On 23 November 2018, the European Data Protection Board (“EDPB”) – the gathering of all European Union (EU) data protection authorities – adopted new draft guidelines on territorial scope of the General Data Protection Regulation (“GDPR” – external source). The EDPB was previously known as the Article 29 Working Party.
The long awaited guidelines (“Guidelines”, available here) provide a common interpretation on the scope of application of the GDPR. Its territorial scope, laid down in Article 3 GDPR, states that GDPR applies to:
- any EU-based controller or processor processing personal data in the context of its activities (Article 3.1 GDPR); or
- any non-EU-based controller or processor processing personal data of EU residents in connection with either:
- the offer of goods or services (Article 3.2.a GDPR); or
- the monitoring of their behavior taking place in the EU (Article 3.2.b GDPR).
The Guidelines provide clarification for both EU and non-EU based companies to assess whether all or parts of their activities would fall under the scope of the GDPR and to what extent they would be subject to the application of the GDPR.
Notably, the Guidelines clarified aspects which had been subject to controversy or misinterpretation in the six months since GDPR’s entry into force, such as:
- A non-EU controller using an EU processor for activities outside of the EU not targeting EU residents does not have to comply with GDPR. An EU processor will be subject to the relevant GDPR provisions directly applicable to data processors;
- The irrelevancy of the “targeting” criterion when considering applicability of the GDPR to monitoring activities; and
- Citizenship, established residency or other type of legal status of the data subject is irrelevant to determine the application of the targeting criterion.
Moreover, the Guidelines also clarified the criteria of the appointment of an EU representative defined in Article 27 GDPR for non-EU controllers and processors.
The Guidelines will still be subject to a public consultation before being revised and ultimately adopted in a final version.
K&L Gates’ Data Protection team remains at your disposal to assist you in the completion of your contributions, which will need to be submitted before 18 January 2019.