GDPR: Territorial scope.

The GDPR “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” (Art. 3(1))

In Weltimmo v NAIH (C-230/14), the meaning of “establishment” was considered by the Court of Justice of the European Union. The Court confirmed that establishment is a “broad” and “flexible” phrase. The Court ruled that “it should be considered that the concept of ‘establishment’, within the meaning of Directive 95/46, extends to any real and effective activity — even a minimal one — exercised through stable arrangements.”

In Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (C-131/12), the Court found that “the activities of the operator of the search engine and those of its establishment situated in the Member State concerned are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed.”

Furthermore, according to Recital 2 of the GDPR, “The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data.”

The GDPR “applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

  1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union (Art. 3(2)(a)); or
  2. the monitoring of their behaviour as far as their behaviour takes place within the Union.” (Art. 3(2)(b)).

The GDPR makes it clear that “the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention.” (Recital 23). Factors such as offering a service in the languages or currencies used in one or more Member States or mentioning customers or users in a Member State may trigger the application of the GDPR. What constitutes offering “goods or services” should be determined on a case-by-case basis.

Recital 24 states that “In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.” The term “data subjects who are in the Union” suggests that the GDPR applies to everyone within the Union, whatever their nationality or residence (e.g., American tourists). However, where organisations have no EU presence, enforcement may be difficult.

Finally, the GDPR “applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.” (Art 3(3)) In practice, the circumstances where this will apply are rare. Recital 25 gives the example of a Member State’s diplomatic mission or consular post.

If you would like to discuss the topic of GDPR readiness in more detail or outsource your DPO role to us, please feel free to get in touch.

If you found this article useful, please feel free to like, connect with (or follow) me, and share with others.

Kieran McLaughlin

Data Protection and Privacy Manager | Non-practising Barrister

The enforceability of the GDPR on non-EEA businesses remains to be seen. My view is that reputational damage and data subjects "voting with the feet/clicks" will continue to be the key driver of privacy compliance outside of the EEA. For anyone interested, the following is also worth a read: Regulation (44/2001/EC), Google v. Vidal-Hall [2015] EWCA Civ 311, Patrick Breyer v Bundesrepublik Deutschland (C-582/14) and Verein für Konsumenteninformation (VKI) v Amazon EU Sàrl (C-191/15).