By Jennifer Ruehr and Susan Lyon-Hintze
Non-EU organizations that process personal data as data controllers or processors frequently ask whether they are subject to the General Data Protection Regulation (“GDPR”). The answer depends in part on the “territorial scope” provisions in Article 3 of the GDPR. Organizations fall under the territorial scope of the GDPR when they meet one of two main criteria: the “establishment” criterion under Article 3(1) or the “targeting” criterion under Article 3(2).
On November 16, 2018, the European Data Protection Board (“EDPB”) released “Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)-Version for public consultation.” These guidelines provide interpretation and clarification of the Article 3 criteria that can help organizations understand and evaluate how the GDPR applies to their data processing.
As part of determining if its activities fall under the GDPR’s territorial scope, an organization must ascertain whether personal data is processed “in the context of the activities of an establishment of a controller or processor in the Union” under Article 3(1). The EDPB notes that processing may be in the context of an establishment’s activities whether the processing takes place in the EU or not. Article 3(1) may apply to either controllers or processors having an establishment in the EU and each should be considered separately.
Establishment through “Stable Arrangements”
GDPR’s Recital 22 states that “establishment implies the effective and real exercise of activities through stable arrangements.” The EDPB guidance explains that a “stable arrangements” determination is contextual. The arrangement and activities must be “considered in light of the specific nature of the economic activities and provision of services concerned.” And, that the threshold for “stable arrangement” can be “quite low when the centre of activities of a controller concerns the provision of services online” although it clarifies that maintaining a website accessible in the Union is not on its own enough to create a stable arrangement. For example, the EDPB describes a U.S headquartered company with a branch office in the EU that oversees all the company’s European operations, including marketing and sales, as a “stable arrangement.” The EDPB also states, “….in some circumstances, the presence of one single employee or agent of the non-EU entity may be sufficient to constitute a stable arrangement if that employee or agent acts with a sufficient degree of stability.”
Establishment through “Inextricably Linked Activities”
The EDPB also clarifies that an organization located outside the EU and processing personal data outside the EU may still be subject to the GDPR through a relationship with a local establishment in the EU, even if the local establishment does not participate in any data processing. So long as the local establishment in the EU and the data processing of a data controller or processor outside the EU are “inextricably linked,” the non-EU entity may be considered established in the EU.
As an example of what may be considered “inextricably linked,” the EDPB describes sales and marketing activities of a local establishment aimed at an EU market tied to data processing by a related establishment outside the EU.
The EDPB also clarifies that if a related establishment in the EU processes personal data of any data subject, regardless of the location or nationality of the data subject, the processing will be subject to the GDPR.
Hiring of EU Vendors by Non-EU Organizations
If a non-EU organization that is not itself an “establishment” (or “targeting” EU data subjects under Article 3(2) as summarized below) employs processors established in the EU, that organization does not subject itself to the territorial scope of the GDPR by merely hiring a vendor with an establishment in the EU.
According to the EDPB, that EU-established processor will be within the GDPR’s territorial scope under Article 3(1) with respect to its activities as a processor. Thus, the non-EU organization hiring the vendor must consider the vendor’s obligations as a processor to comply with the GDPR requirements applicable to processors, including certain Article 28 contract requirements, and whether those obligations align with its business objectives. While an EU-established processor is required to act under a contract that meets the requirements of Article 28, the processor need not agree to assist with the controller’s GDPR obligations where no such GDPR obligations exist for the controller.
A non-EU-established controller should also consider that an EU-established processor must abide by applicable GDPR provisions when processing personal data of any data subject regardless of where the data subjects reside or are located. For example, if a U.S. controller hires an EU-established processor to process data of U.S. data subjects, the EU-established processor will be required to comply with the GDPR with respect to that processing.
An organization not established in the EU under Article 3(1), may still be subject to the GDPR if it is targeting EU data subjects under Article 3(2). The territorial scope of the GDPR also applies to controllers or processors “not established in the Union, where the processing activities are related to (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
Data Subjects in the Union
The territorial scope provisions of Article 3(2) are more narrowly scoped than in Article 3(1). Article 3(1) applies to personal data processing relating to any natural person regardless of their nationality or place of residence if the organization meets the establishment criteria. The scope of Article 3(2) is limited to “data subjects in the Union.” The EDPB explains that determining whether an individual is a “data subject in the Union” “must be assessed at the moment when the relevant trigger activity takes place, i.e. at the moment of offering goods or services or the moment when the behavior is being monitored…” As an example, if an organization not established in the EU offers a good or service that collects the approximate or precise location of individuals in order to target services to data subjects located in the EU, the organization would be subject to the GDPR.
