Article 3 GDPR: Difference between revisions

From GDPRhub
(9 intermediate revisions by 4 users not shown)
Line 185: Line 185:


==Legal Text==
==Legal Text==
<center>'''Article 3 - Territorial scope'''</center><span id="1">1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.</span>
<br /><center>'''Article 3 - Territorial scope'''</center>
 
<span id="1">1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.</span>


<span id="2">2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:</span>
<span id="2">2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:</span>
Line 194: Line 196:


<span id="3">3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.</span>
<span id="3">3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.</span>
<br />


==Relevant Recitals==
==Relevant Recitals==
{{Recital/14 GDPR}}{{Recital/22 GDPR}}{{Recital/23 GDPR}}{{Recital/24 GDPR}}{{Recital/25 GDPR}}{{Recital/80 GDPR}}{{Recital/122 GDPR}}
{{Recital/14 GDPR}}{{Recital/22 GDPR}}{{Recital/23 GDPR}}{{Recital/24 GDPR}}{{Recital/25 GDPR}}{{Recital/80 GDPR}}{{Recital/122 GDPR}}


==Commentary on Article 3==
==Commentary==
The first two paragraphs of Article 3 GDPR define the territorial scope of the Regulation on the basis of two main criteria: the “''establishment''” of a controller or a processor in the Union and the “''targeting''” of data subjects located in the EU. Where one of these two criteria is met, the relevant provisions of the GDPR will apply to the processing of personal data. The third paragraph confirms the application of the GDPR to processing activities to which “''Member State law applies by virtue of public international law''”.<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 4 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref>


===(1) Controller or Processor Established in the Union ===
=== (1) Controller or Processor Established in the Union ===
Article 3 of the GDPR defines the territorial scope of the Regulation on the basis of two main criteria: the “establishment” criterion, as per Article 3(1), and the “targeting” criterion as per Article 3(2). Where one of these two criteria is met, the relevant provisions of the GDPR will apply to relevant processing of personal data by the controller or processor concerned. In addition, Article 3(3) confirms the application of the GDPR to the processing where Member State law applies by virtue of public international law.<ref>European Data Protection Board (EDPB) Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), Version 2.1, adopted on 12 November 2019. As last modified and adopted on 7 January 2020, p. 4 (accessed 21.9.21)</ref>
The GDPR does not provide a definition of “''establishment''” for the purpose of Article 3.  


==== Establishment in the Union ====
==== Establishment in the Union ====
Recital 22 states that the “[e]''stablishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect''”.<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 6 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref>


While the notion of “''main establishment''is defined in Article 4(16), the GDPR does not provide a definition of “''establishment''” for the purpose of Article 3. Recital 22 states that the “''[e]stablishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect''.
According to the European Data Protection Board, "[t]''his wording is identical to that found in Recital 19 of Directive 95/46/EC, to which reference has been made in several CJEU rulings broadening the interpretation of the term “establishment”, departing from a formalistic approach whereby undertakings are established solely in the place where they are registered''".<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 6 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref> In particular, in ''Weltimmo'' the CJEU extended the definition of establishment “''to any real and effective activity — even a minimal one — exercised through stable arrangements''”.<ref>CJEU, Case C-230/14, ,''Weltimmo'', 1 October 2015, margin number 31 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=168944&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=91583 here]).</ref>


According to the EDPB, "''This wording is identical to that found in Recital 19 of Directive 95/46/EC, to which reference has been made in several CJEU rulings broadening the interpretation of the term “establishment”, departing from a formalistic approach whereby undertakings are established solely in the place where they are registered''".<ref>European Data Protection Board (EDPB) Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), Version 2.1, adopted on 12 November 2019. As last modified and adopted on 7 January 2020, p. 6 (accessed 21.9.21)</ref> In particular, CJEU - C-230/14 - Weltimmo extended the definition of establishment “''to any real and effective activity — even a minimal one — exercised through stable arrangements''”.<ref>CJEU, 1 October 2015, Weltimmo, C-230/14, margin number 31 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=168944&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=91583).</ref>
Particularly interesting in this respect is the ‘Example 1’ given in the aforementioned EDPB guidelines. This example refers to a US car manufacturer with a subsidiary in Belgium which is involved in the supervision of its European activities, including marketing and advertising. In the view of the EDPB, the Belgian subsidiary operates through a "''stable arrangement''" since it carries out activities which are genuine and instrumental to the main economic activity of the US headquarters. As such, it can be seen as an "''establishment''" under the GDPR.  


