Guidelines 03/2018 on Territorial Scope of Article 3 GDPR
SECTION 2 APPLICATION OF THE TARGETING CRITERION – ART 3 (2)
The absence of an establishment in the Union does not necessarily mean that processing activities by a data controller or processor established in a third country will be excluded from the scope of the GDPR, since Article 3(2) sets out the circumstances in which the GDPR applies to a controller or processor not established in the Union, depending on their processing activities.
In this context, the EDPB confirms that in the absence of an establishment in the Union, a controller or processor cannot benefit from the one-stop shop mechanism provided for in Article 56 of the GDPR. Indeed, the GDPR’s cooperation and consistency mechanism only applies to controllers and processors with an establishment, or establishments, within the European Union.
While the present guidelines aim to clarify the territorial scope of the GDPR, the EDPB also wishes to stress that controllers and processors will need to take into account other applicable texts, such as EU or Member States’ sectoral legislation and national laws. Several provisions of the GDPR indeed allow Member States to introduce additional conditions and to define a specific data protection framework at national level in certain areas or in relation to specific processing situations.
Controllers and processors must therefore ensure that they are aware of, and comply with, these additional conditions and frameworks, which may vary from one Member State to another. Such variations in the data protection provisions applicable in each Member State are particularly notable in relation to the provisions of Article 8 (providing that the age at which children may give valid consent in relation to the processing of their data by information society services may vary between 13 and 16), of Article 9 (in relation to the processing of special categories of data), of Article 23 (restrictions), and the provisions contained in Chapter IX of the GDPR (freedom of expression and information; public access to official documents; national identification number; employment context; processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; secrecy; churches and religious associations).
Article 3(2) of the GDPR provides that “this Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
The application of the “targeting criterion” towards data subjects who are in the Union, as per Article 3(2), can be triggered by processing activities carried out by a controller or processor not established in the Union which relate to two distinct and alternative types of activities provided that these processing activities relate to data subjects that are in the Union. In addition to being applicable only to processing by a controller or processor not established in the Union, the targeting criterion largely focuses on what the “processing activities” are “related to”, which is to be considered on a case-by-case basis.
The EDPB stresses that a controller or processor may be subject to the GDPR in relation to some of its processing activities but not subject to the GDPR in relation to other processing activities. The determining element to the territorial application of the GDPR as per Article 3(2) lies in the consideration of the processing activities in question.
In assessing the conditions for the application of the targeting criterion, the EDPB therefore recommends a twofold approach, in order to determine first that the processing relates to personal data of data subjects who are in the Union, and second whether processing relates to the offering of goods or services or to the monitoring of data subjects’ behaviour in the Union.
a) Data subjects in the Union
The wording of Article 3(2) refers to “personal data of data subjects who are in the Union”. The application of the targeting criterion is therefore not limited by the citizenship, residence or other type of legal status of the data subject whose personal data are being processed. Recital 14 confirms this interpretation and states that “[t]he protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data”.
This provision of the GDPR reflects EU primary law which also lays down a broad scope for the protection of personal data, not limited to EU citizens, with Article 8 of the Charter of Fundamental Rights providing that the right to the protection of personal data is not limited but is for “everyone”.
While the location of the data subject in the territory of the Union is a determining factor for the application of the targeting criterion as per Article 3(2), the EDPB considers that the nationality or legal status of a data subject who is in the Union cannot limit or restrict the territorial scope of the Regulation.
The requirement that the data subject be located in the Union must be assessed at the moment when the relevant trigger activity takes place, i.e. at the moment of offering of goods or services or the moment when the behaviour is being monitored, regardless of the duration of the offer made or monitoring undertaken.
The EDPB considers however that, in relation to processing activities related to the offer of services, the provision is aimed at activities that intentionally, rather than inadvertently or incidentally, target individuals in the EU. Consequently, if the processing relates to a service that is only offered to individuals outside the EU but the service is not withdrawn when such individuals enter the EU, the related processing will not be subject to the GDPR. In this case the processing is not related to the intentional targeting of individuals in the EU but relates to the targeting of individuals outside the EU which will continue whether they remain outside the EU or whether they visit the Union.
