Guidelines 03/2018 on Territorial Scope of Article 3 GDPR

SECTION  START   INTRODUCTION

The territorial scope of General Data Protection Regulation (the GDPR or the Regulation) is determined by Article 3 of the Regulation and represents a significant evolution of the EU data protection law compared to the framework defined byDirective 95/46/EC2. In part, the GDPR confirms choices made by the EU legislator and the Court of Justice of the European Union (CJEU) in the context of Directive 95/46/EC. However, important new elements have been introduced. Most importantly, the main objective of Article 4 of the Directive was to define which Member State’s national law is applicable, whereas Article 3 of the GDPR defines the territorial scope of a directly applicable text. Moreover, while Article 4 of the Directive made reference to the ‘use of equipment’ in the Union’s territory as a basis for bringing controllers who were “not established on Community territory” within the scope of EU data protection law, such a reference does not appear in Article 3 of the GDPR.

Article 3 of the GDPR reflects the legislator’s intention to ensure comprehensive protection of the rights of data subjectsin theEU and to establish, in terms of dataprotection requirement, a level playing field for companies active on the EU markets, in a context of worldwide data flows.

Article 3 of the GDPR defines the territorial scope of the Regulation on the basis of two main criteria: the “establishment” criterion, as per Article 3(1), and the “targeting” criterion as per Article 3(2). Where one of these two criteria is met, the relevant provisions of the GDPR will apply to relevant processing of personal data by the controller or processor concerned. In addition, Article 3(3) confirms the application of the GDPR to the processing where Member State law applies by virtue of public international law.

Through a common interpretation by data protection authorities in the EU, these guidelines seek to ensure a consistent application of the GDPR when assessing whether particular processing by a controller or a processor falls within the scope of the new EU legal framework. In these guidelines, the EDPB sets out and clarifies the criteria for determining the application of the territorial scope of the GDPR. Such a common interpretation is also essential for controllers and processors, both within and outside the EU, so that they may assess whether they need to comply with the GDPRfor a given processingactivity.

As controllers or processors not established in the EU but engaging in processing activities falling within Article 3(2) are required to designate a representative in the Union, these guidelines will also provide clarification on the process for the designation of this representative under Article 27 and its responsibilities and obligations.

As a general principle, the EDPB asserts that where the processing of personal data falls within the territorial scope of the GDPR, all provisions of the Regulation apply to such processing. These guidelines will specify the various scenarios that may arise, depending on the type of processing activities, the entity carrying out these processing activities or the location of such entities, and will detail the provisions applicable to each situation. It is therefore essential that controllers and processors, especially those offering goods and services at international level, undertake a careful and in concreto assessment of their processing activities, in order to determine whether the related processing of personal data falls under the scope of the GDPR.

The EDPB underlines that the application of Article 3 aims at determining whether a particular processing activity, rather than aperson (legal or natural), falls within the scope of the GDPR. Consequently, certain processing of personal data by a controlleror processor might fall within the scope of the Regulation, while other processing of personal data by that same controller or processor might not, depending on the processing activity.

These guidelines, initially adopted by the EDPB on 16 November, have been submitted to a public consultation from 23-rd November 2018 to 18th January 2019 and have been updated taking into account the contributions and feedback received.