EDPB Issues Much-Awaited Guidance On GDPR's Territorial Scope

On 16 November 2018, the European Data Protection Board (EDPB) adopted draft guidelines on the territorial scope of the General Data Protection Regulation (GDPR) (the guidelines).

This is the first of two blogs on the guidelines. This blog considers the extra-territorial scope of the GDPR. Next week, we will consider the need for non-European Union (EU) controllers to designate a representative located in the EU.

Territorial scope

The GDPR has extra-territorial effect. This means it can apply to companies based outside of the EU.

GDPR applies to a non-EU-based company where that company:

- Processes personal data in the context of the activities of an EU establishment (the establishment criterion);
- Processes personal data of an individual in the EU, for the purposes of either: (i) offering goods or services to that individual in the EU, or (ii) monitoring the behaviour of that individual in the EU (the targeting criterion); or
- Is subject to EU Member State law by virtue of public international law.

This has been an area of significant uncertainty for non-EU companies. The guidelines offer some much-needed clarity.

The establishment criterion

The EDPB breaks this criterion down into three separate considerations.

  1. The meaning of 'establishment'

    The EDPB clarifies that 'establishment' refers to the degree of stability of the arrangement between a non-EU-based company and a company located in the EU. The guidelines give the example of a U.S.-headquartered company with a branch and office in the EU to oversee its operations in Europe. This constitutes an EU establishment.

    'Establishment' will be assessed on the facts, taking into account the specific nature of the economic activities and the provision of services. The mere fact that a company's website is accessible in the EU does not constitute an establishment in the EU.

  2. The processing must be 'in the context of' the establishment's activities

    For GDPR to apply, the activities of the EU establishment and the data processing activities of the non-EU company must be 'inextricably linked'.

  3. Geographical location

    It is irrelevant whether the processing takes place in the EU or whether the individual is located in the EU or is an EU citizen. If the above two considerations are satisfied, the GDPR will apply.

The targeting criterion

The EDPB breaks this criterion down into two...