Example 8: An Australian company offers a mobile news and video content service, based on users’ preferences and interests. Users can receive daily or weekly updates. The service is offered exclusively to users located in Australia, who must provide an Australian phone number when subscribing.
An Australian subscriber of the service travels to Germany on holiday and continues using the service.
Although the Australian subscriber will be using the service while in the EU, the service is not ‘targeting’ individuals in the Union, but targets only individuals in Australia, and so the processing of personal data by the Australian company does not fall within the scope of the GDPR.
Example 9: A start-up established in the USA, without any business presence or establishment in the EU, provides a city-mapping application for tourists. The application processes personal data concerning the location of customers using the app (the data subjects) once they start using the application in the city they visit, in order to offer targeted advertisements for places to visit, restaurants, bars and hotels. The application is available for tourists while they visit New York, San Francisco, Toronto, Paris and Rome.
The US start-up, via its city-mapping application, is specifically targeting individuals in the Union (namely in Paris and Rome) by offering its services to them when they are in the Union. The processing of the EU-located data subjects’ personal data in connection with the offering of the service falls within the scope of the GDPR as per Article 3(2)(a). Furthermore, by processing data subjects’ location data in order to offer targeted advertisements on the basis of their location, the processing activities also relate to the monitoring of the behaviour of individuals in the Union. The US start-up’s processing therefore also falls within the scope of the GDPR as per Article 3(2)(b).
The EDPB also wishes to underline that the fact of processing personal data of an individual in the Union alone is not sufficient to trigger the application of the GDPR to processing activities of a controller or processor not established in the Union. The element of “targeting” individuals in the EU, either by offering goods or services to them or by monitoring their behaviour (as further clarified below), must always be present in addition.
Moreover, it should be noted that the processing of personal data of EU citizens or residents that takes place in a third country does not trigger the application of the GDPR, as long as the processing is not related to a specific offer directed at individuals in the EU or to a monitoring of their behaviour in the Union.
Example 11: A bank in Taiwan has customers that are residing in Taiwan but hold German citizenship. The bank is active only in Taiwan; its activities are not directed at the EU market. The bank’s processing of the personal data of its German customers is not subject to the GDPR.
Example 12: The Canadian immigration authority processes personal data of EU citizens when entering the Canadian territory for the purpose of examining their visa application. This processing is not subject to the GDPR.
b) Offering of goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the Union
The first activity triggering the application of Article 3(2) is the “offering of goods or services”, a concept which has been further addressed by EU law and case law, which should be taken into account when applying the targeting criterion. The offering of services also includes the offering of information society services, defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 as “any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”.
Article 3(2)(a) specifies that the targeting criterion concerning the offering of goods or services applies irrespective of whether a payment by the data subject is required. Whether the activity of a controller or processor not established in the Union is to be considered as an offer of goods or services therefore does not depend on whether payment is made in exchange for the goods or services provided.
Example 13: A US company, without any establishment in the EU, processes personal data of its employees that were on a temporary business trip to France, Belgium and the Netherlands for human resources purposes, in particular to proceed with the reimbursement of their accommodation expenses and the payment of their daily allowance, which vary depending on the country they are in.
In this situation, while the processing activity is specifically connected to persons on the territory of the Union (i.e. employees who are temporarily in France, Belgium and the Netherlands), it does not relate to an offer of a service to those individuals, but rather is part of the processing necessary for the employer to fulfil its contractual obligations and human resources duties related to the individuals’ employment. The processing activity does not relate to an offer of a service and is therefore not subject to the provisions of the GDPR as per Article 3(2)(a).
Another key element to be assessed in determining whether the Article 3(2)(a) targeting criterion can be met is whether the offer of goods or services is directed at a person in the Union, or in other words, whether the conduct on the part of the controller, which determines the means and purposes of processing, demonstrates its intention to offer goods or services to a data subject located in the Union. Recital 23 of the GDPR indeed clarifies that “in order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.”