Particularly interesting in this respect is Example 1 in the above-mentioned EDPB guidelines. This example refers to a US car manufacturer which has a subsidiary in Belgium which is involved in the supervision of its European activities, including marketing and advertising. In the view of the EDPB, the Belgian subsidiary can be considered a "''stable arrangement''" since it carries out activities which are genuine and instrumental to the main economic activity of producing motor vehicles. Consequently, it can be considered as an "''establishment''" of the US company in Europe.
The EDPB pointed out that the threshold for “''stable arrangement''” is quite low, especially in the context of online activities. Indeed, it could be met by the simple presence of a single employee or agent of a non-EU entity in the Union - if that employee or agent acts with a sufficient degree of stability. However, this concept is not "''without limit''" and cannot lead to the conclusion that a “''non-EU entity has an establishment in the Union merely because the undertaking’s website is accessible in the Union''”.<ref>CJEU, Case C-191/15, ''Verein für Konsumenteninformation'', 28 July 2016, margin number 76 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=182286&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=91583 here]).</ref>


The European Data Protection Board pointed out that the threshold for “''stable arrangement''” is quite low, especially in the context of online activities, and could be met with the simple presence of one single employee or agent of a non-EU entity in the Union (if that employee or agent acts with a sufficient degree of stability).<ref>Viceversa, "''when  an  employee  is  based  in  the  EU  but  the processing  is  not  being  carried  out  in  the  context  of  the  activities  of  the  EU-based  employee  in  the Union (i.e. the processing relates to activities of the controller outside the EU), the mere presence of an employee in the EU will not result in that processing falling within the scope of the GDPR''". See, European Data Protection Board (EDPB) Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), Version 2.1, adopted on 12 November 2019. As last modified and adopted on 7 January 2020, p. 6 (accessed 21.9.21)</ref>However, it is nor "''without limit''" and cannot lead to the conclusion that a “''non-EU entity has an establishment in the Union merely because the undertaking’s website is accessible in the Union''”.<ref>CJEU, 28 July 2016, Verein für Konsumenteninformation, C‑191/15, margin number 76 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=182286&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=91583). </ref>
In conclusion, if a controller or processor established outside the Union exercises “''a real and effective activity - even a minimal one''” - through “''stable arrangements'', regardless of its legal form (e.g. subsidiary, branch, office), in the territory of a Member State, this controller or processor can be considered to have an establishment in that Member State.  


If a controller or processor established outside the Union exercises “''a real and effective activity - even a minimal one''” - through “''stable arrangements''”, regardless of its legal form (e.g. subsidiary, branch, office...), in the territory of a Member State, this controller or processor can be considered to have an establishment in that Member State. It is therefore important to consider whether the processing of personal data takes place “''in the context of the activities of''” such an establishment as highlighted in Recital 22.
==== Processing of personal data carried out “''in the context of the activities''” of an establishment in the Union ====
==== Processing of personal data carried out “''in the context of the activities of''” an establishment in the Union ====
Article 3(1) confirms that it is not necessary that the processing in question is carried out “by” the relevant EU establishment itself; the controller or processor will be subject to obligations under the GDPR whenever the processing is carried out “''in the context of the activities''” of its relevant establishment in the Union. What this concept means exactly is to be understood in light of the relevant case law.


In CJEU - C-131/12 - Google Spain the Court determined with regard to Directive 95/46/EC that the activity of a search engine is to be classified as “processing of personal data”. It found that “''inasmuch as the data processing carried out in the context of the activity of a search engine can be distinguished from and is additional to that carried out by publishers of websites and affects the data subject’s fundamental rights additionally, the operator of the search engine as the controller in respect of that processing must ensure, within the framework of its responsibilities, powers and capabilities, that that processing meets the requirements of Directive 95/46, in order that the guarantees laid down by the directive may have full effect''”.<ref>CJEU, 13 May 2014, Google Spain, C‑131/12, margin number 83 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=91583 here]). The Court adopted the same approach for the terms “processing” and “controller” which should be interpreted broadly as to not "''largely deprive the Directive of its effect''” and "''to ensure effective and complete protection of data subjects''.</ref>  
The courts have generally taken a broad interpretation on the matter. In particular, in Wirtschaftsakademie, the CJEU stated (with regard to Directive 95/46/EC) that processing carried out in the context of the activities of the controller’s establishment “''cannot be interpreted restrictively''” and that processing “''does not require that such processing be carried out ‘by’ the establishment concerned itself, but only that it be carried out ‘in the context of the activities of’ the establishment''”.<ref>CJEU, Case C-210/16, ''Wirtschaftsakademie Schleswig-Holstein GmbH'', 5 June 2018, margin numbers 56-57 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=202543&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=91583) here]).</ref> The Weltimmo case confirmed that the concept “''cannot be interpreted restrictively''”.<ref>CJEU, Case C-230/14, ,''Weltimmo'', 1 October 2015, margin number 31 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=168944&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=91583 here]).</ref>


