European Regulator Issues Draft Guidelines on Territorial Scope of GDPR

November 26, 2018Alerts

Does the EU General Data Protection Regulation (GDPR) apply to me? This is a question with which many U.S.-based companies have been grappling since the GDPR took effect on May 25. Six months later, the European Data Protection Board (EDPB) has issued, for public comment, guidelines on the territorial scope of GDPR.

Below is a breakdown of the major questions and takeaways for US-based companies and multinationals:

1. Do you have an 'establishment in the Union'?

  • You could be deemed to have an establishment in the Union (and subject to GDPR) even if you do not have a branch or subsidiary in an EU member state.
  • Any real and effective activity, even a minimal one, could satisfy the notion of establishment for the purpose of Article 3(1) jurisdiction, even, in some cases, the presence of a single employee.
  • Just having a website accessible from Europe is not enough.

2. (If you have an EU establishment) Is your data processing carried out 'in the context of its activities'?

  • GDPR will apply to your data processing if there is an inextricable link between the activities of an EU establishment and the processing of data carried out by you (a non-EU entity).
  • As non-EU controller, you will not become subject to GDPR simply because you chose to use a processor (a service provider carrying out the data controller's instructions) in the Union.
  • If you are a controller subject to GDPR and you choose to use a processor located outside the Union and not subject to the GDPR, you will need to ensure by contract that the processor processes your data in accordance with the GDPR.

3. If you do not have an establishment in the EU  ̶  do you offer products or services to individuals in the EU? (Art 3(2))?

a) “In the EU" means physically located in the EU at the time of the offering of goods or services (or the monitoring of behavior, see below). Not citizenship. Not residence.
b) Does the processing relate to (1) the offering of goods or services or (2) to the monitoring of data subjects’ behavior in the Union

(1) Do you offer Goods or Services?

  • In order to fall in scope, you need to manifest your intention to establish commercial relations with consumers in the EU. For this, the EDPB uses the concept of “directing an activity” to the EU market, developed in case law by the Court of Justice of the EU (CJEU) with respect to jurisdictional matters. Payment for the services, however, is not required.
  • Some non-exhaustive factors, taken possibly in combination with one another, include:
    • marketing and advertisement campaigns directed at an EU country audience
    • mentioning dedicated addresses or phone numbers to be reached from an EU country
    • using an EU or member state top-level domain name
    • mentioning customers domiciled in various EU member states, including client testimonials
    • using an EU language or a currency
    • offering the delivery of goods in EU member states.


(2) Do you monitor behavior of individuals in the EU?

  • Monitoring can be done both on the internet and through other types of networks or technology involving personal data processing, for example through wearable and other smart devices.
  • Monitoring activities include:
    • behavioral advertising
    • geo-localization activities, in particular for marketing purposes
    • online tracking through the use of cookies or other tracking techniques such as fingerprinting
    • personalized diet and health analytics services online
    • CCTV
    • market surveys and other behavioral studies based on individual profiles
    • monitoring or regular reporting on an individual’s health status


4. Do you need to appoint a representative in the Union?

If you are a non-EU controller or processor that is subject to GDPR, you are required to appoint a representative in the Union, unless an exception applies. Local representatives may be held liable for the non-EU entity’s breaches and may be subject to administrative fines and penalties.

If you are not a public authority, you would be obligated to appoint a representative unless your processing is “occasional” and “does not include, on a large scale, processing of special categories of data....or processing of personal data relating to criminal convictions and offences...”, and such processing “is unlikely to result in a risk to the rights and freedoms of natural persons." The EDPB does not elaborate on these and refers to criteria listed in the WP29 guidance on DPOs for the definition of "large scale processing" (e.g. factors like the number of data subjects concerned; the volume of data and/or the range of different data items being processed; the duration, or permanence, of the data processing activity; the geographical extent of the processing activity.

The appointed representative should be established in one of the member states where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behavior is monitored, are located.

To speak about whether GDPR applies to you and what are the next top steps you should take on your road to GDPR compliance, please contact Odia Kagan, Partner, Chair of GDPR Compliance and International Privacy, [email protected]; 215-444-7313.