The recital further specifies that “whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”
The elements listed in Recital 23 echo and are in line with the CJEU case law based on Council Regulation 44/2001 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters, and in particular its Article 15(1)(c). In Pammer v Reederei Karl Schlüter GmbH & Co and Hotel Alpenhof v Heller (Joined cases C-585/08 and C-144/09), the Court was asked to clarify what it means to “direct activity” within the meaning of Article 15(1)(c) of Regulation 44/2001 (Brussels I). The CJEU held that, in order to determine whether a trader can be considered to be “directing” its activity to the Member State of the consumer’s domicile, within the meaning of Article 15(1)(c) of Brussels I, the trader must have manifested its intention to establish commercial relations with such consumers. In this context, the CJEU considered evidence able to demonstrate that the trader was envisaging doing business with consumers domiciled in a Member State.
While the notion of “directing an activity” differs from the “offering of goods or services”, the EDPB deems that this case law in Pammer v Reederei Karl Schlüter GmbH & Co and Hotel Alpenhof v Heller (Joined cases C-585/08 and C-144/09) might be of assistance when considering whether goods or services are offered to a data subject in the Union. When taking into account the specific facts of the case, the following factors could therefore inter alia be taken into consideration, possibly in combination with one another:
– The EU or at least one Member State is designated by name with reference to the good or service offered;
– The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union; or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience;
– The international nature of the activity at issue, such as certain tourist activities;
– The mention of dedicated addresses or phone numbers to be reached from an EU country;
– The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”;
– The description of travel instructions from one or more other EU Member States to the place where the service is provided;
– The mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;
– The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member States;
– The data controller offers the delivery of goods in EU Member States.
As already mentioned, several of the elements listed above, if taken alone, may not amount to a clear indication of the intention of a data controller to offer goods or services to data subjects in the Union. They should nevertheless each be taken into account in any in concreto analysis, in order to determine whether the combination of factors relating to the data controller’s commercial activities can together be considered as an offer of goods or services directed at data subjects in the Union.
It is however important to recall that Recital 23 confirms that the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, the mention on the website of its e-mail or geographical address, or of its telephone number without an international code, does not, of itself, provide sufficient evidence to demonstrate the controller’s or processor’s intention to offer goods or services to a data subject located in the Union. In this context, the EDPB recalls that when goods or services are inadvertently or incidentally provided to a person on the territory of the Union, the related processing of personal data would not fall within the territorial scope of the GDPR.
Example 14: A website, based and managed in Turkey, offers services for the creation, editing, printing and shipping of personalised family photo albums. The website is available in English, French, Dutch and German and payments can be made in Euros. The website indicates that photo albums can only be delivered by post mail in France, Benelux countries and Germany.
In this case, it is clear that the creation, editing and printing of personalised family photo albums constitute a service within the meaning of EU law. The fact that the website is available in four languages of the EU and that photo albums can be delivered by post in five EU Member States (France, Belgium, the Netherlands, Luxembourg and Germany) demonstrates that there is an intention on the part of the Turkish website to offer its services to individuals in the Union.
As a consequence, it is clear that the processing carried out by the Turkish website, as a data controller, relates to the offering of a service to data subjects in the Union and is therefore subject to the obligations and provisions of the GDPR, as per its Article 3(2)(a).
In accordance with Article 27, the data controller will have to designate a representative in the Union.
Example 15: A private company based in Monaco processes personal data of its employees for the purposes of salary payment. A large number of the company’s employees are French and Italian residents.
In this case, while the processing carried out by the company relates to data subjects in France and Italy, it does not take place in the context of an offer of goods or services. Indeed, human resources management, including salary payment, by a third-country company cannot be considered as an offer of a service within the meaning of Article 3(2)(a). The processing at stake does not relate to the offer of goods or services to data subjects in the Union (nor to the monitoring of their behaviour) and, as a consequence, is not subject to the provisions of the GDPR, as per Article 3.
