Article 3 GDPR: Difference between revisions
Line 203: | Line 203: | ||
===(1) Controller or Processor Established in the Union === | ===(1) Controller or Processor Established in the Union === | ||
The GDPR does not define the term "establishment." Recital 22 states that: <blockquote>“''[e]stablishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect''”. </blockquote>This very closely resembles the | The GDPR does not define the term "establishment." Recital 22 states that: <blockquote>“''[e]stablishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect''”. </blockquote>This very closely resembles the CJEU - C-230/14 - Weltimmo case, according to which an establishment extends “''to any real and effective activity — even a minimal one — exercised through stable arrangements''”.<ref>CJEU, 1 October 2015, Weltimmo, C-230/14, margin number 31 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=168944&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=91583).</ref> In its guidelines, the EDPB reminded that the wording was not new as it was identical to Recital 19 of [https://eur-lex.europa.eu/eli/dir/1995/46/oj Directive 95/46/EC].<ref>EDPB, Guidelines 03/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 8. | ||
</ref> It also pointed out that although the threshold for “stable arrangement” is quite low in the context of online activities and that the notion of “establishment” is broad, it cannot lead to the conclusion that a “''non-EU entity has an establishment in the Union merely because the undertaking’s website is accessible in the Union''”.<ref>CJEU, 28 July 2016, Verein für Konsumenteninformation, C‑191/15, margin number 76 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=182286&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=91583). </ref> | </ref> It also pointed out that although the threshold for “stable arrangement” is quite low in the context of online activities and that the notion of “establishment” is broad, it cannot lead to the conclusion that a “''non-EU entity has an establishment in the Union merely because the undertaking’s website is accessible in the Union''”.<ref>CJEU, 28 July 2016, Verein für Konsumenteninformation, C‑191/15, margin number 76 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=182286&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=91583). </ref> | ||
Line 209: | Line 209: | ||
The meaning of “''in the context of the activities''” has to be interpreted broadly, as confirmed by judgments of the CJEU: | The meaning of “''in the context of the activities''” has to be interpreted broadly, as confirmed by judgments of the CJEU: | ||
In | In CJEU - C-131/12 - Google Spain the Court determined with regard to Directive 95/46/EC that the activity of a search engine is to be classified as “processing of personal data”. It found that <blockquote>“''inasmuch as the data processing carried out in the context of the activity of a search engine can be distinguished from and is additional to that carried out by publishers of websites and affects the data subject’s fundamental rights additionally, the operator of the search engine as the controller in respect of that processing must ensure, within the framework of its responsibilities, powers and capabilities, that that processing meets the requirements of Directive 95/46, in order that the guarantees laid down by the directive may have full effect''”.<ref>CJEU, 13 May 2014, Google Spain, C‑131/12, margin number 83 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=91583).</ref></blockquote>The Court explained that both terms “processing” and “controller” must be interpreted broadly as to not "''largely deprive the Directive of its effect''” and "''to ensure effective and complete protection of data subjects''”.<ref>CJEU, 13 May 2014, Google Spain, C‑131/12, margin numbers 30 and 34 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=91583).</ref> | ||
In | In CJEU - C-230/14 - Weltimmo, the Court stated with regard to Directive 95/46/EC that "''<nowiki/>'in the context of the activities of an establishment’ cannot be interpreted restrictively''".<ref>CJEU, 1 October 2015, Weltimmo, C-230/14, margin number 25 (available here <nowiki>https://curia.europa.eu/juris/document/document.jsf?text=&docid=168944&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=91583</nowiki>).</ref> | ||
In | In CJEU - C-210/16 - Wirtschaftsakademie Schleswig-Holstein, the Court stated with regard to Directive 95/46/EC that processing carried out in the context of the activities of the controller’s establishment “''cannot be interpreted restrictively''” and that processing “''does not require that such processing be carried out ‘by’ the establishment concerned itself, but only that it be carried out ‘in the context of the activities of’ the establishment''”.<ref>CJEU, 5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C‑210/16, margin numbers 56 and 57 (available here <nowiki>https://curia.europa.eu/juris/document/document.jsf?text=&docid=202543&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=91583</nowiki>).</ref> | ||
