analysis to determine whether they are obliged to comply with the GDPR. This applies in particular to entities whose business is based on the cross-border provision of services or sale of goods.