Article 3 GDPR: Difference between revisions
==Commentary==
The first two paragraphs of Article 3 GDPR define the territorial scope of the Regulation on the basis of two main criteria:
* the establishment of a controller or a processor in the Union; or
* being active on the EU market by offering goods or services or monitoring behaviour.
Where one of these two criteria is met, the relevant provisions of the GDPR will apply to the processing of personal data.
The third paragraph confirms the application of the GDPR to processing activities to which “''Member State law applies by virtue of public international law''”,<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 4 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref> such as an embassy of an EU Member State in a third country.<blockquote><u>EDPB Guidelines:</u> for this Article, please see [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052021-interplay-between-application-article-3_en Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR]; and [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en EDPB Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - version adopted after public consultation].</blockquote>
=== (1) Establishment in the Union ===
The GDPR does not provide a definition of 'establishment' for the purpose of Article 3.
==== Establishment of a controller or processor in the Union ====
The application of this provision depends on two rather broad concepts: the 'controller', which may include natural or legal persons, public authorities, agencies or other bodies (see details under [[Article 4 GDPR|Article 4(7) GDPR]]); and one or more 'establishments' of said controller in the Union. <blockquote>{{Quote-common-mistake|It is important to note that the GDPR, like other EU law, merely uses the term 'Union', even though the GDPR applies to the entire European Economic Area (EEA), which includes not only the 27 EU Member States but also Norway, Iceland and Liechtenstein. EU law, including the GDPR, may also apply to overseas territories of Member States. The details differ per territory.}}</blockquote>An 'establishment' does not need to be a separate legal entity in the European Union. It may also be just an office or another form of activity in the Union. Recital 22 states that “''[e]stablishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect''”.<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 6 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref> According to the European Data Protection Board (EDPB), "''[t]his wording is identical to that found in Recital 19 of Directive 95/46/EC, to which reference has been made in several CJEU rulings broadening the interpretation of the term 'establishment', departing from a formalistic approach whereby undertakings are established solely in the place where they are registered''".<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 6 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref> In particular, in [[CJEU - C‑230/14 - Weltimmo|C‑230/14 - ''Weltimmo'']] the CJEU extended the definition of establishment “''to any real and effective activity - even a minimal one - exercised through stable arrangements''”.<ref>CJEU, Case C-230/14, ''Weltimmo'', 1 October 2015, margin number 31 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=168944&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=91583 here]).</ref><blockquote>{{Quote-example|A subsidiary of a US car manufacturer in Belgium supervises its European activities, including marketing and advertising. The Belgian subsidiary operates through a 'stable arrangement' since it carries out activities which are genuine and instrumental to the main economic activity of the US headquarters. As such, it can be seen as an 'establishment' under the GDPR.<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 7 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref>}}</blockquote>The EDPB has pointed out that the threshold for a 'stable arrangement' is quite low. It can be met by the presence of a single employee or agent of a non-EU entity in the Union, provided that employee or agent acts with a sufficient degree of stability.
{{Quote-EDPB|"The threshold for “stable arrangement” can actually be quite low when the centre of activities of a controller concerns the provision of services online. As a result, in some circumstances, the presence of one single employee or agent of a non-EU entity in the Union may be sufficient to constitute a stable arrangement (amounting to an ‘establishment’ for the purposes of Art 3(1)) if that employee or agent acts with a sufficient degree of stability. Conversely, when an employee is based in the EU but the processing is not being carried out in the context of the activities of the EU-based employee in the Union (i.e. the processing relates to activities of the controller outside the EU), the mere presence of an employee in the EU will not result in that processing falling within the scope of the GDPR."|EDPB, 'Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)', 12 November 2019 (Version 2.1), page 6.|4=https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en}}
However, this concept is not without limit and cannot lead to the conclusion that a "''non-EU entity has an establishment in the Union merely because the undertaking’s website is accessible in the Union''”.<ref>CJEU, Case C-191/15, ''Verein für Konsumenteninformation'', 28 July 2016, margin number 76 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=182286&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=91583 here]).</ref> Equally, the mere placement of data processing equipment in the EU is not an 'establishment', as there is no human activity.
