The European Data Protection Board ("EDPB") has published its long-awaited Guidelines on the GDPR's Territorial Scope ("the Guidelines") for public comment. The aim of the Guidelines is to clarify a number of open questions concerning the territorial scope of the General Data Protection Regulation ("GDPR"), in particular where the data controller or processor is established outside of the EU.

According to Article 3 of the GDPR, its provisions apply to:

  • An EU-based controller or processor processing personal data in the context of its activities; or
  • A non-EU based controller or processor processing personal data of data subjects in the EU in connection with either the offering of goods or services, or the monitoring of their behaviour taking place in the EU.

The Guidelines provide clarification for companies to assess whether all or parts of their activities will fall under the scope of the GDPR and, if so, to what extent they would be subject to the application of the GDPR. Notably, the Guidelines provide clarifications on a number of subjects that have been viewed as controversial since the enactment of the GDPR, including the following:

  • Application of the GDPR to the establishment of a controller or a processor in the Union "regardless of whether the processing takes place in the Union or not". In this regard, the EDPB states that any processing of personal data in the context of the activities of an establishment of a controller or processor in the Union would fall under the scope of the GDPR. In order to determine whether a non-EU entity has an establishment in the EU for the purpose of the GDPR, both the degree of stability of the arrangements and the effective exercise of activities in that Member State must be considered, in light of the specific nature of the economic activities of the services;
  • A non-EU controller using an EU processor for activities outside of the EU, which does not target EU residents, is not required to comply with the GDPR. The EU processor will be subject to the relevant GDPR provisions that are directly applicable to data processors;
  • Citizenship, established residency or any other type of legal status of the data subject is irrelevant when determining the application of the targeting criteria; and
  • The criteria for the appointment of an EU representative are in accordance with Article 27 of the GDPR for non-EU controllers and processors.

The Guidelines will still be subject to public comment prior to ratification.