In CJEU - C-230/14 - Weltimmo, the Court stated with regard to Directive 95/46/EC that "''<nowiki/>'in the context of the activities of an establishment’ cannot be interpreted restrictively''".<ref>CJEU, 1 October 2015, Weltimmo, C-230/14, margin number 25 (available here <nowiki>https://curia.europa.eu/juris/document/document.jsf?text=&docid=168944&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=91583</nowiki>).</ref> In CJEU - C-210/16 - Wirtschaftsakademie Schleswig-Holstein, the Court stated with regard to Directive 95/46/EC that processing carried out in the context of the activities of the controller’s establishment “''cannot be interpreted restrictively''” and that processing “''does not require that such processing be carried out ‘by’ the establishment concerned itself, but only that it be carried out ‘in the context of the activities of’ the establishment''”.<ref>CJEU, 5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C‑210/16, margin numbers 56 and 57 (available here <nowiki>https://curia.europa.eu/juris/document/document.jsf?text=&docid=202543&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=91583</nowiki>).</ref>
The EDPB suggests that two factors may help in determining whether processing occurs in the context of an establishment in the Union. The first one is the relationship between the non-EU entity and its local establishment in the Union. If a case-by-case analysis on the facts shows that there is an “''inextricable link''” between the processing of personal data carried out by a non-EU controller or processor and the activities of an EU establishment, EU law will apply to that processing by the non-EU entity, whether or not the EU establishment plays a role in that processing of data. The second factor concerns whether or not the local establishment in the EU contributes to the revenues of the non-EU entity. This may potentially be the case, for example, for any foreign operator with a sales office or some other presence in the EU, even if that office has no role in the actual data processing, in particular where the processing takes place in the context of the sales activity in the EU and the activities of the establishment are aimed at the inhabitants of the Member States in which the establishment is located.<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 6 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref>


At the same time, the EDPB has stated that the requirement "''should not be interpreted too broadly to conclude that the existence of any presence in the EU with even the remotest links to the data processing activities of a non-EU entity will be sufficient to bring this processing within the scope of EU data protection law''".<ref>EDPB, Guidelines 03/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 7.</ref> The EDPB suggests that (i) the relationship between a data controller or processor outside the Union and its local establishment in the Union and (ii) revenue raising in the Union by a local establishment may help in determining whether processing by a non-EU entity occurs in the context of its establishment in the Union.<ref>EDPB guidelines 3/2018 on the territorial scope of the GDPR, Version 2.1, 12 November 2019, p. 8.</ref>
On several occasions, for instance, the French CNIL found such a requirement in the activities of Google France, the French subsidiary of Google US. The CNIL has noted the auxiliary function of Google France which manages its website “''pour mission d’accompagner les petites et moyennes entreprises en France à travers le développement d’outils de collaboration, de solutions publicitaires ou pour leur donner les clés de compréhension de leurs marchés et de leurs consommateurs”''. The website was deemed to be not a simple showcase, as “''Google France dispose d’une équipe de vente dédiée à la promotion et à la vente des services de GIL à l’égard des annonceurs et des éditeurs basés en France, comme Google Ads''.<ref>CNIL, SAN-2020-012, § 44 (available [https://www.cnil.fr/sites/default/files/atoms/files/deliberation_of_restricted_committee_san-2020-012_of_7_december_2020_concerning_google_llc_and_google_ireland_limited.pdf here]).</ref> Finally, the CNIL has also found a connection when the French subsidiary provides its (advertising) services “''grâce aux données collectées par le biais des cookies déposés sur les terminaux des internautes''”.<ref>CNIL, SAN-2020-013, § 51 (available [https://www.cnil.fr/sites/default/files/atoms/files/deliberation_of_restricted_committee_san-2020-013_of_7_december_2020_concerning_amazon_europe_core.pdf here]).</ref>


