Applicability of the GDPR to SA companies using EU service providers
Many South African companies use services supplied by processors based in the EU, often in Ireland. These companies are non-EU controllers using EU-based processors that have an establishment in the Union, and those processors may in turn use sub-processors located outside the EU. Article 3(1) sets out the ‘subjective territoriality’ (establishment) criterion of the GDPR: the Regulation applies to processing carried out “in the context of the activities of an establishment of a controller or a processor in the Union”, regardless of whether the processing itself takes place in the Union.
If a controller established outside the Union exercises “a real and effective activity – even a minimal one” through “stable arrangements”, regardless of its legal form (e.g. subsidiary, branch, office, agent, employee…), in the territory of a Member State, this controller will be considered to have an establishment (i.e. a business operation) in that Member State and will be subject to obligations under the GDPR whenever the processing is carried out “in the context of the activities” of its EU establishment. It is therefore important to consider whether the processing of personal data takes place “in the context of the activities of” such an EU establishment of a non-EU based controller.
Scenario 1: A tour operator in South Africa offers package deals through its website, available in English, Dutch, German, French and Spanish. The company does not have any office, representation or stable arrangement in the EU.
In this case, in the absence of any representation or stable arrangement of the tour operator within the territory of the Union, no entity linked to this South African controller can qualify as an establishment in the EU within the meaning of the GDPR. The processing in question is therefore not subject to the GDPR under Article 3(1), although it may still be caught by Article 3(2) (offering goods or services to data subjects in the Union), given that the website targets several EU languages.
Scenario 2: A bank in South Africa has customers residing in South Africa who hold German citizenship. The bank is active only in South Africa and its activities are not directed at the EU market. The bank has no representation, stable arrangement or establishment in the EU, so Article 3(1) does not apply; and because its German customers are not in the Union (nationality is irrelevant: Article 3(2) looks at where the data subject is, not at citizenship), the processing of their personal data is not subject to the GDPR.
Scenario 3: A South African pension fund has members who, after retirement, have settled in the EU. Because some members have relocated, the pension fund makes monthly payments into the bank accounts of its EU-resident members. However, the fund's activities are not directed at the EU market and all its clients operate only in South Africa; the payments simply follow members who have moved. The pension fund has no representation, stable arrangement or establishment in the EU, so Article 3(1) does not apply, and Article 3(2) is not triggered either, since paying out an existing South African pension is not an offer of goods or services directed at data subjects in the Union, nor monitoring of their behaviour. Its processing of the personal data of members who reside in the EU is therefore not subject to the GDPR.
Scenario 4: A manufacturer in South Africa has outsourced all personal data processing relating to its South African business operations to a processor in Ireland, which processes the data in the context of an establishment in the Union. The manufacturer does not target persons in the Union through the offering of goods or services, nor does it monitor the behaviour of persons in the Union.
Even though the processing concerns personal data of data subjects who are not in the Union, the processing is carried out in the context of the activities of an establishment of a processor in the Union, and the provisions of the GDPR therefore apply to the processing carried out by the processor, as per Article 3(1). What is not certain at this point is whether the non-EU controller is subject to GDPR controller obligations.
If the activities of a local establishment in a Member State and the data processing activities of a data controller established outside the EU are inextricably linked (e.g. economically or organisationally), this will trigger the applicability of EU law. (Note that EU law will then apply to that processing by the non-EU entity regardless of whether the EU establishment itself plays any role in the processing of the data.)
The EDPB has recommended that non-EU organisations undertake an assessment of their processing activities, first by determining whether personal data are being processed, and secondly by identifying potential links between the activity for which the data is being processed and the activities of any presence of the organisation in the Union. If such a link is identified, the nature of this link will be key in determining whether the GDPR applies to the processing in question, and must be assessed.