Offering of Goods or Services
The EDPB details when an organization offers a good or service triggering application of Article 3(2). Offering services includes an information society service, which the EDPB defines by reference to the definition from the now-replaced 1995 EU Data Protection Directive: “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.” The EDPB also clarifies that organizations may trigger Article 3(2) regardless of whether goods or services offered are paid for or not. Citing Recital 23 of the GDPR, EDPB explains that to determine whether goods or services are directed to individuals in the Union, “it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.”
The EDBP considers both the language of the GDPR and prior CJEU holdings to articulate several factors to consider when determining whether an organization is directing goods or services to data subjects in the Union. For example, the ability to access a controller or processor’s website or contact information from within the Union or the use of a particular language, are not sufficient on their own to constitute targeting. Additional factors to consider are whether an organization:
uses a language generally used in one or more Member States;
pays a search engine to facilitate access to its site by EU consumers;
enables goods or services to be ordered in an EU currency;
conducts marketing and advertisement campaigns aimed at an EU audience;
engages in activity of an international nature, such as certain tourist activities;
mentions dedicated addresses or phone numbers reachable from an EU country;
uses top-level domain names associated with the EU such as “.de”, or “.eu”;
mentions international customers domiciled in the EU, such as reviews or endorsements written by such customers.
The EDPB notes that some of these factors by themselves, such as using an EU language on a website, may not constitute targeting, but in combination with others could lead to a conclusion of targeting.
The EDPB also clarifies that human resources management does not constitute an offer of goods or services under Article 3(2)(a) (although the presence of EU employees could be an establishment under Article 3(1)).
Monitoring Data Subject’s Behavior
If the non-EU organization is neither established in the EU, under Article 3(1), nor offering goods or services directed to data subjects in the Union under Article 3(2)(a), it may still be subject to the GDPR under Article 3(2)(b) if its processing activities are related to the monitoring of a data subject’s behavior. The EDPB explains that to trigger the GDPR, “the behavior monitored must first relate to a data subject in the Union” and the “monitored behaviour must take place within the territory of the Union. For example, if a non-EU controller develops an application or service that monitors the movements of data subjects in the EU to improve traffic patterns in a certain area, the non-EU controller is subject to the GDPR.
The EDPB also describes those factors that would be considered to determine what constitutes monitoring activities. When analyzing the processing activity to determine if it isa monitoring activity, the EDPB states that “it will be necessary to consider the controller’s purpose for processing the data, and in particular, any subsequent behavioural analysis or profiling techniques involving data.” And, the EDPB clarifies that it does not “consider that any online collection or analysis of personal data of individuals” is monitoring by default. Monitoring “implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behaviour within the EU.”
The EDPB cites as an example behavioral monitoring as described in Recital 24 of the GDPR which involves tracking natural persons on the internet including: “a potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analyzing or predicting his or her personal preferences, behaviors, and attitudes.”
The EDPB provides other concrete examples of activities that could be monitoring activities subjecting a non-EU organization to the GDPR under Article 3(2)(b) including:
Geo-localization activities, in particular for marketing purposes;
Market surveys and other behavioral studies based on individual profiles
Personalized diet and health analytics services online
Use of CCTV
Non-EU organizations must consider a number of factors to determine whether they are subject to the GDPR’s territorial scope. They must consider whether they have met the criterion through an “establishment” in the EU or by offering goods or services or monitoring behavior of data subjects in the EU.
Non-EU organizations, especially those that wish to avoid application of the GDPR, will benefit from analyzing how, where, and for what purpose they collect, use, transfer, and store personal data as well as how they have set up the location and data processing related activities of their establishments and related entities in light of the EDPB guidance. For example, a company that conducts online tracking through third parties might consider whether those third parties use data for profiling and whether they implement geo-blocking of EU territories. This analysis can help an organization understand their obligations under the GDPR and be the basis for strategies around processing and activity changes that could help minimize the territorial scope of the GDPR to certain data processing.
The EDPB is accepting comments on these Guidelines through 18 January 2019.
 Under Article 3(3) the GDPR may also apply where Member State law applies by virtue of public international law.