==== Regardless of whether the processing takes place in the Union or not ====
At the same time, the EDPB has stated that this requirement should not be interpreted too broadly to conclude that the existence of any presence in the EU with even the remotest links to the data processing activities of a non-EU entity will be sufficient to bring this processing within the scope of EU data protection law. For example, "''when an employee is based in the EU but the processing is not being carried out in the context of the activities of the EU-based employee in the Union (i.e. the processing relates to activities of the controller outside the EU), the mere presence of an employee in the EU will not result in that processing falling within the scope of the GDPR''".<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019 (Version 2.1), p. 6-7 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref>
The location of the processing itself is irrelevant to determine the geographical scope of Article 3(1) GDPR. As explained by the EDPB, geographical location is only relevant to answer whether a controller or processor is established inside or outside the Union and whether a non-EU controller or processor has an establishment in the Union.<ref>EDPB, Guidelines 03/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 10.</ref>


===(2) Targeting the Union Market===
==== The GDPR applies regardless of whether the processing takes place in the Union or not ====
If the controller or the processor is not established in the Union, the GDPR can be triggered if personal data of data subjects located in the Union is being processed. In light of Recital 14 GDPR and as supported by the EDPB guidelines, targeting criterion is neither limited by residence nor nationality, but covers any natural person located in the Union to the extent that they are subject to processing as described in Article 3(2)(a) and (b).<ref>EDPB, Guidelines 03/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 14.</ref>
The location of the processing itself is irrelevant to determine the geographical scope of Article 3(1) GDPR. As explained by the EDPB, geographical location is only relevant to answer whether a controller or processor is established in- or outside the Union and whether a non-EU controller or processor has an establishment in the Union.
====(a) Offering of Goods or Services====
The concept of "''goods and services''" has been clarified in EU law (such as [https://eur-lex.europa.eu/eli/dir/2006/123/oj Directive 2006/123/EC on services in the internal market]) and case law, ''inter alia'' on the interpretation of [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A12012E%2FTXT Articles 28 to 37 and 56 to 62 TFEU].  


“''Goods''” are products which can be valued in money and which are capable, as such, of forming the subject of commercial and lawful transactions.<ref> E.g. CJEU, 10 December 1968, Commission v Italy, C-7/68 (available here https://curia.europa.eu/juris/showPdf.jsf?text=&docid=87685&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=91583); CJEU, 5 February 1981, Horvath, C-7/68 (available here https://curia.europa.eu/juris/showPdf.jsf?text=&docid=90857&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=91583); CJEU, 9 December 2010, Humanplasma, C‑421/09 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=83855&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=91583).</ref>
If both the controller and/or the processor have an establishment in the European Union and are therefore both subject to the GDPR under Article 3(1), the conclusion is fairly simple: they will both have to adhere to their respective obligations.  However, the situation becomes slightly more complicated if one of the two parties is not subject to the territorial scope of the GDPR (as described above). In this event, there are essentially two cases: (i) a controller subject to the GDPR assigns a part of the processing to a processor not subject to the GDPR and, conversely, (ii) a controller not subject to the GDPR assigns a part of the processing to a processor subject to the GDPR.<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), pp. 10-12 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref>


“''Services''” are activities agreed upon by the provider and the recipient in exchange for, typically, remuneration.<ref> E.g. CJEU, 27 September 1988, Humbel and Edel, C-263/86 (available here https://curia.europa.eu/juris/showPdf.jsf?text=&docid=94935&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=91583).</ref> In addition, the service provider must be independent and pursue its activity on a stable and continuous basis.<ref> E.g. CJEU, 30 November 1995, Gebhard, C-55/94 (available here https://curia.europa.eu/juris/showPdf.jsf?text=&docid=99599&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=91583).</ref> This definition includes “''any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services'',<ref>[https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=CELEX%3A32015L1535U Article 1(1)(b) of Directive 2015/1535/EU].</ref> as also supported by the EDPB.<ref>EDPB, Guidelines 03/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 16 referring to [https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=CELEX%3A32015L1535U Directive (EU) 2015/1535] of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services.</ref>  
In the first case, (i), the controller subject to the GDPR must ensure that the conditions set out in Article 28 GDPR are met. In particular, the processor has to ensure that its actions comply with the requirements of the GDPR. In addition, the controller must only proceed with the assignment after having the processor accept a contract that allows him to monitor the performance of the processor, as stipulated in Article 28(3) GDPR. In other words, [t]''he processor located outside the Union will therefore become indirectly subject to some obligations imposed by controllers subject to the GDPR by virtue of contractual arrangements under Article 28. Moreover, provisions of Chapter V of the GDPR may apply''". In the second case, (ii), the controller will not become subject to the GDPR simply because it chooses to use a processor who is. According to the EDPB, the activities of the processor are not “inextricably linked” with those of the controller. Consequently, the use of a processor territorially subject to the GDPR does not lead to the application of the GDPR to the controller.<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019 (Version 2.1), p. 12 (available [https://gdprhub.eu/EDPB,%20%E2%80%98Guidelines%203/2018%20on%20the%20territorial%20scope%20of%20the%20GDPR%20(Article%203)%E2%80%99,%2012%20November%202019%20(Version%202.1),%20p.%2010%20(available%20here). here]).</ref>