At the same time, the EDPB has stated that the requirement "''should not be interpreted too broadly to conclude that the existence of any presence in the EU with even the remotest links to the data processing activities of a non-EU entity will be sufficient to bring this processing within the scope of EU data protection law''".<ref>EDPB, Guidelines 03/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 7.</ref> The EDPB suggests that (i) the relationship between a data controller or processor outside the Union and its local establishment in the Union and (ii) revenue raising in the Union by a local establishment may help in determining whether processing by a non-EU entity occurs in the context of its establishment in the Union.<ref>EDPB guidelines 3/2018 on the territorial scope of the GDPR, Version 2.1, 12 November 2019, p. 8.</ref> | At the same time, the EDPB has stated that the requirement "''should not be interpreted too broadly to conclude that the existence of any presence in the EU with even the remotest links to the data processing activities of a non-EU entity will be sufficient to bring this processing within the scope of EU data protection law''".<ref>EDPB, Guidelines 03/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 7.</ref> The EDPB suggests that (i) the relationship between a data controller or processor outside the Union and its local establishment in the Union and (ii) revenue raising in the Union by a local establishment may help in determining whether processing by a non-EU entity occurs in the context of its establishment in the Union.<ref>EDPB guidelines 3/2018 on the territorial scope of the GDPR, Version 2.1, 12 November 2019, p. 8.</ref> |
Revision as of 12:48, 15 September 2021
Legal Text
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Relevant Recitals
Commentary on Article 3
(1) Controller or Processor Established in the Union
The GDPR does not define the term "establishment." Recital 22 states that:
“[e]stablishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect”.
This very closely resembles the CJEU - C-230/14 - Weltimmo case, according to which an establishment extends “to any real and effective activity — even a minimal one — exercised through stable arrangements”.[1] In its guidelines, the EDPB reminded that the wording was not new as it was identical to Recital 19 of Directive 95/46/EC.[2] It also pointed out that although the threshold for “stable arrangement” is quite low in the context of online activities and that the notion of “establishment” is broad, it cannot lead to the conclusion that a “non-EU entity has an establishment in the Union merely because the undertaking’s website is accessible in the Union”.[3]
The meaning of “in the context of the activities” has to be interpreted broadly, as confirmed by judgments of the CJEU:
In CJEU - C-131/12 - Google Spain the Court determined with regard to Directive 95/46/EC that the activity of a search engine is to be classified as “processing of personal data”. It found that
“inasmuch as the data processing carried out in the context of the activity of a search engine can be distinguished from and is additional to that carried out by publishers of websites and affects the data subject’s fundamental rights additionally, the operator of the search engine as the controller in respect of that processing must ensure, within the framework of its responsibilities, powers and capabilities, that that processing meets the requirements of Directive 95/46, in order that the guarantees laid down by the directive may have full effect”.[4]
The Court explained that both terms “processing” and “controller” must be interpreted broadly as to not "largely deprive the Directive of its effect” and "to ensure effective and complete protection of data subjects”.[5]
In CJEU - C-230/14 - Weltimmo, the Court stated with regard to Directive 95/46/EC that "'in the context of the activities of an establishment’ cannot be interpreted restrictively".[6]
In CJEU - C-210/16 - Wirtschaftsakademie Schleswig-Holstein, the Court stated with regard to Directive 95/46/EC that processing carried out in the context of the activities of the controller’s establishment “cannot be interpreted restrictively” and that processing “does not require that such processing be carried out ‘by’ the establishment concerned itself, but only that it be carried out ‘in the context of the activities of’ the establishment”.[7]
At the same time, the EDPB has stated that the requirement "should not be interpreted too broadly to conclude that the existence of any presence in the EU with even the remotest links to the data processing activities of a non-EU entity will be sufficient to bring this processing within the scope of EU data protection law".[8] The EDPB suggests that (i) the relationship between a data controller or processor outside the Union and its local establishment in the Union and (ii) revenue raising in the Union by a local establishment may help in determining whether processing by a non-EU entity occurs in the context of its establishment in the Union.[9]
The location of the processing itself is irrelevant to determine the geographical scope of Article 3(1) GDPR. As explained by the EDPB, geographical location is only relevant to answer whether a controller or processor is established inside or outside the Union and whether a non-EU controller or processor has an establishment in the Union.[10]
(2) Targeting the Union Market
If the controller or the processor is not established in the Union, the GDPR can be triggered if personal data of data subjects located in the Union is being processed. In light of Recital 14 GDPR and as supported by the EDPB guidelines, targeting criterion is neither limited by residence nor nationality, but covers any natural person located in the Union to the extent that they are subject to processing as described in Article 3(2)(a) and (b).[11]
(a) Offering of Goods or Services
The concept of "goods and services" has been clarified in EU law (such as Directive 2006/123/EC on services in the internal market) and case law, inter alia on the interpretation of Articles 28 to 37 and 56 to 62 TFEU.
