Territorial scope of EU data protection law
The territorial scope of EU data protection law is determined by Article 3 of the GDPR and by CJEU case law.
Article 3 of GDPR defines territorial scope as follows:
“(1) This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
(2) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
(3) This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.”
The two main criteria to establish territorial scope under EU data protection law are the “establishment” criterion and the “targeting” criterion.
In addition, GDPR applies to personal data processing carried out by EU Member States’ embassies and consulates. A Member State’s diplomatic or consular post, as a data controller or processor, would then be subject to all relevant provisions of the GDPR, including when it comes to the rights of the data subject, the general obligations related to controller and processor and the transfers of personal data to third countries or international organizations.
In summary, there are four reasons why processing might fall within the scope of the GDPR:
- the controller or processor is established in the EU
- the controller or processor offers goods or services to data subjects in the EU
- the controller or processor monitors the behavior of people in the EU
- the controller is established in a place where EU law applies by virtue of public international law
Establishment in the EU
If an entity is subject to the GDPR under the establishment criterion, neither the location of the processing nor the location of the data subject is a relevant factor. The only two considerations are:
- The existence of an establishment in the EU
- The existence of processing in the context of the activities of such establishment
An establishment exists where there is real and effective activity exercised through stable arrangements. A non-EU entity without a branch or subsidiary in a Member State may still have an establishment there where the entity acts in that Member State in a “real and effective” manner. The degree of stability of the arrangements and the effective exercise of activities must be considered in the light of the specific nature of the economic activities and the provision of services concerned.
GDPR does not provide a definition of ‘establishment’, but Recital 22 clarifies that an “[e]stablishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.” This wording is identical to that found in Recital 19 of Directive 95/46/EC, to which reference has been made in several CJEU rulings.
Relevant CJEU case law includes:
- Google Spain SL v. AEPD (the DPA) & Mario Costeja González (Google Spain, a 2014 case): An ‘establishment’ exists where an organization engages in the effective and real exercise of activity through stable arrangements in an EU Member State. It is not required that the processing be carried out by the establishment itself. Processing of personal data by the non-established controller suffices if it is “carried out in the context of the activities” of the establishment. In this case, the activities of the search engine and those of its establishment in the Member State are inextricably linked, since the activities relating to the advertising space constitute the means of rendering the search engine economically profitable and that engine is the means enabling those activities to be performed.
- Weltimmo s.r.o. v. Nemzeti Adatvédelmi és Információszabadság Hatóság (Weltimmo, a 2015 case): The concept of establishment must be interpreted broadly. The legal form of the establishment (e.g. branch, subsidiary, etc.) is not the determining factor. The formalist approach whereby organizations are considered to be established solely in the place in which they are registered is not the correct approach. There is a three-pronged test: (i) Is there an exercise of real and effective activity, even a minimal one? (ii) Is the activity exercised through stable arrangements? and (iii) Is personal data processed in the context of that activity?
- Google LLC v. Commission Nationale de l’Informatique et des Libertés (CNIL) (Google de-linking, a 2019 case): The case falls within the territorial scope of GDPR because “it is apparent from the information provided in the order for reference, first, that Google’s establishment in French territory carries on, inter alia, commercial and advertising activities, which are inextricably linked to the processing of personal data carried out for the purposes of operating the search engine concerned, and, second, that that search engine must, in view of, inter alia, the existence of gateways between its various national versions, be regarded as carrying out a single act of personal data processing.”
- Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH (Facebook Fan Pages, a 2018 case): Facebook Germany is responsible for promoting and selling advertising space and carries on activities addressed to persons residing in Germany. Given that a social network such as Facebook generates a substantial part of its income from advertisements posted on the web pages set up and accessed by users, and given that Facebook’s establishment in Germany is intended to ensure the promotion and sale in Germany of advertising space that makes Facebook’s services profitable, the activities of that establishment must be regarded as inextricably linked to the processing of personal data at issue in the main proceedings. Consequently, such processing must be regarded as being carried out in the context of the activities of an establishment of the controller.
Controllers and processors are subject to obligations under the GDPR whenever the processing is carried out “in the context of the activities” of their relevant establishments, whether or not it is carried out “by” the relevant establishment. Whether a processing operation is carried out “in the context of the activities” of an establishment is determined case by case, taking into account the specific facts and in light of the relevant case law.
Official guidelines, from the European Data Protection Board, say that the test for “stable arrangements” is also broad:
“The threshold for “stable arrangement” can actually be quite low when the centre of activities of a controller concerns the provision of services online. As a result, in some circumstances, the presence of one single employee or agent of a non-EU entity in the Union may be sufficient to constitute a stable arrangement … if that employee or agent acts with a sufficient degree of stability.”
Non-EU based organizations processing personal data must identify the potential links between the activity for which the data is being processed and the activities of any ‘establishment’ of the organization in the Union and consider the nature of these links. Factors to consider include:
- Relationship between a data controller or processor outside the Union and the local establishment in the EU.