In conclusion, if a controller or processor established outside the Union exercises “''a real and effective activity - even a minimal one''” through a 'stable arrangement', regardless of its legal form (e.g. subsidiary, branch, office), in the territory of a Member State, this controller or processor can be considered to have an establishment in that Member State.<ref>''Klar'', in Kühling/Buchner, DS-GVO BDSG, Article 3 GDPR, margin number 46 (C.H. Beck 2020, 3rd Edition)</ref> <blockquote>{{Quote-common-mistake|The location of the processing itself is irrelevant to determining the geographical scope of Article 3(1) GDPR. As explained by the EDPB, geographical location is only relevant to answer whether a controller or processor is established within or outside the Union, and whether a non-EU controller or processor has an establishment in the Union.}}</blockquote>
====Linking processing and EU establishment: “''in the context of the activities''”====
An establishment in the Union may be considered irrelevant if, and only if, the establishment is not related to the processing of personal data. <blockquote>{{Quote-example|A Brazilian company operates in different areas. It has an IT operation that is only active in South America, but also owns a construction company in the EU. The IT operation does not fall under the GDPR merely because there is an unrelated establishment in the EU.}}</blockquote>Article 3(1) confirms that it is not necessary that the processing in question is carried out 'by' the relevant EU establishment itself. The controller or processor will be subject to obligations under the GDPR whenever the processing is carried out 'in the context of the activities' of its relevant establishment in the Union. In this regard, the CJEU has followed a broad interpretation and has already provided some guidance. <blockquote>In [[CJEU - C-210/16 - Wirtschaftsakademie|C-210/16 - ''Wirtschaftsakademie'']], the CJEU stated (with regard to the previous Directive 95/46/EC) that processing carried out in the context of the activities of the controller’s establishment “''cannot be interpreted restrictively''” and that this “''does not require that such processing be carried out ‘by’ the establishment concerned itself, but only that it be carried out ‘in the context of the activities of’ the establishment''”.<ref name=":0">CJEU, Case C-131/12, ''Google Spain'', 13 May 2014 (available [https://curia.europa.eu/juris/document/document.jsf;jsessionid=6D00A24D093BED699922F94A485E59AD?text=&docid=152065&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=594393 here]).</ref> In [[CJEU - C‑230/14 - Weltimmo|C‑230/14 - ''Weltimmo'']] the CJEU confirmed that the concept “''cannot be interpreted restrictively''”.<ref>CJEU, Case C-230/14, ''Weltimmo'', 1 October 2015, margin number 31 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=168944&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=91583 here]).</ref> In [[CJEU - C‑131/12 - Google Spain|C‑131/12 - ''Google Spain'']], Google had a Spanish subsidiary which promoted and sold advertising space for the US parent company. Although the local subsidiary did not itself process users' personal data, the CJEU found that it was an establishment sufficiently linked with the search engine to make Directive 95/46/EC applicable.<ref name=":0" /></blockquote>The EDPB Guidelines suggest that two factors may help in determining whether processing occurs in the context of an establishment in the Union:
* The first is the relationship between the non-EU entity and its local establishment in the Union. If a case-by-case analysis of the facts shows that there is an 'inextricable link' between the processing of personal data carried out by a non-EU controller or processor and the activities of an EU establishment, EU law will apply to that processing by the non-EU entity, whether or not the EU establishment plays a role in that processing of data.
