With the publication of the Guidelines concerning the interpretation of Article 3 of EU Regulation no. 679/2016 (GDPR), the European Data Protection Board (EDPB) provided some clarifications on the territorial scope of the GDPR. Article 3 GDPR, in fact, provides for three different criteria for the application of the European privacy law: 1) the existence of an “establishment” in the EU; 2) the “targeting” criterion; 3) the applicability of a provision of public international law.

Under the establishment criterion, the GDPR applies to any processing of personal data, whether carried out by a data controller or a data processor – regardless of where the processing takes place and regardless of where the data controller and/or data processor’s offices are registered (which could therefore be outside the EU) – when such processing takes place “in the context of the activities of an establishment” located in the European Union. In this regard, any subject (natural or legal person, main office or branch, etc.) carrying out any real and effective activity – even a minimal one – within EU territory through a stable arrangement is considered an “establishment”. Further, in order to verify whether the processing is carried out “in the context of the activities” of the establishment, the amount of revenues obtained through the latter and the kind of relationship existing between the establishment and the data controller/processors located outside the EU can be considered as significant indicators. On this last point, in fact, the EDPB clarified that even if the local establishment is not actually taking any role in the data processing, carried out by the data controller/processors located outside the EU, the latter could nevertheless be inextricably linked to the activities of the establishment, and thereby may trigger the applicability of EU law[1].

As for the “targeting” criterion, focused on the geographical location of the data subjects, Article 3(2) provides that the GDPR applies to the processing of personal data concerning subjects physically located in the EU. On the contrary, the place where the data controller/processors are based has no relevance (in fact, they could also be located outside the EU). Under such conditions, the GDPR applies “where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union”. The provision therefore merely requires that the data subjects are in the EU (European citizenship is instead not necessary) and the existence of this condition must be assessed at the moment when the relevant trigger activity takes place.

In order to assess whether an offer of goods or services is carried out, it is necessary to determine whether the data controller/processors have manifested their intention to establish commercial relations with the customers located in the EU. On this matter, the EDPB provides the following criteria: the designation of the EU or at least one Member State with reference to the goods or services offered; the use of a referencing service in order to facilitate access to its site by consumers in the Union; marketing and advertising campaigns directed at an EU country audience; the international nature of the activity at issue (such as tourist activities); the mention of dedicated addresses or phone numbers to be reached from an EU country; domain names other than that of the third country in which the controller or processor is established (e.g. .it or .eu); the description of travel instructions from one or more other EU Member States to the place where the service is provided; the mention of an international clientele composed of customers domiciled in various EU Member States; the use of a language or a currency other than that generally used in the trader’s country; the delivery of goods in EU Member States.

As for monitoring, the relevant indicators could instead be: behavioural advertising; geo-localisation activities (especially for marketing purposes); online tracking through cookies/fingerprinting/other means; personalised diet and health analytics services online; CCTV; market surveys and other behavioural studies based on individual profiles.

Thirdly, under Article 3(3), the GDPR applies to the processing of personal data carried out in a place where Member State law applies by virtue of public international law (e.g. EU Member States’ consulates and embassies located outside the EU), regardless of where the data controller and/or processors have their registered offices. However, it must be recalled that in any case, the GDPR does not affect the application of the international conventions in force and the privileges and immunities provided for by the same.

Last but not least, these Guidelines provide some clarifications on the appointment of EU representatives by data controllers/processors based outside the EU, aimed at facilitating communications with the data subjects and national data protection authorities. On this matter, the EDPB first recalls that the designation of an EU representative is not mandatory when the processing a) is occasional and does not include, on a large scale, processing of special categories of data or personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons; or b) is carried out by a public authority or body. Apart from these cases, the designation of a representative in the EU (if possible, in the Member State where the greatest amount of data is processed) is mandatory, and the related identity and contact details must be indicated in the privacy policy. The EU representative must keep a register of the activities carried out in the EU and is responsible for the relevant processing, within the limits set out in Articles 30 and 58(1) of the GDPR.

[1] According to the example mentioned by the Guidelines “This may potentially be the case, for example, for any foreign operator with a sales office or some other presence in the EU, even if that office has no role in the actual data processing, in particular where the processing takes place in the context of the sales activity in the EU and the activities of the establishment are aimed at the inhabitants of the Member States in which the establishment is located”.