10 January 2020
What do you need to know?
Why should you care?
What should you do now?
On 12 November 2019 the European Data Protection Board (EDPB) adopted its final guidelines on the territorial scope of the EU General Data Protection Regulation (2016/679) (GDPR).
The EDPB is an independent EU body which aims to ensure the GDPR's consistent application in the European Union. In particular, the EDPB can adopt general guidance (including guidelines, recommendations and best practice) to clarify the terms of EU data protection laws and provide a consistent interpretation of rights and obligations thereunder.
From a territorial perspective, the GDPR can apply to data controllers and processors both inside and outside the European Union.
Article 3 of the GDPR uses two key criteria to determine territorial scope: the 'establishment' criterion and the 'targeting' criterion. In a nutshell, either a data controller or processor is established in the European Union or they are established outside the European Union but target the EU market.
Establishment of controller or processor / Triggering processing activity

Established in the European Union:
- The processing of personal data in the context of the activities of that establishment (regardless of whether the processing itself takes place in the European Union).

Not established in the European Union:
- The processing of the personal data of data subjects in the European Union where the processing activities relate to the offering of goods or services to such data subjects in the European Union; or
- The processing of the personal data of data subjects in the European Union where the processing activities relate to the monitoring of their behaviour, as far as that behaviour takes place in the European Union.
A controller or processor is considered to be 'established' in the European Union if it exercises effective and real activities through stable arrangements in the European Union.
The processing of personal data is carried out in the 'context of an establishment's activities' if the activity for which the data is being processed is inextricably linked to the establishment's activities in the European Union, regardless of whether the data processing takes place in the European Union.
The term 'data subjects in the European Union' means any data subjects located in the European Union at the time the triggering processing activity (eg, the offering of goods or services or the monitoring of behaviour) is carried out. This applies regardless of the data subject's nationality or place of residence.
A data controller or processor is considered to be offering goods or services to data subjects in the European Union if they envisage establishing commercial relations with data subjects in one or more EU member states. In particular, the following factors should be taken into account:
Binding or non-binding?
In principle, the EDPB's guidelines are not binding for companies. Nevertheless, they play an important role in the interpretation of the GDPR by the courts and data protection authorities.
Consequences of non-compliance?
If the GDPR is applied against the expectations of a company, it is unlikely that the company has taken measures to comply with it. In such cases, data protection authorities may impose fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher, under Articles 83 and 84 of the GDPR. Further, data subjects may claim compensation under Article 82 of the GDPR. From an EU perspective, it is unclear whether competitors can send cease and desist letters. Companies may also face indirect costs such as reputational damage and management time.
GDPR enforcement levels have been low thus far. However, enforcement is expected to increase in the long term. As the EDPB states in its guidelines, Article 3 of the GDPR reflects the legislature's aim to ensure the comprehensive protection of the rights of data subjects in the European Union and to establish a level playing field for companies acting on the EU market.
There appear to be no reported enforcement examples against non-compliant companies on territorial-scope grounds since the GDPR entered into force.
It is vital that data controllers and processors, especially those targeting the EU market, undertake a careful assessment of their processing activities to determine whether the related processing of personal data falls within the GDPR's territorial scope. The following questions can provide guidance on the next steps:
For further information on this topic please contact Constantin Herfurth at Eversheds Sutherland (Germany) LLP by telephone (+49 89 54565 295) or email (firstname.lastname@example.org). The Eversheds Sutherland (Germany) LLP website can be accessed at www.eversheds-sutherland.com.