This assessment is without prejudice to the applicable law of the third country concerned.
Example 16: A Swiss university in Zurich is launching its Master’s degree selection process by making available an online platform where candidates can upload their CV and cover letter, together with their contact details. The selection process is open to any student with a sufficient level of German and English and holding a Bachelor’s degree. The university does not specifically advertise to students in EU universities, and only takes payment in Swiss currency.
As there is no distinction or specification for students from the Union in the application and selection process for this Master’s degree, it cannot be established that the Swiss university has the intention to target students from particular EU Member States. The sufficient level of German and English is a general requirement that applies to any applicant, whether a Swiss resident, a person in the Union or a student from a third country. Without other factors to indicate the specific targeting of students in EU Member States, it therefore cannot be established that the processing in question relates to the offer of an education service to data subjects in the Union, and such processing will therefore not be subject to the GDPR provisions.
The Swiss university also offers summer courses in international relations and specifically advertises this offer in German and Austrian universities in order to maximise the courses’ attendance. In this case, there is a clear intention on the part of the Swiss university to offer this service to data subjects who are in the Union, and the GDPR will apply to the related processing activities.
c) Monitoring of data subjects’ behaviour
The second type of activity triggering the application of Article 3(2) is the monitoring of data subject behaviour as far as their behaviour takes place within the Union.
Recital 24 clarifies that “[t]he processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union.”
For Article 3(2)(b) to trigger the application of the GDPR, the behaviour monitored must first relate to a data subject in the Union and, as a cumulative criterion, the monitored behaviour must take place within the territory of the Union.
The nature of the processing activity which can be considered as behavioural monitoring is further specified in Recital 24 which states that “in order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.” While Recital 24 exclusively relates to the monitoring of a behaviour through the tracking of a person on the internet, the EDPB considers that tracking through other types of network or technology involving personal data processing should also be taken into account in determining whether a processing activity amounts to a behavioural monitoring, for example through wearable and other smart devices.
As opposed to the provision of Article 3(2)(a), neither Article 3(2)(b) nor Recital 24 expressly introduces a necessary degree of “intention to target” on the part of the data controller or processor in order to determine whether the monitoring activity would trigger the application of the GDPR to the processing activities. However, the use of the word “monitoring” implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behaviour within the EU. The EDPB does not consider that any online collection or analysis of personal data of individuals in the EU would automatically count as “monitoring”. It will be necessary to consider the controller’s purpose for processing the data and, in particular, any subsequent behavioural analysis or profiling techniques involving that data. The EDPB takes into account the wording of Recital 24, which indicates that, to determine whether processing involves monitoring of a data subject’s behaviour, the tracking of natural persons on the Internet, including the potential subsequent use of profiling techniques, is a key consideration.
The application of Article 3(2)(b) where a data controller or processor monitors the behaviour of data subjects who are in the Union could therefore encompass a broad range of monitoring activities, including in particular:
– Behavioural advertisement
– Geo-localisation activities, in particular for marketing purposes
– Personalised diet and health analytics services online
– Market surveys and other behavioural studies based on individual profiles
– Monitoring or regular reporting on an individual’s health status
Example 17: A retail consultancy company established in the US provides advice on retail layout to a shopping centre in France, based on an analysis of customers’ movements throughout the centre collected through Wi-Fi tracking.
The analysis of customers’ movements within the centre through Wi-Fi tracking amounts to the monitoring of individuals’ behaviour. In this case, the data subjects’ behaviour takes place in the Union since the shopping centre is located in France. The consultancy company, as a data controller, is therefore subject to the GDPR in respect of the processing of this data for this purpose, as per Article 3(2)(b).
In accordance with Article 27, the data controller will have to designate a representative in the Union.
Example 18: An app developer established in Canada, with no establishment in the Union, monitors the behaviour of data subjects in the Union and is therefore subject to the GDPR, as per Article 3(2)(b). The developer uses a processor established in the US for app optimisation and maintenance purposes.