“Goods” are products which can be valued in money and which are capable, as such, of forming the subject of commercial and lawful transactions.[12]
“Services” are activities agreed upon by the provider and the recipient in exchange for, typically, remuneration.[13] In addition, the service provider must be independent and pursue its activity on a stable and continuous basis.[14] This definition includes “any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”,[15] as also supported by the EDPB.[16]
The processing is covered "irrespective of whether a payment of the data subject is required".
(b) The Monitoring of Data Subjects' Behaviour
Processing related to the monitoring of the behaviour of data subject is not defined in the GDPR. Recital 24 GDPR clarifies that
“[i]n order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”
(3) The Public International Law Criterion
The GDPR applies to the processing of personal data by a controller not established in the Union if the Member State’s legislation applies by virtue of public international law.
Recital 25 GDPR gives the example of processing taking place in a “Member State’s diplomatic mission or consular post”. The EDPB gives as a further example the case of a German cruise ship traveling in international waters. By virtue of public international law, the GDPR will apply even though the ship is in international waters.[17]
Decisions
→ You can find all related decisions in Category:Article 3 GDPR
References
- ↑ CJEU, 1 October 2015, Weltimmo, C-230/14, margin number 31 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=168944&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=91583).
- ↑ EDPB, Guidelines 03/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 8.
- ↑ CJEU, 28 July 2016, Verein für Konsumenteninformation, C‑191/15, margin number 76 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=182286&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=91583).
- ↑ CJEU, 13 May 2014, Google Spain, C‑131/12, margin number 83 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=91583).
- ↑ CJEU, 13 May 2014, Google Spain, C‑131/12, margin numbers 30 and 34 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=91583).
- ↑ CJEU, 1 October 2015, Weltimmo, C-230/14, margin number 25 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=168944&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=91583).
- ↑ CJEU, 5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C‑210/16, margin numbers 56 and 57 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=202543&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=91583).
- ↑ EDPB, Guidelines 03/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 7.
- ↑ EDPB guidelines 3/2018 on the territorial scope of the GDPR, Version 2.1, 12 November 2019, p. 8.
- ↑ EDPB, Guidelines 03/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 10.
- ↑ EDPB, Guidelines 03/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 14.
- ↑ E.g. CJEU, 10 December 1968, Commission v Italy, C-7/68 (available here https://curia.europa.eu/juris/showPdf.jsf?text=&docid=87685&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=91583); CJEU, 5 February 1981, Horvath, C-7/68 (available here https://curia.europa.eu/juris/showPdf.jsf?text=&docid=90857&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=91583); CJEU, 9 December 2010, Humanplasma, C‑421/09 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=83855&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=91583).
- ↑ E.g. CJEU, 27 September 1988, Humbel and Edel, C-263/86 (available here https://curia.europa.eu/juris/showPdf.jsf?text=&docid=94935&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=91583).
- ↑ E.g. CJEU, 30 November 1995, Gebhard, C-55/94 (available here https://curia.europa.eu/juris/showPdf.jsf?text=&docid=99599&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=91583).
- ↑ Article 1(1)(b) of Directive 2015/1535/EU.
- ↑ EDPB, Guidelines 03/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 16 referring to Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services.
- ↑ EDPB, Guidelines 03/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 23.