* The second factor concerns whether or not the local establishment in the EU contributes to the revenues of the non-EU entity. This may potentially be the case, for example, for any foreign operator with a sales office or some other presence in the EU, even if that office has no role in the actual data processing, in particular where the processing takes place in the context of the sales activity in the EU and the activities of the establishment are aimed at the inhabitants of the Member States in which the establishment is located.<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 6 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref>
At the same time, the EDPB has stated that this requirement should not be interpreted so broadly as to conclude that any presence in the EU, with even the remotest links to the data processing activities of a non-EU entity, is sufficient to bring this processing within the scope of EU data protection law. <blockquote>{{Quote-EDPB|"On the other hand, the existence of an establishment within the meaning of the GDPR should not be interpreted too broadly to conclude that the existence of any presence in the EU with even the remotest links to the data processing activities of a non-EU entity will be sufficient to bring this processing within the scope of EU data protection law. Some commercial activity carried out by a non-EU entity within a Member State may indeed be so far removed from the processing of personal data by this entity that the existence of the commercial activity in the EU would not be sufficient to bring the data processing by the non-EU entity within the scope of EU data protection law."|EDPB, 'Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)', 12 November 2019 (Version 2.1), page 7.|4=https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en}}{{Quote-example|When an employee is based in the EU but the processing is not being carried out in the context of the activities of the EU-based employee in the Union (i.e. the processing relates to activities of the controller outside the EU), the mere presence of an employee in the EU will not result in that processing falling within the scope of the GDPR.<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 6-7 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref>}}</blockquote>
===(2) Activity in the Union===
==== Data subject located in the Union====
If the controller or the processor is not established in the EU, the GDPR can nonetheless be triggered if personal data of individuals located in the Union are being processed. <blockquote>{{Quote-example|A Chinese citizen is located in Berlin. If their behaviour is monitored by an app, the GDPR applies.}}</blockquote>In light of Recital 14 GDPR and the EDPB guidelines, the targeting criterion covers any natural person located in the Union to the extent that they are subject to processing as described in Article 3(2)(a) and (b) GDPR.<blockquote>{{Quote-common-mistake|The application of the GDPR does in no way depend on the citizenship of data subjects. Given that the fundamental right to data protection under Article 8 of the Charter is a human right, it applies to all humans equally.}}</blockquote>The requirement that the data subject be located in the Union must be assessed at the moment in time when the relevant trigger activity takes place, such as the moment when goods or services are offered, or the moment when the behaviour of the data subject is being monitored (letters (a) and (b) below). The processing activities related to data subjects in the Union must have taken place intentionally, rather than inadvertently or incidentally.<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), pp. 14-15 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]). This is also confirmed by Recital 23 GDPR, which states that “''in order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union''.”</ref>
====Relation with the offering of goods or services, or the monitoring of behaviour ====
Having a data subject located in the Union is, however, not enough on its own. In addition, the processing has to 'relate to' one of two alternatives for the GDPR to apply. The phrase 'related to' again calls for a wide interpretation: the processing need not be 'aimed at' or 'necessary for' the activity, but must merely 'relate to' one of the following activities:
=====(a) Offering of goods or services=====
The concept of 'goods and services' has been clarified in EU law (e.g. [https://eur-lex.europa.eu/eli/dir/2006/123/oj Directive 2006/123/EC on services in the internal market]) and case law, ''inter alia'' on the interpretation of [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A12012E%2FTXT Articles 28 to 37 and 56 to 62 TFEU]. 'Goods' are products which can be valued in money and which are capable, as such, of forming the subject of commercial and lawful transactions.<ref>E.g. CJEU, Case C-7/68, ''Commission v Italy'', 10 December 1968 (available [https://curia.europa.eu/juris/showPdf.jsf?text=&docid=87685&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=91583 here]); CJEU, Case C-50/80, ''Horvath'', 5 February 1981 (available [https://curia.europa.eu/juris/showPdf.jsf?text=&docid=90857&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=91583 here]); CJEU, Case C-421/09, ''Humanplasma'', 9 December 2010 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=83855&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=91583 here]).</ref> 'Services' are activities developed by the provider and directed to a recipient, typically for remuneration.<ref>CJEU, Case C-263/86, ''Humbel and Edel'', 27 September 1988 (available [https://curia.europa.eu/juris/showPdf.jsf?text=&docid=94935&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=91583 here]).</ref> This includes “''any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services''”,<ref>Article 1(1)(b) Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32015L1535 here]).</ref> as also supported by the EDPB.<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 16 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]), referring to Article 1(1)(b) Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services.</ref>
======Limitation to 'apparent' offering of goods and services======
Recital 23 GDPR highlights that it must be 'apparent' that the controller or processor is offering goods or services in the EU. This limitation is not directly supported by the text of the GDPR.
