European Data Protection Board Issues Final Guidelines on Extraterritorial Application of GDPR
November 14, 2019 – Alerts
The European Data Protection Board has issued long-awaited final guidelines for the extraterritorial application of the General Data Protection Regulation (GDPR).
(1) GDPR can apply extraterritorially to some streams of data processing and not others, and not to the entire entity.
(2) GDPR applies to many non-European Union (EU) data processors, including cloud storage providers, in respect of the data processing activities captured by the GDPR. This means non-EU data processors will need to ensure compliance with the GDPR data processor obligations that are not subsumed in the Article 28 data processing addenda, including:
- Article 27 representative in the Union
- Article 30 record of processing activities
Key changes in more detail:
GDPR Can Apply to a Specific Process, Not to an Entire Entity
- Article 3 determines whether a particular processing activity, rather than a person (legal or natural), falls within the scope of the GDPR. Consequently, certain processing of personal data by a controller or processor might fall within the scope of the Regulation, while other processing of personal data by that same controller or processor might not.
- When a non-EU entity has an employee based in the EU but the processing is not being carried out in the context of the activities of the EU-based employee in the Union (i.e. the processing relates to activities of the controller outside the EU), the mere presence of an employee in the EU will not result in that processing falling within the scope of GDPR.
- A processing activity which, when carried out by a controller, falls within the scope of the GDPR by virtue of Article 3(1) will not fall outside the scope of the Regulation simply because the controller instructs a processor not established in the Union to carry out that processing on its behalf.
Targeting the EU
- Concerning processing activities related to the offer of services, the provision is aimed at activities that intentionally, rather than inadvertently or incidentally, target individuals in the EU. Consequently, if the processing relates to a service that is only offered to individuals outside the EU but the service is not withdrawn when such individuals enter the EU, the related processing will not be subject to the GDPR.
- Processing a data subject’s location data in order to offer targeted advertisements on the basis of their location relates to the monitoring of behavior of individuals in the Union and falls within the scope of the GDPR as per Article 3(2)(b).
- Scenario: a U.S. company, without any establishment in the EU, processes personal data of its employees who were on a temporary business trip to EU member states for human resources purposes, in particular to proceed with the reimbursement of their accommodation expenses and the payment of their daily allowance. This processing activity is necessary for the employer to fulfill its contractual obligation and human resources duties related to the individuals' employment and does not relate to an offer of service. It is therefore not subject to the provisions of the GDPR as per Article 3(2)(a).
Processors Outside the EU
- When it comes to a data processor not established in the Union, in order to determine whether its processing may be subject to the GDPR as per Article 3(2), it is necessary to look at whether its processing activities “are related” to the targeting activities of the controller.
- Where processing activities by a controller relate to the offering of goods or services or to the monitoring of individuals’ behavior in the Union ("targeting"), any processor instructed to carry out that processing activity on behalf of the controller will fall within the scope of the GDPR by virtue of Article 3(2) in respect of that processing. This includes a cloud storage provider for a company that is targeting individuals in the EU under Article 3(2).
- The focus should be on the connection between the processing activities carried out by the processor and the targeting activity undertaken by a data controller.
- The EDPB will also further assess the interplay between the application of the territorial scope of the GDPR as per Article 3 and the provisions on international data transfers as per Chapter V. Additional guidance may be issued in this regard, should this be necessary.
- Controllers or processors not established in the EU will be required to comply with their own country's national laws in relation to the processing of personal data. However, where such processing relates to the targeting of individuals in the Union as per Article 3(2) the controller will, in addition to being subject to its country’s national law, be required to comply with the GDPR.
- When several processing activities of a controller or processor fall within the scope of Article 3(2) GDPR (and none of the exceptions of Article 27(2) GDPR apply), that controller or processor is not expected to designate several representatives for each separate processing activity falling within the scope of Article 3(2).
- A local representative cannot serve as the same company's Data Protection Officer (DPO).
- Occasional: a processing activity can only be considered “occasional” if it is not carried out regularly and occurs outside the regular course of business or activity of the controller or processor.
- The exemption from the designation obligation as per Article 27 refers to processing “unlikely to result in a risk to the rights and freedoms of natural persons,” thus not limiting the exemption to processing unlikely to result in a high risk to the rights and freedoms of data subjects. In line with Recital 75, when assessing the risk to the rights and freedoms of data subjects, consideration should be given to both the likelihood and severity of the risk.
- For Clinical Trials: The representative of the sponsor in the Union could be the legal representative of the sponsor in the Union, as per Article 74 of Regulation (EU) 536/2014 on clinical trials, provided that it does not act as a data processor on behalf of the clinical trial sponsor, that it is established in one of the member states from which data is processed and that both functions are governed by and exercised in compliance with each legal framework.
- Article 30 Records of Processing Activities: The obligation to maintain Article 30 records of processing activities is a joint obligation imposed on both the controller or processor and the representative. The controller or processor not established in the Union is responsible for the primary content and update of the record and must simultaneously provide its representative with all accurate and updated information so that the record can also be kept and made available by the representative at all times. At the same time, it is the representative's responsibility to provide it in line with Article 27, e.g. when being addressed by a supervisory authority according to Article 27(4).
- Communication between the Article 27 representative and the data protection authorities should, in principle, take place in the language or languages used by the supervisory authorities and the data subjects concerned. If this results in a disproportionate effort, other means and techniques shall be used by the representative in order to ensure effective communication.
- Data Protection Authorities may address corrective measures or administrative fines and penalties imposed on the non-EU controller or processor to the Article 27 representative in accordance with Articles 58(2) and 83 of the GDPR. The ability to hold a representative directly liable is, however, limited to its direct obligations referred to in Articles 30 and 58(1)(a) of the GDPR.
- The EDPB highlights that Article 50 of the GDPR notably aims at facilitating the enforcement of legislation in relation to third countries and international organizations, and that the development of further international cooperation mechanisms in this regard is currently being considered.
Odia Kagan is a partner at Fox Rothschild and chair of the firm’s GDPR Compliance and International Privacy Practice. For assistance with the full range of GDPR compliance issues contact Odia at [email protected] or 215.444.7313.