EDPB Publishes Guidelines On Territorial Scope For Public Consultation

King & Spalding

On November 16, 2018, the European Data Protection Board (“EDPB”), the successor under the General Data Protection Regulation (“GDPR”) to the Art. 29 Data Protection Working Group, released its long-awaited Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) (“Guidelines”) for public consultation. While not final, the Guidelines already address several pressing issues regarding the GDPR’s (extra)territorial application. This article summarizes the EDPB’s advice on some of the questions about these issues that have been asked most frequently since the GDPR entered into force on May 25, 2018.

The GDPR’s territorial scope is stipulated in Article 3 of the GDPR. The first paragraph of the provision addresses the GDPR’s application to companies established in the European Union (“EU Controller” or “EU Processor”), and the second paragraph addresses the GDPR’s extraterritorial application to companies not established in the EU (“Foreign Controller” or “Foreign Processor”). Whilst the wording of the provision initially appears to be straightforward—GDPR applies either if data are processed through an establishment in the EU or if a Foreign Controller or Processor targets or tracks data subjects in the EU—the application of this provision has caused companies across all industries a headache in day-to-day practice.

The following three issues seem to be amongst those which arise most frequently in practice:

  1. EU Controllers wonder whether the personal data of data subjects living outside the EU must be processed in accordance with GDPR principles.  For example, must a European based reinsurance company inform Chinese policy holders about the processing of their data under a reinsurance contract with the Chinese insurer pursuant to Article 14 (information to be provided where personal data have not been obtained from the data subject)?
  2. As the first sentence of Article 3(1) refers to the processing of personal data “in the context of the activities of an establishment of a controller or a processor in the Union,” it was unclear whether GDPR may apply to Foreign Controllers just because they retain an EU Processor.  Some sources argued that an EU-based vendor “taints” the foreign processing activities of a Foreign Controller and makes them subject to GDPR.
  3. Foreign Controllers in different industries, including financial institutions, hotels or hospitals, have been challenged by the question of whether they have to comply with GDPR when dealing with EU citizens, e.g., when accepting European investors, guests or patients in their respective home countries.

In practice, there has been a high level of uncertainty about how to deal with these issues. Now, the EDPB’s Guidelines provide some answers to these questions.

On the first question as to whether non-EU citizens may benefit from the protections of GDPR, the EDPB notes that “the text of Article 3(1) does not restrict the application to the processing of personal data of individuals who are in the Union.” It concluded, therefore, that GDPR applies to EU Controllers and Processors “regardless of the location or the nationality of the data subject whose personal data are being processed.” This means that the duties under GDPR to provide information about processing—as well as all other GDPR provisions—are likely to apply to data subjects in foreign countries, subject to the specific derogations in Article 14(5), for example where providing such information would involve a disproportionate effort, or where the data must be kept confidential under a secrecy obligation derived from EU or member state law.

Regarding the second issue as to whether retaining an EU Processor may bring Foreign Controllers within the GDPR’s reach, the EDPB has voiced its strong opinion that the retention of an EU Processor does not automatically subject the Foreign Controller to GDPR. The EDPB stressed that a Foreign Controller “will not become subject to the GDPR simply because it chooses to use a processor in the Union.” In this scenario, only the EU Processor must comply with the GDPR requirements imposed on it directly, for example in Article 28, which deals with the obligations of vendors who process personal data on behalf of a Data Controller. The EDPB provided a full list of directly applicable provisions in the Guidelines (see page 11 of the Guidelines).

As to the third issue about whether Foreign Controllers have to comply with the GDPR when dealing with EU citizens, the EDPB clarified that this section is limited to the processing of data of individuals who are “in the Union.” Therefore, the processing of personal data of EU citizens or residents that takes place in a third country does not trigger the application of the GDPR as long as the Foreign Controllers or Processors do not specifically “target” or “track” individuals in the EU pursuant to Article 3(2)(a) or (b). U.S. funds, hotels or hospitals that are available to investors, guests or patients from the EU, but do not specifically target or track them, therefore do not fall under GDPR.

The Guidelines also provide further helpful rules for assessing the threshold definition of an “establishment” of a controller or processor and when the rules around “targeting” or “tracking” of data subjects in the EU apply. The EDPB also clarified that, once GDPR applies, there can be no cherry-picking of the respective rights and obligations, but that “all provisions of the Regulation apply to such processing,” including, as the case may be, the appointment of a Data Protection Officer (“DPO”) pursuant to Article 37, or, in the case of extraterritorial application, the designation of a representative in the EU pursuant to Article 27.

Whilst the EDPB confirmed that the function of a representative can be exercised by a wide range of commercial and non-commercial entities on the basis of a service contract, including law firms or consultancies, it has also confirmed its view that the function of a representative in the Union is incompatible with the role of an external DPO. In the EDPB’s view, the two roles have different requirements: whereas the representative acts under the direct instruction of management, the DPO has to fulfill its role with a sufficient degree of autonomy and independence. Therefore, Foreign Controllers or Processors subject to these provisions may be required to appoint two (external) service providers in the EU to comply with GDPR requirements.