Typical signs that a controller or processor apparently offers goods and services in Europe are, for example: the offering of languages that are not typically spoken in third countries (like German, Polish, Italian or Scandinavian languages); the option to pay in Euros or other local currencies in the Union; the use of a top-level domain that is linked to an EU Member State (such as ".fr"); or the option to have goods delivered to the EU. The mere possibility that the website of a controller or processor can be visited from the Union is not in itself sufficient to prove an intention to offer goods or services there. <blockquote>{{Quote-example|The website of a local newspaper in Canada can be accessed from the EU. The newspaper only covers local stories, does not offer subscriptions outside of the local province and does not have advertisement aimed at EU residents. The GDPR does not apply to the local newspaper. At the same time, a major global newspaper like the New York Times clearly serves the European market and must apply the GDPR in relation to data subjects based in the EU.}}{{Quote-example|An online shop from Chile offers products worldwide. Products are offered to anyone in the EU, the goods are shipped to European addresses and are payable in Euro. The shop is available in Spanish, but also in English, French, German, Polish and Italian. The GDPR applies to this online shop.}}</blockquote>The matter of sufficient targeting of a local market is debated in relation to Article 17(1)(c) of the Brussels I Regulation (EU) No 1215/2012, which regulates the jurisdiction of national courts in consumer contracts. There is a body of case law defining when a company "directs activities" towards a Member State. This case law seems to be instructive in the interpretation of Recital 23 GDPR.
======No limitation to paid goods and services======
Contrary to the usual definition of goods and services, the GDPR clarifies that processing is covered "''irrespective of whether a payment of the data subject is required''". This is intended to ensure that the many free services that use personal data as an alternative revenue stream are also covered by the GDPR, if these services are offered on the European market.<blockquote>{{Quote-example|A small online games provider from Turkey offers a game that is free to use and makes profits with advertisement in the game. It is very popular in Germany among the large Turkish diaspora. The GDPR applies to the processing of personal data of these users.}}</blockquote>
=====(b) The monitoring of data subjects' behaviour=====
The GDPR also becomes applicable if the behaviour of persons based in the EU is monitored. This is especially relevant for online advertising and other business models that are based on user tracking.
The monitoring of data subjects’ behaviour is not defined in the GDPR. Recital 24 GDPR nevertheless clarifies that “''[i]n order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes''”. The EDPB reads this to include not only the tracking of a person on the internet, but also tracking through other kinds of network or technology which involve personal data processing, for instance tracking through the use of wearables or smart devices.<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 19 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref>
===(3) Public international law===
The GDPR applies to the processing of personal data by a controller not established in the Union if the Member State’s legislation applies by virtue of public international law. Recital 25 GDPR gives the example of processing taking place in a “''Member State’s diplomatic mission or consular post''”. The EDPB gives as a further example the case of a German cruise ship travelling in international waters. By virtue of public international law, the GDPR will apply even though the ship is in international waters.<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 19 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref>
===Interaction with national laws===
The GDPR is not an isolated law. In many ways controllers, processors and data subjects are also subject to various other national, EU or even international laws.
====Opening clauses under the GDPR====
The GDPR sometimes provides for national 'opening clauses', so that Member States can regulate certain - especially sensitive - aspects of data processing nationally. For example, matters of freedom of speech, data processing in the employment context, or freedom of information are left to the Member States in [https://gdprhub.eu/index.php%3Ftitle=Article_85_GDPR Articles 85] to [https://gdprhub.eu/index.php%3Ftitle=Article_91_GDPR 91] GDPR. Equally, the Member States can implement restrictions on the rights under various Articles, if these restrictions are in the public interest of the Member State ([[Article 23 GDPR]]).
Despite early criticism, the GDPR does not regulate the territorial application of such opening clauses or restrictions, but leaves this to national law itself. For most national laws that use a restriction or opening clause, one has to refer to the territorial scope of the national law, or even to general rules of international law, to determine its application. <blockquote>{{Quote-example|The Austrian Data Protection Act ('Datenschutzgesetz') regulates the use of personal data by journalists in § 9 Data Protection Act, as made possible by the opening clause in [[Article 85 GDPR]]. The Austrian law does not, however, specify the geographic application of the Data Protection Act. Under Article 49 of the Austrian Constitution, Austrian laws generally apply to the territory of Austria. It is unclear whether Austrian journalists can rely on this privilege when publishing personal data in other Member States, or whether journalists of other Member States have to follow the law of Austria if their journalistic activity extends to the territory of Austria.}}</blockquote>Similar problems arise in many situations where opening clauses are used in cross-border contexts, and they require additional research on the territorial application of the national laws using such opening clauses.