Scenario 5: A South African group of companies includes a subsidiary in the EU that operates completely independently in terms of personal data processing and business dynamics (such as advertising), but with overall management and financial supervision from South Africa. In this case the South African group would not come within the scope of the GDPR, because the two operations are not interdependent in a way that relies on the processing of personal data.
When determining the applicability of the GDPR the European Data Protection Board (EDPB) emphasises that it is important to consider the establishment of the controller and processor separately.
The first question is whether the controller itself has an establishment in the Union, and is processing in the context of the activities of that establishment. Assuming the controller is not considered to be processing in the context of its own establishment in the Union, then the controller will not be subject to GDPR controller obligations by virtue of Article 3(1) (although it may still be subject to Article 3(2)). Unless other factors are at play, the processor’s EU establishment will not be considered to be an establishment in respect of the controller.
A separate question then arises of whether the processor is processing in the context of an establishment in the Union. If so, the processor will be subject to GDPR processor obligations. However, this does not cause the non-EU controller to become subject to the GDPR controller obligations. That is to say, a “non-EU” controller will not become subject to the GDPR simply because it chooses to use a processor in the Union.
By instructing a processor in the Union, the controller not subject to GDPR is not carrying out processing “in the context of the activities of the processor in the Union”. The processing is carried out in the context of the controller’s own activities; the processor is merely providing a processing service which is not “inextricably linked” to the activities of the controller. As stated above, in the case of a data processor established in the Union and carrying out processing on behalf of a data controller established outside the Union and not subject to the GDPR as per Article 3(2), the EDPB considers that the processing activities of the data controller would not be deemed as falling under the territorial scope of the GDPR merely because it is processed on its behalf by a processor established in the Union.
However, even though the data controller is not established in the Union and may not be subject to the provisions of the GDPR as per Article 3(2), the data processor, as it is established in the Union, will be subject to the relevant provisions of the GDPR as per Article 3(1). These are:
- The obligations imposed on processors under Article 28 (2), (3), (4), (5) and (6), on the duty to enter into a data processing agreement, with the exception of those relating to the assistance to the data controller in complying with its (the controller’s) own obligations under the GDPR.
- The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law, as per Article 29 and Article 32(4).
- Where applicable, the processor shall maintain a record of all categories of processing carried out on behalf of a controller, as per Article 30(2).
- Where applicable, the processor shall, upon request, cooperate with the supervisory authority in the performance of its tasks, as per Article 31.
- The processor shall implement technical and organisational measures to ensure a level of security appropriate to the risk, as per Article 32.
- The processor shall notify the controller without undue delay after becoming aware of a personal data breach, as per Article 33.
- Where applicable, the processor shall designate a data protection officer as per Articles 37 and 38.
- The provisions on transfers of personal data to third countries or international organisations, as per Chapter V. This means that when personal data leaves EU territory, including any onward transfers thereafter, it must continue to be protected under rules equivalent to the GDPR (i.e. GDPR principles must “follow the data”). In practice, the EU processor's return of data to the South African controller, and any transfer to non-EU sub-processors, is itself a Chapter V transfer and needs a valid transfer mechanism such as standard contractual clauses.
This may cause difficulties for EU-based processors; for example, if the non-EU controller, not itself subject to the GDPR, processes personal data in a non-GDPR-compliant manner. EU-based processors may consider seeking contractual assurances from non-EU controllers to cover this risk.
In addition, Article 28(3) specifies that “the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.” This places a further obligation on the EU-based processor: it must scrutinise the instructions it receives from the non-EU controller even though the controller itself is not bound by the Regulation.
To better understand these requirements, it is important to note that EU regulators are expected to apply the rules so as to prevent the EU from becoming an unethical data ‘haven’. EU legislators and regulators would not welcome processors on EU territory that breach the principles protecting natural persons from abuse of their personal data. If a non-EU controller, based in a country with a lax approach to personal data and abusing individuals' rights, were to use EU territory for some part of its processing, that processing should come under the control of the law.