In relation to this processing, the Canadian controller has the duty to only use appropriate processors and to ensure that its obligations under the GDPR are reflected in the contract or legal act governing the relation with its processor in the US, pursuant to Article 28.
d) Processor not established in the Union
Processing activities which are “related” to the targeting activity that triggered the application of Article 3(2) fall within the territorial scope of the GDPR. The EDPB considers that there needs to be a connection between the processing activity and the offering of goods or services or the monitoring of behaviour, and that processing by both a controller and a processor is relevant and to be taken into account.
When it comes to a data processor not established in the Union, in order to determine whether its processing may be subject to the GDPR as per Article 3(2), it is necessary to look at whether the processing activities by the processor “are related” to the targeting activities of the controller.
The EDPB considers that, where processing activities by a controller relate to the offering of goods or services or to the monitoring of individuals’ behaviour in the Union (‘targeting’), any processor instructed to carry out that processing activity on behalf of the controller will fall within the scope of the GDPR by virtue of Article 3(2) in respect of that processing.
The ‘targeting’ character of a processing activity is linked to its purposes and means; a decision to target individuals in the Union can only be made by an entity acting as a controller. This interpretation does not rule out the possibility that the processor may actively take part in processing activities related to carrying out the targeting criteria (i.e. the processor offers goods or services or carries out monitoring actions on behalf of, and on instruction from, the controller).
The EDPB therefore considers that the focus should be on the connection between the processing activities carried out by the processor and the targeting activity undertaken by a data controller.
Example 19: A Brazilian company sells food ingredients and local recipes online, making this offer of goods available to persons in the Union by advertising these products and offering delivery in France, Spain and Portugal. In this context, the company instructs a data processor, also established in Brazil, to develop special offers for customers in France, Spain and Portugal on the basis of their previous orders and to carry out the related data processing.
The processing activities by the processor, under the instruction of the data controller, are related to the offer of goods to data subjects in the Union. Furthermore, by developing these customised offers, the data processor directly monitors data subjects in the EU. The processing by the processor is therefore subject to the GDPR, as per Article 3(2).
Example 20: A US company has developed a health and lifestyle app, allowing users to record with the US company their personal indicators (sleep time, weight, blood pressure, heartbeat, etc.). The app then provides users with daily food and sport recommendations. The processing is carried out by the US data controller. The app is made available to, and is used by, individuals in the Union. For the purpose of data storage, the US company uses a processor established in the US (a cloud service provider).
To the extent that the US company is monitoring the behaviour of individuals in the EU in operating the health and lifestyle app, it will be ‘targeting’ individuals in the EU and its processing of the personal data of individuals in the EU will fall within the scope of the GDPR under Article 3(2).
In carrying out the processing on instructions from, and on behalf of, the US company the cloud provider/processor is carrying out a processing activity ‘relating to’ the targeting of individuals in the EU by its controller. This processing activity by the processor on behalf of its controller falls within the scope of the GDPR under Art 3(2).
Example 21: A Turkish company offers cultural package tours in the Middle East with tour guides speaking English, French and Spanish. The package tours are notably advertised and offered through a website available in the three languages, allowing for online booking and payment in Euros and GBP. For marketing and commercial prospection purposes, the company instructs a data processor, a call centre established in Tunisia, to contact former customers in Ireland, France, Belgium and Spain in order to get feedback on their previous tours and inform them about new offers and destinations. The controller is ‘targeting’ by offering its services to individuals in the EU, and its processing will fall within the scope of Article 3(2).
The processing activities of the Tunisian processor, which promotes the controller’s services towards individuals in the EU, are also related to the offer of services by the controller and therefore fall within the scope of Article 3(2). Furthermore, in this specific case, the Tunisian processor actively takes part in processing activities related to carrying out the targeting criteria, by offering services on behalf of, and on instruction from, the Turkish controller.