====References to national law====
A similar issue occurs when the GDPR simply refers to applicable national law as a preliminary question under a GDPR provision. In some situations where the GDPR refers to national law, such as contract law in [https://gdprhub.eu/index.php%3Ftitle=Article_6_GDPR Article 6(1)(b) GDPR], there are existing EU law provisions, like the Rome I Regulation (EC) No 593/2008 on the law applicable to contractual obligations. <blockquote>{{Quote-example|A controller is located in Germany; the data subject is a consumer located in Spain. Under EU regulations, the Spanish consumer protection provisions apply. To determine whether processing is necessary for a specific contract under Article 6(1)(b) GDPR, the controller has to determine whether the contract it has formed with the consumer is even valid under Spanish consumer protection law.}}</blockquote>Equally, one would have to consider the applicable Member State law to determine whether any processing of personal data is 'necessary' to comply with a legal obligation or task under [https://gdprhub.eu/index.php%3Ftitle=Article_6_GDPR Article 6(1)(c) or (e) GDPR]. Usually, provisions in national law, EU law or international law regulate the scope of such laws.<blockquote>{{Quote-example|A controller is located in Member State A for tax reasons, but has subsidiaries with workers in Member States B and C. The controller may have to apply the income tax law of Member State A, but also the employment tax law and the worker protection laws of A, B and C. Different processing of personal data may be 'necessary' depending on the legal requirements in each Member State.}}</blockquote>
==Decisions==
→ You can find all related decisions in [[:Category:Article 3 GDPR]]
Latest revision as of 11:24, 31 October 2024
Legal Text
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Relevant Recitals
Commentary
The first two paragraphs of Article 3 GDPR define the territorial scope of the Regulation on the basis of two main criteria:
- the establishment of a controller or a processor in the Union; or
- being active on the EU market by offering services or goods or monitoring behavior.
Where one of these two criteria is met, the relevant provisions of the GDPR will apply to the processing of personal data.
The third paragraph confirms the application of the GDPR to processing activities to which “Member State law applies by virtue of public international law”,[1] such as an embassy of an EU Member State in a third country.
EDPB Guidelines: for this Article, please see Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR; and EDPB Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - version adopted after public consultation.
(1) Establishment in the Union
The GDPR does not provide a definition of 'establishment' for the purpose of Article 3.
Establishment of a controller in the Union
The application of this provision depends on two rather broad concepts: the 'controller', which may include natural or legal persons, public authorities, agencies or other bodies (see details under Article 4(7) GDPR); and one or more 'establishments' of said controller in the Union.
Common mistake: It is important to note that the GDPR, like other EU law, merely uses the term 'Union', even though the GDPR applies to the entire European Economic Area (EEA), which includes not only the 27 EU Member States but also Norway, Iceland and Liechtenstein. EU law, including the GDPR, may also apply to overseas territories of Member States. The details differ per territory.
An 'establishment' does not need to be a separate legal entity in the European Union. It may also be just an office or other form of activity in the Union. Recital 22 states that the “[e]stablishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect”.[2] According to the European Data Protection Board (EDPB), "[t]his wording is identical to that found in Recital 19 of Directive 95/46/EC, to which reference has been made in several CJEU rulings broadening the interpretation of the term 'establishment', departing from a formalistic approach whereby undertakings are established solely in the place where they are registered".[3] In particular, in C‑230/14 - Weltimmo the CJEU extended the definition of establishment “to any real and effective activity - even a minimal one - exercised through stable arrangements”.[4]
For example: A subsidiary of a US car manufacturer in Belgium supervises its European activities, including marketing and advertising. The Belgian subsidiary operates through a 'stable arrangement' since it carries out activities which are genuine and instrumental to the main economic activity of the US headquarters. As such, it can be seen as an 'establishment' under the GDPR.[5]
The EDPB pointed out that the threshold for 'stable arrangement' is quite low. Indeed, it could be met by the simple presence of a single employee or agent of a non-EU entity in the Union - if that employee or agent acts with a sufficient degree of stability.
"The threshold for “stable arrangement” can actually be quite low when the centre of activities of a controller concerns the provision of services online. As a result, in some circumstances, the presence of one single employee or agent of a non-EU entity in the Union may be sufficient to constitute a stable arrangement (amounting to an ‘establishment’ for the purposes of Art 3(1)) if that employee or agent acts with a sufficient degree of stability. Conversely, when an employee is based in the EU but the processing is not being carried out in the context of the activities of the EU-based employee in the Union (i.e. the processing relates to activities of the controller outside the EU), the mere presence of an employee in the EU will not result in that processing falling within the scope of the GDPR."
