The European Data Protection Board Issues Guidelines On GDPR's Territorial Scope

The European Data Protection Board ("EDPB" or the "Board") recently released new draft Guidelines 3/2018 on the territorial scope of the European Union's ("EU") General Data Protection Regulation ("GDPR") (the "Guidelines"). The Guidelines are intended to provide a common interpretation of Article 3 of the GDPR, and provide further clarification on the application of the GDPR, particularly where the data controller or processor is established outside of the EU. The EDPB has published this first version of the Guidelines to allow for public consultation about its contents until January 18, 2019, at which time the EDPB will issue a final version incorporating any changes or amendments made on the basis of comments received from stakeholders. The Guidelines are intended to assist both relevant data protection authorities and businesses by providing a common interpretation on the scope of application of the GDPR. We've broken them down and highlighted some of the key insights from the Board.

One of the biggest changes in the GDPR (as compared to the EU's Data Protection Directive (EU 95/46/EC), which it replaces) is its jurisdictional scope. Article 3 defines the territorial scope of the GDPR, explaining that the GDPR applies on the basis of three criteria:

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Although the Guidelines provide analysis on Articles 3(1), 3(2) and 3(3) of the GDPR, as well as additional clarification about the requirement for controllers and processors not established in the EU to appoint a representative, of primary relevance to most businesses are the discussion and examples relating to the "establishment" criterion, as set forth in Article 3(1), and the "targeting" criterion as set forth in Article 3(2). We have outlined the key information presented in the Guidelines below.

Key Issues Addressed by the Guidance

Article 3(1): The Establishment Criterion

The first criterion for falling within the scope of the GDPR is where a controller or processor processes personal data "in the context of the activities of an establishment . . . in the Union." The EDPB recommends a threefold approach to determining whether an organization is subject to the GDPR under Article 3(1):

Consideration 1: "An establishment in the Union"

Consideration 2: Processing of personal data carried out "in the context of the activities of" an establishment

Consideration 3: Application of the GDPR to the establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union or not.

Each of these considerations is addressed in further detail below.

Consideration 1: "An establishment in the Union"

The Guidelines point out that although the GDPR does not expressly define the term "establishment" for the purpose of Article 3, Recital 22 states that an "[e]stablishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect."

The Guidelines explain that when determining whether an "establishment" exists, "both the degree of stability of the arrangements and the effective exercise of activities in that Member State must be...