- Revenue raising in the EU.
Although geographical location is relevant with regard to the place of establishment, it is not a relevant factor in regard to the processing activities themselves. Any personal data processing in the context of the activities of an establishment of a controller or processor in the Union falls under the scope of the GDPR regardless of the location or the nationality of the data subject whose personal data are being processed.
Controllers and processors established in the EU must be considered separately, because different and dedicated provisions and obligations apply to each. A processor established in the Union is required to comply with the GDPR ‘processor obligations’ even if the controller is not subject to the GDPR. Where a processor is processing data on behalf of a non-established controller, the controller’s processing may or may not be subject to the GDPR itself, but if the processor is established in the Union and the processing takes place in the context of its establishment, the processor must comply with its GDPR obligations. This does not cause the non-EU controller to become subject to controller obligations. The relevant GDPR provisions to which the processor would be subject are:
- The obligations imposed on processors under Article 28 (2), (3), (4), (5) and (6), on the duty to enter into a data processing agreement, with the exception of those relating to the assistance to the data controller in complying with its (the controller’s) own obligations under the GDPR.
- The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law, as per Article 29 and Article 32(4).
- Where applicable, the processor shall maintain a record of all categories of processing carried out on behalf of a controller, as per Article 30(2).
- Where applicable, the processor shall, upon request, cooperate with the supervisory authority in the performance of its tasks, as per Article 31.
- The processor shall implement technical and organizational measures to ensure a level of security appropriate to the risk, as per Article 32.
- The processor shall notify the controller without undue delay after becoming aware of a personal data breach, as per Article 33.
- Where applicable, the processor shall designate a data protection officer as per Articles 37 and 38.
- The provisions on transfers of personal data to third countries or international organizations, as per Chapter V.
Offering goods and services or monitoring activities in the EU
Controllers or processors not established in the EU may be subject to EU data protection law under the “targeting criterion”, which is met where:
- The data subjects are ‘located in the Union’
- The processing activities involve the offering of goods or services, or the monitoring of behaviour
The “processing activities” are to be considered on a case-by-case basis. Controllers and processors falling within the territorial scope of EU data protection law under the ‘targeting criterion’ are required to designate a representative in the Union under Article 27, subject to the exceptions in Article 27(2) (occasional, low-risk processing, and public authorities or bodies).
The application of the targeting criterion is not limited by the citizenship, residency or other legal status of the data subject. The requirement that the data subject be located in the Union is assessed at the moment when the relevant trigger activity takes place (i.e. at the moment of offering goods or services, or the moment when the behaviour is being monitored), regardless of the duration of the offer made or the monitoring undertaken.
In regard to offering goods or services, the key question is whether the conduct of the controller or processor demonstrates its intention to offer goods or services to data subjects located in the Union (Recital 23 of the GDPR). Factors to be taken into consideration include:
- The EU or at least one Member State is designated by name with reference to the good or service offered;
- The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union; or the controller or processor has launched marketing and advertising campaigns directed at an EU country audience;
- The international nature of the activity at issue, such as certain tourist activities;
- The mention of dedicated addresses or phone numbers to be reached from an EU country;
- The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”;
- The description of travel instructions from one or more other EU Member States to the place where the service is provided;
- The mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;
- The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member states;
- The data controller offers the delivery of goods in EU Member States.
Whether the activity of a controller or processor not established in the Union is to be considered as an offer of a good or a service is not dependent on whether payment is made in exchange for the goods or services provided.
With regard to the monitoring of data subject behaviour that takes place within the EU:
- The behaviour monitored must relate to a data subject in the Union, and the monitored behaviour must take place within the territory of the Union.
- As opposed to the ‘offering of goods and services’ (Article 3(2)(a) GDPR), there is no express requirement for the tracking to include a degree of intent. However, the EDPB has taken the position that the use of the word “monitoring” implies a specific purpose and that, therefore, not all online collection or analysis of personal data of individuals in the EU automatically counts as “monitoring”.
A broad range of activities can constitute monitoring including:
- Behavioral advertisement
- Geo-localization activities, in particular for marketing purposes
- Personalized diet and health analytic services online
- Market surveys and other behavioral studies based on individual profiles
- Monitoring or regular reporting on an individual’s health status
Applicability by virtue of international law
GDPR also applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
An example would be an embassy or consulate of an EU Member State.
- Baker McKenzie summary (available as a downloadable pdf)
GDPR Art. 3 (Territorial scope) and related recitals:
- Recital 14: GDPR protection applies to natural persons whatever their nationality or residence
- Recital 22: Processing in the context of the activities of an establishment in the Union
- Recital 23: Applicable to controllers or processors not established in the Union if data subjects within the Union are targeted (offering of goods or services)
- Recital 24: Applicable to controllers or processors not established in the Union if the behaviour of data subjects within the Union is monitored
- Recital 25: Applicable to controllers by virtue of public international law