However, this concept is not 'without limit' and cannot lead to the conclusion that a "non-EU entity has an establishment in the Union merely because the undertaking’s website is accessible in the Union”.[6] Equally, the mere placement of data processing equipment in the EU is not an 'establishment', as there is no human activity.
In conclusion, if a controller or processor established outside the Union exercises “a real and effective activity - even a minimal one” through a 'stable arrangement', regardless of its legal form (e.g. subsidiary, branch, office), in the territory of a Member State, this controller or processor can be considered to have an establishment in that Member State.[7]
Common mistake: The location of the processing itself is irrelevant to determine the geographical scope of Article 3(1) GDPR. As explained by the EDPB, geographical location is only relevant to answer whether a controller or processor is established within or outside the Union, and whether a non-EU controller or processor has an establishment in the Union.
Linking processing and EU establishment: “in the context of the activities”
An establishment in the Union may be considered irrelevant if, and only if, the establishment is not related to the processing of personal data.
Article 3(1) confirms that it is not necessary that the processing in question is carried out 'by' the relevant EU establishment itself. The controller or processor will be subject to obligations under the GDPR whenever the processing is carried out 'in the context of the activities' of its relevant establishment in the Union. In this regard, the CJEU has followed a broad interpretation and already provided some guidance.
In C-210/16 - Wirtschaftsakademie, the CJEU stated (with regard to the previous Directive 95/46/EC) that processing carried out in the context of the activities of the controller’s establishment “cannot be interpreted restrictively” and that processing “does not require that such processing be carried out ‘by’ the establishment concerned itself, but only that it be carried out ‘in the context of the activities of’ the establishment”.[8] In C‑230/14 - Weltimmo the CJEU confirmed that the concept “cannot be interpreted restrictively”.[9] In C‑131/12 - Google Spain, Google US had a sales office in Spain selling advertising for the US parent company. Although the local office was not itself processing personal data of users, the CJEU nonetheless found that it was an establishment sufficiently linked with the search engine to make Directive 95/46/EC applicable.[8]
The EDPB Guidelines suggest that two factors may help in determining whether processing occurs in the context of an establishment in the Union:
- The first one is the relationship between the non-EU entity and its local establishment in the Union. If a case-by-case analysis on the facts shows that there is an 'inextricable link' between the processing of personal data carried out by a non-EU controller or processor and the activities of an EU establishment, EU law will apply to that processing by the non-EU entity, whether or not the EU establishment plays a role in that processing of data.
- The second factor concerns whether or not the local establishment in the EU contributes to the revenues of the non-EU entity. This may potentially be the case, for example, for any foreign operator with a sales office or some other presence in the EU, even if that office has no role in the actual data processing, in particular where the processing takes place in the context of the sales activity in the EU and the activities of the establishment are aimed at the inhabitants of the Member States in which the establishment is located.[10]
At the same time, the EDPB has stated that this requirement should not be interpreted too broadly so as to conclude that the existence of any presence in the EU, with even the remotest links to the data processing activities of a non-EU entity, will be sufficient to bring this processing within the scope of EU data protection law.
"On the other hand, the existence of an establishment within the meaning of the GDPR should not be interpreted too broadly to conclude that the existence of any presence in the EU with even the remotest links to the data processing activities of a non-EU entity will be sufficient to bring this processing within the scope of EU data protection law. Some commercial activity carried out by a non-EU entity within a Member State may indeed be so far removed from the processing of personal data by this entity that the existence of the commercial activity in the EU would not be sufficient to bring the data processing by the non-EU entity within the scope of EU data protection law."
For example: When an employee is based in the EU but the processing is not being carried out in the context of the activities of the EU-based employee in the Union (i.e. the processing relates to activities of the controller outside the EU), the mere presence of an employee in the EU will not result in that processing falling within the scope of the GDPR.[11]
(2) Activity in the Union
Data subject located in the Union
If the controller or the processor is not established in the EU, the GDPR can nonetheless be triggered if personal data of individuals located in the Union are being processed.
