PART 1: Does the GDPR apply to your company, even if it is based outside of the EU?
The “Territorial Scope” of Processing Personal Data.
In the light of Brexit, as well as for any other non-EU companies dealing with personal data, many are still asking questions about how the General Data Protection Regulation (GDPR), which became applicable in May 2018, applies to their activities.
The European Data Protection Board (EDPB) has recently published much-awaited guidelines to help answer some of these questions about the scope of the GDPR, and whether businesses might be subject to its rules even if they are not established in an EU Member State. In this first part of our two-part article, we hope to give you a quick overview of the key points published by the EDPB.
Why is this an issue?
Article 3 of the GDPR sets out the territorial scope of the provisions, which is defined on the basis of two main criteria: establishment (Article 3(1)) and targeting (Article 3(2)).
If either of these two criteria is met, the GDPR and all its provisions will apply. The EDPB’s guidelines help you to consider whether particular processing (as a controller or a processor) falls within the scope of the GDPR, and therefore whether the GDPR must be complied with in respect of that processing.
In this first part of our two-part article, we are going to be focusing on the establishment criterion. In part two, we deal with the issue of “targeting”.
The “Establishment” Criterion
If a controller or processor is established in the EU, the GDPR must be followed - regardless of whether the processing actually takes place in the EU (Article 3(1)).
Remember that a controller is the natural or legal person, public authority, agency or other body which determines the purposes and means of processing personal data (Article 4(7)), while a processor is the natural or legal person, public authority, agency or other body which processes the personal data on behalf of the controller (Article 4(8)).
Establishment in the EU
“Establishment” is not a formal concept limited to where a business is registered. Business undertakings carried out in the EU, even if you are based outside of the EU, might render you subject to the GDPR.
If a controller or processor established outside the EU exercises real and effective activities through stable arrangements within a Member State, it is likely that this will constitute an establishment in that Member State.
Even a minimal activity may bring you within the scope of the GDPR, provided it is real and effective and is exercised through stable arrangements.
Whether this is the case will depend on how stable the arrangement is and how effective the activities are, as well as on the nature of the economic activities and the services concerned.
The EDPB explained that the legal format of the business arrangements or set-up - via subsidiaries, branches or offices - is not important.
In the past, the Court of Justice of the European Union (CJEU) has ruled that the activity in the EU can be minimal so long as it is real and effective - which can even include services offered exclusively over the internet! There simply needs to be an exercise of real and effective activities through stable arrangements (i.e., more than temporary or transitional) for your business to be deemed to have an establishment in the EU.
The existence of a relationship between a controller and a processor, where one is established in the EU and the other is not, does not automatically mean the GDPR will apply to both of them. Likewise, if a non-EU entity responsible for data processing does not have a branch or subsidiary in a Member State, this does not mean it cannot be taken to have an establishment under the GDPR. The processing carried out by each entity is assessed separately.
Processing “in the context of the activities of” an establishment
A controller or processor will be subject to the GDPR if the processing of personal data is carried out in the context of the activities of its establishment in the EU, even if the establishment itself does not carry out the processing.
The EDPB has advised that this needs to be considered on a case-by-case basis. While the concept of “in the context of the activities of an establishment” cannot be interpreted restrictively, it should also not be interpreted so broadly as to conclude that any entity outside the EU with remote links to data processing within the EU will automatically be subject to the GDPR.
The EDPB advises non-EU organisations to determine first whether personal data is being processed, and then to identify any potential links between the activity for which the data is being processed and the activities of any presence the organisation has in the EU.
The GDPR can apply to any controller or processor established in the EU regardless of whether the processing takes place within or outside the EU.
For more information on targeting activities, be sure to check out part two of this two-part article.
We appreciate that there are quite a few points to take on board when establishing whether your non-EU business is likely to be caught by the GDPR, and whether your business therefore needs to comply with the GDPR provisions to avoid liability and sanctions.
Whilst the EDPB has set out some key clarification as to the application of the GDPR to non-EU businesses, it is always worth seeking specialist advice on your specific situation. Of course, if you need any assistance or require any further clarification, please get in touch with us here.
January 2019, Charlotte Gerrish, Founding Lawyer, Lily Morrison and Marie Montreux, Legal Consultants @ Gerrish Legal.