The processing is covered "''irrespective of whether a payment of the data subject is required''".  
=== (2) Targeting the Union Market ===
If the controller or the processor is not established in the EU, the GDPR can nonetheless be triggered if personal data of individuals located in the Union are being processed. In light of Recital 14 GDPR and the EDPB guidelines, the targeting criterion covers any natural person located in the Union to the extent that they are subject to processing as described in Article 3(2)(a) and (b) GDPR. In other words, the protection is neither limited by residence nor nationality. The requirement that the data subject be located in the Union must be assessed at the moment in time when the relevant trigger activity takes place, such as the moment when goods or services are offered, or the moment when the behavior of the data subject is being monitored (letters (a) and (b) below). The processing activities related to data subjects in the Union must have taken place intentionally, rather than inadvertently or incidentally.<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), pp. 14-15 (available here). This is also confirmed by Recital 23 GDPR, which states that “''in order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union''.”</ref>


====(b) The Monitoring of Data Subjects' Behaviour====
==== (a) Offering of Goods or Services ====
Processing related to the monitoring of the behaviour of data subject is not defined in the GDPR. Recital 24 GDPR clarifies that <blockquote>“''[i]n order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.''”</blockquote>
The concept of "''goods and services''" has been clarified in EU law (e.g. [https://eur-lex.europa.eu/eli/dir/2006/123/oj Directive 2006/123/EC on services in the internal market]) and case law, ''inter alia'' on the interpretation of [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A12012E%2FTXT Articles 28 to 37 and 56 to 62 TFEU]. “''Goods''” are products which can be valued in money and which are capable, as such, of forming the subject of commercial and lawful transactions.<ref>E.g. CJEU, Case C-7/68, ''Commission v Italy'', 10 December 1968 (available [https://curia.europa.eu/juris/showPdf.jsf?text=&docid=87685&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=91583) here]); CJEU, Case C-50/80, ''Horvath'', 5 February 1981 (available [https://curia.europa.eu/juris/showPdf.jsf?text=&docid=90857&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=91583 here]); CJEU, Case C-421/09, ''Humanplasma'', 9 December 2010 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=83855&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=91583 here]).</ref> “''Services''” are activities developed by the provider and directed to a recipient, typically for remuneration.<ref>CJEU, Case C-263/86, ''Humbel and Edel'', 27 September 1988 (available [https://curia.europa.eu/juris/showPdf.jsf?text=&docid=94935&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=91583 here]).</ref> This includes “''any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services''”,<ref>Article 1(1)(b) Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32015L1535 here]).</ref> as also supported by the EDPB.<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 16 (available here) referring to Article 1(1)(b) Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref>


===(3) The Public International Law Criterion===
Recital 23 GDPR confirms that the mere act of visiting a controller’s or processor’s website is not in itself sufficient to prove intention to offer goods or services. This was also confirmed in the ''Verein für Konsumenteninformation'' decision, where the CJEU held that merely being able to access a website in a Member State is not enough to lead to an "establishment" of the controller or processor in that Member State.<ref>CJEU, Case C-191/15, ''Verein für Konsumenteninformation'', 28 July 2016, margin number 76 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=182286&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=91583 here]).</ref> Therefore, there must be more engagement between the data subject and the controller or processor for the requirement of offering "goods and services" to be fulfilled. The processing is covered "''irrespective of whether a payment of the data subject is required''".


