We previously posted about the territorial scope of the EU’s General Data Protection Regulation (“GDPR”). Last month, the European Data Protection Board issued draft Guidelines to help companies outside of the EU determine whether the GDPR applies to them. Here are some key provisions:
Establishment in the EU
Under Article 3(1), controllers and processors established in the EU are subject to the GDPR “regardless of whether the processing takes place in the EU or not”. Among other things, the Guidelines clarify the meaning of “establishment” in the EU. Consistent with prior case law, a controller or processor will be considered to have an establishment in the EU if it exercises a real and effective activity (even a minimal one) through stable arrangements in the territory of an EU member state. This is determined by the specific nature of the economic activities and the provision of services concerned. Significantly, the presence of one single employee or agent in an EU member state could be considered an “establishment” in the EU regardless of its legal form (e.g., subsidiary, branch, office, etc.).
The Guidelines direct that processing activities be assessed separately for controllers and processors. A processor established in the EU must comply with the GDPR even if it is processing data for a controller outside of the EU. That outsourcing relationship does not automatically subject the non-EU controller to the GDPR. Likewise, a non-EU-based processor does not fall under the GDPR solely because it processes personal data for a GDPR-covered data controller. Nevertheless, non-EU processors may be contractually obligated to comply with the GDPR. Indeed, the Guidelines encourage GDPR-covered data controllers to enter into such contractual relationships with processors.
Targeting Individuals in the EU
Per Article 3(2), controllers and processors that target individuals in the EU will be subject to the GDPR even if they are not established in the EU. The Guidelines set out a two-step approach to evaluate whether the “targeting” criterion applies:
- Does the processing relate to personal data of data subjects in the EU?
- Does the processing relate to the offering of goods and services or to the monitoring of the behavior of data subjects in the EU?
Data Subject in the EU. According to the Guidelines, the GDPR applies to any person located in the EU whose information is collected, regardless of their nationality or legal status. The requirement that the individual be “located in the EU” must be assessed at the moment the relevant trigger activity takes place, i.e., the moment of offering goods or services or the moment when the behavior is monitored, regardless of the duration of that offering or monitoring. This would include tourists who happen to be in the EU at the moment their personal data is collected.
Offering Goods and Services. A controller or processor with no establishment in the EU must show a clear intention of doing business with EU customers in order to be considered “targeting” individuals in the EU with offers for goods and services.
The Guidelines list several factors that should be taken into account in determining whether an intention to offer goods and services exists, including: whether an EU member state is designated by name; whether the controller or processor has launched an advertising or marketing campaign in the EU; mention of dedicated addresses or phone numbers reachable from an EU country; travel instructions from the EU to the place where the service is provided; use of language or currency commonly used in the EU; and whether goods are delivered in EU countries.
Monitoring. A controller or processor is “targeting” individuals in the EU by monitoring their behavior if the monitored behavior relates to an individual in the EU and takes place in the EU. According to the Guidelines, “monitoring” encompasses: behavioral advertisements; online tracking; CCTV; personalized diet and health analytic services online; market surveys or other behavioral studies based on individual profiles; and regular reporting on an individual’s health status. The Guidelines emphasize the importance of the purpose for which the monitoring is done, suggesting that the inadvertent monitoring of an individual in the EU would not trigger application of the GDPR.
The full text of the proposed Guidelines is available here. The Guidelines are open for public comment until January 18, 2019.
If you have questions regarding whether the GDPR covers your business, please contact Kristen Hilton at firstname.lastname@example.org or 503-227-1111.