
Draft GDPR Territorial Scope Guidelines Released

November 27, 2018

The European Data Protection Board (EDPB) has released draft Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) for public consultation and is welcoming comments until January 18, 2019. These guidelines have been long awaited by Canadian-based companies that, while having no physical presence in the EU, have been struggling to determine whether they are nonetheless subject to the GDPR by virtue of Article 3(2), which extends the application of the GDPR to controllers and processors not established in the Union that (a) offer goods or services to EU data subjects or (b) monitor their behaviour as far as it takes place in the EU.

In relation to Article 3(2), the guidelines recommend a two-fold approach:

  1. determine whether the processing relates to personal data of data subjects who are in the EU, and
  2. determine whether the processing relates to the offering of goods or services or to the monitoring of data subjects' behaviour in the EU.

Data subjects in the EU

In determining whether data subjects are in the EU, the guidelines highlight the following:

  • "While the location of the data subject in the territory of the Union is a determining factor for the application of the targeting criterion as per Article 3(2)... the nationality or legal status of a data subject who is in the Union cannot limit or restrict the territorial scope of the GDPR." (In other words, the GDPR will apply if a data subject is in the EU, regardless of nationality or legal status.);
  • "The requirement that the data subject be located in the Union must be assessed at the moment when the relevant trigger activity takes place, i.e. at the moment of offering of goods or services or the moment when the behaviour is being monitored, regardless of the duration of the offer made or monitoring undertaken.";
  • "[T]he fact of processing personal data of an individual in the Union alone is not sufficient to trigger the application of the GDPR to processing activities of a controller or processor not established in the Union. The element of 'targeting' individuals in the EU, either by offering goods or services to them or by monitoring their behaviour... must always be present in addition." [emphasis added]; and
  • "[T]he processing of personal data of EU citizens or residents that takes place in a third country does not trigger the application of the GDPR, as long as the processing is not related to a specific offer directed at individuals in the EU or to a monitoring of their behaviour in the Union."

Offering of goods or services to EU data subjects

In determining whether goods and services are being offered to EU data subjects, the guidelines list factors that could inter alia be taken into consideration, possibly in combination with one another:

  • The EU or at least one Member State is designated by name with reference to the good or service offered;
  • The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union; or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience;
  • The international nature of the activity at issue, such as certain tourist activities;
  • The mention of dedicated addresses or phone numbers to be reached from an EU country;
  • The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example ".de", or the use of neutral top-level domain names such as ".eu";
  • The description of travel instructions from one or more other EU Member States to the place where the service is provided;
  • The mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;
  • The use of a language or a currency other than that generally used in the trader's country, especially a language or currency of one or more EU Member States; and
  • The data controller offers the delivery of goods in EU Member States.

The guidelines go on to state that "[s]everal of the elements listed above, if taken alone may not amount to a clear indication of the intention of a data controller to offer goods or services to data subjects in the Union, however, they should each be taken into account in any in concreto analysis in order to determine whether the combination of factors relating to the data controller's commercial activities can together be considered as an offer of goods or services directed at data subjects in the Union."

Finally, in relation to the offering of goods or services to EU data subjects, the guidelines emphasize that: "It is however important to recall that Recital 23 confirms that the mere accessibility of the controller's, processor's or an intermediary's website in the Union, the mention on the website of its e-mail or geographical address, or of its telephone number without an international code, does not, of itself, provide sufficient evidence to demonstrate the controller or processor's intention to offer goods or a services to a data subject located in the Union."

Monitoring of EU data subjects' behaviour

As for monitoring the behaviour of EU data subjects that takes place in the EU, the guidelines state that: "The EDPB does not consider that any online collection or analysis of personal data of individuals in the EU would automatically count as 'monitoring'. It will be necessary to consider the controller's purpose for processing the data and, in particular, any subsequent behavioural analysis or profiling techniques involving that data." The guidelines identify the following activities as examples of "monitoring":

  • Behavioural advertisement;
  • Geo-localisation activities, in particular for marketing purposes;
  • Online tracking through the use of cookies or other tracking techniques such as fingerprinting;
  • Personalised diet and health analytics services online;
  • CCTV;
  • Market surveys and other behavioural studies based on individual profiles; and
  • Monitoring or regular reporting on an individual's health status.

In addition to clarifying the scope of application of Article 3(2), the guidelines also describe the meaning of the "establishment" criterion within the meaning of Article 3(1) and offer further clarity on situations where a controller is not established in the EU, but is in a place where Member State law applies by virtue of public international law, and therefore is subject to GDPR by virtue of Article 3(3).

We will be commenting on these guidelines briefly on our next monthly call scheduled for tomorrow, November 28, 2018 at 11:30 a.m. EST.