The GDPR applies to the processing of personal data by a controller not established in the Union if the Member State’s legislation applies by virtue of public international law.
==== (b) The Monitoring of Data Subjects' Behaviour ====
The monitoring of data subjects’ behaviour is not defined in the GDPR. Recital 24 GDPR nevertheless clarifies that “[i]''n order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.''” The EDPB has expanded the scope of this to include not only tracking of a person on the internet, but also tracking through other kinds of network or technologies which involve personal data processing, so for instance, tracking through the use of wearables or smart devices.<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 19 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref>


Recital 25 GDPR gives the example of processing taking place in a “''Member State’s diplomatic mission or consular post''”. The EDPB gives as a further example the case of a German cruise ship traveling in international waters. By virtue of public international law, the GDPR will apply even though the ship is in international waters.<ref>EDPB, Guidelines 03/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 23.</ref>
=== (3) The Public International Law Criterion ===
The GDPR applies to the processing of personal data by a controller not established in the Union if the Member State’s legislation applies by virtue of public international law. Recital 25 GDPR gives the example of processing taking place in a “''Member State’s diplomatic mission or consular post''”. The EDPB gives as a further example the case of a German cruise ship travelling in international waters. By virtue of public international law, the GDPR will apply even though the ship is in international waters.<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019 (Version 2.1), p. 19 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref>


==Decisions==
==Decisions==

Revision as of 09:34, 22 April 2022

Article 3: Territorial scope
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 3 - Territorial scope

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Relevant Recitals

Recital 14: Not Applicable to Legal Persons
The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.

Recital 22: Processing Activities by an Establishment
Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.

Recital 23: Applicable if Targeting EU Data Subjects
In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.

Recital 24: Applicable if Monitoring EU Data Subjects
The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

Recital 25: Applicable When Member State Law is Applicable
Where Member State law applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.

Recital 80: Designated Representative
Where a controller or a processor not established in the Union is processing personal data of data subjects who are in the Union whose processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or to the monitoring of their behaviour as far as their behaviour takes place within the Union, the controller or the processor should designate a representative, unless the processing is occasional, does not include processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing or if the controller is a public authority or body. The representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority. The representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf with regard to its obligations under this Regulation. The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation. Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.

Recital 122: Competence of Supervisory Authorities
Each supervisory authority should be competent on the territory of its own Member State to exercise the powers and to perform the tasks conferred on it in accordance with this Regulation. This should cover in particular the processing in the context of the activities of an establishment of the controller or processor on the territory of its own Member State, the processing of personal data carried out by public authorities or private bodies acting in the public interest, processing affecting data subjects on its territory or processing carried out by a controller or processor not established in the Union when targeting data subjects residing on its territory. This should include handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data.

Commentary

The first two paragraphs of Article 3 GDPR define the territorial scope of the Regulation on the basis of two main criteria: the “establishment” of a controller or a processor in the Union and the “targeting” of data subjects located in the EU. Where one of these two criteria is met, the relevant provisions of the GDPR will apply to the processing of personal data. The third paragraph confirms the application of the GDPR to processing activities to which “Member State law applies by virtue of public international law”.[1]

(1) Controller or Processor Established in the Union

The GDPR does not provide a definition of “establishment” for the purpose of Article 3.

Establishment in the Union

Recital 22 states that the “[e]stablishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect”.[2]

According to the European Data Protection Board, "[t]his wording is identical to that found in Recital 19 of Directive 95/46/EC, to which reference has been made in several CJEU rulings broadening the interpretation of the term “establishment”, departing from a formalistic approach whereby undertakings are established solely in the place where they are registered".[3] In particular, in Weltimmo the CJEU extended the definition of establishment “to any real and effective activity — even a minimal one — exercised through stable arrangements”.[4]

Particularly interesting in this respect is the ‘Example 1’ given in the aforementioned EDPB guidelines. This example refers to a US car manufacturer with a subsidiary in Belgium which is involved in the supervision of its European activities, including marketing and advertising. In the view of the EDPB, the Belgian subsidiary operates through a "stable arrangement" since it carries out activities which are genuine and instrumental to the main economic activity of the US headquarters. As such, it can be seen as an "establishment" under the GDPR.

The EDPB pointed out that the threshold for “stable arrangement” is quite low, especially in the context of online activities. Indeed, it could be met by the simple presence of a single employee or agent of a non-EU entity in the Union - if that employee or agent acts with a sufficient degree of stability. However, this concept is not "without limit" and cannot lead to the conclusion that a “non-EU entity has an establishment in the Union merely because the undertaking’s website is accessible in the Union”.[5]

In conclusion, if a controller or processor established outside the Union exercises “a real and effective activity - even a minimal one” - through “stable arrangements”, regardless of its legal form (e.g. subsidiary, branch, office), in the territory of a Member State, this controller or processor can be considered to have an establishment in that Member State.