In light of Recital 14 GDPR and the EDPB guidelines, the targeting criterion covers any natural person located in the Union to the extent that they are subject to processing, as described in Article 3(2)(a) and (b) GDPR.
The requirement that the data subject be located in the Union must be assessed at the moment in time when the relevant trigger activity takes place, such as the moment when goods or services are offered, or the moment when the behavior of the data subject is being monitored (letters (a) and (b) below). The processing activities related to data subjects in the Union must have taken place intentionally, rather than inadvertently or incidentally.[12]
Relation with offering of goods or services, or the monitoring of behaviour
Just having a data subject located in the Union is, however, not enough. In addition, the processing has to 'relate to' one of two alternatives for the GDPR to apply. The phrase 'relate to' again calls for a wide interpretation: the processing need not be 'aimed at' or 'necessary for' the activity; it merely has to 'relate to' one of the following activities:
(a) Offering of goods or services
The concept of 'goods and services' has been clarified in EU law (e.g. Directive 2006/123/EC on services in the internal market) and case law, inter alia on the interpretation of Articles 28 to 37 and 56 to 62 TFEU. 'Goods' are products which can be valued in money and which are capable, as such, of forming the subject of commercial and lawful transactions.[13] 'Services' are activities developed by the provider and directed to a recipient, typically for remuneration.[14] This includes “any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”;[15] as also supported by the EDPB.[16]
Limitation to 'apparent' offering of goods and services
Recital 23 GDPR highlights that it must be 'apparent' that the controller or processor is offering goods or services in the EU. This limitation is not directly supported by the text of the GDPR.
Typical signs that a controller or processor apparently offers goods and services in Europe are, for example: the offering of languages that are not typically spoken in third countries (like German, Polish, Italian or Scandinavian languages); the option to pay in Euros or other local currencies in the Union; the use of a top-level domain linked to an EU Member State (such as ".fr"); or the option to have goods delivered to the EU. The mere possibility that the website of a controller or processor can be visited from the EU is not in itself sufficient to prove an intention to offer goods or services.
For example: The website of a local newspaper in Canada can be accessed from the EU. The newspaper only covers local stories, does not offer subscriptions outside of the local province and does not have advertisement aimed at EU residents. The GDPR does not apply to the local newspaper. At the same time a major global newspaper like the New York Times would clearly serve the European market and must apply the GDPR in relation to data subjects based in the EU.
For example: An online shop from Chile offers products worldwide. Products are offered to anyone in the EU and the goods are shipped to European addresses and payable in Euro. The shop is available in Spanish, but also in English, French, German, Polish and Italian. The GDPR applies to this online shop.
The matter of sufficient targeting of a local market is debated in relation to Article 17(1)(c) of the Brussels-I-Regulation 1215/2012, which regulates the jurisdiction of national courts in consumer contracts. There is a body of case law defining if a company "directs activities" towards a Member State. This case law seems to be instructive in the interpretation of Recital 23 GDPR.
No limitation to paid goods and services
Contrary to the usual definition of goods and services, the GDPR clarifies that processing is covered "irrespective of whether a payment of the data subject is required". This is intended to ensure that the many free services that use personal data as an alternative revenue stream are also covered by the GDPR, if these services are offered on the European market.
(b) The Monitoring of data subjects' behaviour
The GDPR also becomes applicable if the behaviour of persons based in the EU is monitored. This is especially relevant for online advertisement and other business models that are based on user tracking.
The monitoring of data subjects’ behaviour is not defined in the GDPR. Recital 24 GDPR nevertheless clarifies that “[i]n order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes”. The EDPB has expanded the scope of this to include not only tracking of a person on the internet, but also tracking through other kinds of network or technologies which involve personal data processing, for instance, tracking through the use of wearables or smart devices.[17]
(3) Public international law
The GDPR applies to the processing of personal data by a controller not established in the Union if the Member State’s legislation applies by virtue of public international law. Recital 25 GDPR gives the example of processing taking place in a “Member State’s diplomatic mission or consular post”. The EDPB gives as a further example the case of a German cruise ship travelling in international waters. By virtue of public international law, the GDPR will apply even though the ship is in international waters.[18]
Interaction with national laws
The GDPR is not an isolated law. In many ways controllers, processors and data subjects are also subject to various other national, EU or even international laws.
