On November 16, 2018, the European Data Protection Board (EDPB) adopted guidelines on the territorial application of the GDPR: Guidelines 3/2018 on the territorial scope of Regulation 2016/679/EU (version for public consultation). The guidelines are now open to public consultation.
The Guidelines aim at clarifying the territorial scope of the GDPR, in particular where the data controller or processor is established outside of the EU.
The EDPB sets out and clarifies the criteria for determining whether the controller or the processor has an “establishment in the Union” (GDPR Article 3.1), the meaning of “offering of goods or services” to data subjects in the Union (Article 3.2(a), where the EDPB for the first time expressly uses the concept of “targeting”), and the meaning of “monitoring” (Article 3.2(b), which must be purposeful and aimed at profiling). The document also deals with the processing of personal data where EU law applies by virtue of public international law (Article 3.3).
Significantly, the Guidelines also explain that having a processor in the EU does not amount to having an establishment there.
In addition, the Guidelines deal with the process for designating a representative in the Union under Article 27 of the GDPR for those organizations that have no establishment in the Union but are nonetheless subject to the GDPR under Article 3.2; the Guidelines also clarify the role of this representative.
The EDPB recommends that non-EU organizations undertake an assessment of their processing activities, determining whether personal data of EU data subjects are being processed and what this processing relates to. If links to the Union are identified, the nature of these links will generally be key in determining whether the GDPR applies to the processing in question.
The Guidelines offer several examples which can guide controllers and processors in deciding whether the GDPR applies to them.
The Guidelines are important and contain many important clarifications (on which we will have the opportunity to comment further soon), but they leave several issues unanswered. One example is the meaning of “occasional” processing, which is one of the elements of the exception to the duty to appoint a representative in the Union. More importantly, the precise extent of “in the context of the activities of an establishment in the Union” remains unclear in cases where the linkage is loose. The EDPB tells us that this language “cannot be interpreted restrictively” but “should not be interpreted too broadly to conclude that the existence of any presence in the EU with even the remotest links to the data processing activities of a non-EU entity will be sufficient to bring this processing within the scope of EU data protection law” (Guidelines at 6). This is a fundamental point: while the EDPB tells us that “The text of Article 3.1 does not restrict the application of the GDPR to the processing of personal data of individuals who are in the Union”, it was probably not the intention of the GDPR to bring within its scope the processing of data of non-EU residents merely because the organization happens to have a minimal establishment in the EU.
Let’s imagine the case of a tour operator from Japan that serves a Japanese clientele and organizes trips all over the world for its Japanese customers, booking flights and hotels for them. Let’s imagine that it has a person based in Spain (exactly as it has in other parts of the world) whose job is to resolve any issues that the Japanese customers might encounter in Spain. This person might interact with, for example, 2% of the tour operator’s entire customer base, and the data relating to those interactions is processed in Japan, together with the data of the other 98% of customers. It might be said that through this person there is a “real and effective activity – even a minimal one” in the Union (p. 6) and that the processing done in relation to this 2% of Japanese customers must be subject to the GDPR. However, the problem is the following: is the processing of the data of the remaining 98% of customers also subject to the GDPR? The Guidelines do not seem to answer this question.