Processing of personal data carried out “in the context of the activities” of an establishment in the Union

Article 3(1) confirms that it is not necessary that the processing in question is carried out “by” the relevant EU establishment itself; the controller or processor will be subject to obligations under the GDPR whenever the processing is carried out “in the context of the activities” of its relevant establishment in the Union. What this concept means exactly is to be understood in light of the relevant case law.

The courts have generally taken a broad interpretation on the matter. In particular, in Wirtschaftsakademie, the CJEU stated (with regard to Directive 95/46/EC) that processing carried out in the context of the activities of the controller’s establishment “cannot be interpreted restrictively” and that processing “does not require that such processing be carried out ‘by’ the establishment concerned itself, but only that it be carried out ‘in the context of the activities of’ the establishment”.[6] The Weltimmo case confirmed that the concept “cannot be interpreted restrictively”.[7]

The EDPB suggests that two factors may help in determining whether processing occurs in the context of an establishment in the Union. The first one is the relationship between the non-EU entity and its local establishment in the Union. If a case-by-case analysis on the facts shows that there is an “inextricable link” between the processing of personal data carried out by a non-EU controller or processor and the activities of an EU establishment, EU law will apply to that processing by the non-EU entity, whether or not the EU establishment plays a role in that processing of data. The second factor concerns whether or not the local establishment in the EU contributes to the revenues of the non-EU entity. This may potentially be the case, for example, for any foreign operator with a sales office or some other presence in the EU, even if that office has no role in the actual data processing, in particular where the processing takes place in the context of the sales activity in the EU and the activities of the establishment are aimed at the inhabitants of the Member States in which the establishment is located.[8]

On several occasions, for instance, the French CNIL found such a requirement in the activities of Google France, the French subsidiary of Google US. The CNIL has noted the auxiliary function of Google France which manages its website “pour mission d’accompagner les petites et moyennes entreprises en France à travers le développement d’outils de collaboration, de solutions publicitaires ou pour leur donner les clés de compréhension de leurs marchés et de leurs consommateurs”. The website was deemed to be not a simple showcase, as “Google France dispose d’une équipe de vente dédiée à la promotion et à la vente des services de GIL à l’égard des annonceurs et des éditeurs basés en France, comme Google Ads”.[9] Finally, the CNIL has also found a connection when the French subsidiary provides its (advertising) services “grâce aux données collectées par le biais des cookies déposés sur les terminaux des internautes”.[10]

At the same time, the EDPB has stated that this requirement should not be interpreted too broadly to conclude that the existence of any presence in the EU with even the remotest links to the data processing activities of a non-EU entity will be sufficient to bring this processing within the scope of EU data protection law. For example, "when an employee is based in the EU but the processing is not being carried out in the context of the activities of the EU-based employee in the Union (i.e. the processing relates to activities of the controller outside the EU), the mere presence of an employee in the EU will not result in that processing falling within the scope of the GDPR".[11]

The GDPR applies regardless of whether the processing takes place in the Union or not

The location of the processing itself is irrelevant to determine the geographical scope of Article 3(1) GDPR. As explained by the EDPB, geographical location is only relevant to answer whether a controller or processor is established in- or outside the Union and whether a non-EU controller or processor has an establishment in the Union.

If both the controller and/or the processor have an establishment in the European Union and are therefore both subject to the GDPR under Article 3(1), the conclusion is fairly simple: they will both have to adhere to their respective obligations. However, the situation becomes slightly more complicated if one of the two parties is not subject to the territorial scope of the GDPR (as described above). In this event, there are essentially two cases: (i) a controller subject to the GDPR assigns a part of the processing to a processor not subject to the GDPR and, conversely, (ii) a controller not subject to the GDPR assigns a part of the processing to a processor subject to the GDPR.[12]

In the first case, (i), the controller subject to the GDPR must ensure that the conditions set out in Article 28 GDPR are met. In particular, the processor has to ensure that its actions comply with the requirements of the GDPR. In addition, the controller must only proceed with the assignment after having the processor accept a contract that allows him to monitor the performance of the processor, as stipulated in Article 28(3) GDPR. In other words, “[t]he processor located outside the Union will therefore become indirectly subject to some obligations imposed by controllers subject to the GDPR by virtue of contractual arrangements under Article 28. Moreover, provisions of Chapter V of the GDPR may apply". In the second case, (ii), the controller will not become subject to the GDPR simply because it chooses to use a processor who is. According to the EDPB, the activities of the processor are not “inextricably linked” with those of the controller. Consequently, the use of a processor territorially subject to the GDPR does not lead to the application of the GDPR to the controller.[13]