Opening clauses under the GDPR
The GDPR sometimes provides for national 'opening clauses', so that Member States can regulate certain - especially sensitive - aspects of data processing nationally. For example, matters of freedom of speech, data processing in the employment context, or freedom of information are left to the Member States in Articles 85 to 91 GDPR. Equally, the Member States can implement restrictions on the rights under various Articles, if these restrictions are in the public interest of the Member State (Article 23 GDPR).
Despite early criticism, the GDPR does not regulate the territorial application of such opening clauses or restrictions, but leaves this to national law itself. For most national laws that make use of a restriction or an opening clause, one has to refer to the territorial scope of the national law, or even to general rules of international law, to determine its application.
For example: The Austrian Data Protection Act ('Datenschutzgesetz') regulates the use of personal data by journalists in § 9 Data Protection Act, as made possible by the opening clause in Article 85 GDPR. The Austrian law does not, however, specify the geographic application of the Data Protection Act. Under Article 49 of the Austrian Constitution, Austrian laws generally apply to the territory of Austria. It is unclear if Austrian journalists can use this privilege when publishing personal data in other Member States, or if journalists of other Member States have to follow the law of Austria if their journalistic activity expands to the territory of Austria.
Similar examples can be found in many situations where opening clauses are used in cross-border contexts; these require additional research on the territorial application of the national laws that use such opening clauses.
References to national law
A similar issue occurs when the GDPR simply refers to applicable national law as a preliminary question under a GDPR provision. In some situations where the GDPR refers to national law, such as contract law in Article 6(1)(b) GDPR, there are existing EU law provisions, like the Rome-I-Regulation (EC) No 593/2008 on the law applicable to contractual obligations.
For example: A controller is located in Germany, the data subject is a consumer and located in Spain. Under EU regulations, Spanish law provisions for consumer protection apply. To determine if processing is necessary for a specific contract under Article 6(1)(b) GDPR, the controller has to determine if the contract it has formed with the consumer is even valid under Spanish consumer protection law.
Equally, you would have to consider applicable Member State law to determine if any processing of personal data is 'necessary' to comply with such an obligation under Article 6(1)(c) or (e) GDPR. Usually provisions in national law, EU law, or international law regulate the scope of such laws.
For example: A controller is located in Member State A for tax reasons, but has subsidiaries with workers in Member States B and C. The controller may have to apply the income tax of Member State A, but also the employment tax law as well as the worker protection laws of A, B and C. Different processing of personal data may be 'necessary' depending on the legal requirements in each Member State.
Decisions
→ You can find all related decisions in Category:Article 3 GDPR
References
- ↑ EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 4 (available here).
- ↑ EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 6 (available here).
- ↑ EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 6 (available here).
- ↑ CJEU, Case C-230/14, Weltimmo, 1 October 2015, margin number 31 (available here).
- ↑ EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 7 (available here).
- ↑ CJEU, Case C-191/15, Verein für Konsumenteninformation, 28 July 2016, margin number 76 (available here).
- ↑ Klar, in Kühling/Buchner, DS-GVO BDSG, Article 3 GDPR, margin number 46 (C.H. Beck 2020, 3rd Edition).
- ↑ 8.0 8.1 CJEU, Case C-131/12, Google Spain, 13 May 2014 (available here).
- ↑ CJEU, Case C-230/14, Weltimmo, 1 October 2015, margin number 31 (available here).
- ↑ EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 6 (available here).
- ↑ EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 6-7 (available here).
- ↑ EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), pp. 14-15 (available here). This is also confirmed by Recital 23 GDPR, which states that “in order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.”
- ↑ E.g. CJEU, Case C-7/68, Commission v Italy, 10 December 1968 (available here); CJEU, Case C-50/80, Horvath, 5 February 1981 (available here); CJEU, Case C-421/09, Humanplasma, 9 December 2010 (available here).
- ↑ CJEU, Case C-263/86, Humbel and Edel, 27 September 1988 (available here).
- ↑ Article 1(1)(b) Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (available here).
- ↑ EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 16 (available here) referring to Article 1(1)(b) Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (available here).
- ↑ EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 19 (available here).
- ↑ EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 19 (available here).