(2) Targeting the Union Market

If the controller or the processor is not established in the EU, the GDPR can nonetheless be triggered if personal data of individuals located in the Union are being processed. In light of Recital 14 GDPR and the EDPB guidelines, the targeting criterion covers any natural person located in the Union to the extent that they are subject to processing as described in Article 3(2)(a) and (b) GDPR. In other words, the protection is neither limited by residence nor nationality. The requirement that the data subject be located in the Union must be assessed at the moment in time when the relevant trigger activity takes place, such as the moment when goods or services are offered, or the moment when the behavior of the data subject is being monitored (letters (a) and (b) below). The processing activities related to data subjects in the Union must have taken place intentionally, rather than inadvertently or incidentally.[14]

(a) Offering of Goods or Services

The concept of "goods and services" has been clarified in EU law (e.g. Directive 2006/123/EC on services in the internal market) and case law, inter alia on the interpretation of Articles 28 to 37 and 56 to 62 TFEU. “Goods” are products which can be valued in money and which are capable, as such, of forming the subject of commercial and lawful transactions.[15]Services” are activities developed by the provider and directed to a recipient, typically for remuneration.[16] This includes “any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”,[17] as also supported by the EDPB.[18]

Recital 23 GDPR confirms that the mere act of visiting a controller’s or processor’s website is not in itself sufficient to prove intention to offer goods or services. This was also confirmed in the Verein für Konsumenteninformation decision, where the CJEU held that merely being able to access a website in a Member State is not enough to lead to an "establishment" of the controller or processor in that Member State.[19] Therefore, there must be more engagement between the data subject and the controller or processor for the requirement of offering "goods and services" to be fulfilled. The processing is covered "irrespective of whether a payment of the data subject is required".

(b) The Monitoring of Data Subjects' Behaviour

The monitoring of data subjects’ behaviour is not defined in the GDPR. Recital 24 GDPR nevertheless clarifies that “[i]n order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.” The EDPB has expanded the scope of this to include not only tracking of a person on the internet, but also tracking through other kinds of network or technologies which involve personal data processing, so for instance, tracking through the use of wearables or smart devices.[20]

(3) The Public International Law Criterion

The GDPR applies to the processing of personal data by a controller not established in the Union if the Member State’s legislation applies by virtue of public international law. Recital 25 GDPR gives the example of processing taking place in a “Member State’s diplomatic mission or consular post”. The EDPB gives as a further example the case of a German cruise ship travelling in international waters. By virtue of public international law, the GDPR will apply even though the ship is in international waters.[21]

Decisions

→ You can find all related decisions in Category:Article 3 GDPR

References

  1. EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 4 (available here).
  2. EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 6 (available here).
  3. EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 6 (available here).
  4. CJEU, Case C-230/14, ,Weltimmo, 1 October 2015, margin number 31 (available here).
  5. CJEU, Case C-191/15, Verein für Konsumenteninformation, 28 July 2016, margin number 76 (available here).
  6. CJEU, Case C-210/16, Wirtschaftsakademie Schleswig-Holstein GmbH, 5 June 2018, margin numbers 56-57 (available here).
  7. CJEU, Case C-230/14, ,Weltimmo, 1 October 2015, margin number 31 (available here).
  8. EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 6 (available here).
  9. CNIL, SAN-2020-012, § 44 (available here).
  10. CNIL, SAN-2020-013, § 51 (available here).
  11. EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 6-7 (available here).
  12. EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), pp. 10-12 (available here).
  13. EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 12 (available here).
  14. EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), pp. 14-15 (available here). This is also confirmed by Recital 23 GDPR, which states that “in order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.”
  15. E.g. CJEU, Case C-7/68, Commission v Italy, 10 December 1968 (available here); CJEU, Case C-50/80, Horvath, 5 February 1981 (available here); CJEU, Case C-421/09, Humanplasma, 9 December 2010 (available here).
  16. CJEU, Case C-263/86, Humbel and Edel, 27 September 1988 (available here).
  17. Article 1(1)(b) Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (available here).
  18. EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 16 (available here) referring to Article 1(1)(b) Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (available here).
  19. CJEU, Case C-191/15, Verein für Konsumenteninformation, 28 July 2016, margin number 76 (available here).
  20. EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 19 (available here).
  21. EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 19 (available here).