International Scope of the GDPR
November, 2018 - Philip Kempermann, LL.M.
The large number of vague terms and provisions requiring interpretation in the GDPR create significant application issues for companies. The challenge is even greater for companies not established in the EU that want to review whether the GDPR applies to them at all. Generally speaking, the European legislator set itself the goal of giving the GDPR the widest territorial scope possible. In doing so, it follows the guidance of the CJEU, which, ever since the Google Spain judgment (judgment of May 13, 2014, Case C-131/12), has taken the view that European data protection law must be applied broadly in the interest of the best possible protection of data subjects. The CJEU confirmed this view again in its decisions concerning the Wirtschaftsakademie Schleswig-Holstein (June 5, 2018, Case C-210/16) and the Jehovah’s Witnesses (July 10, 2018, Case C-25/17).
The GDPR’s territorial scope is set out in Art. 3. Accordingly, the GDPR applies, on the one hand, if personal data is processed in the context of the activities of an establishment of a controller or processor in the Union, irrespective of whether the processing itself takes place in the EU. On the other hand, the GDPR also applies if a controller that is not established in the EU processes the personal data of data subjects located in the EU, provided this is done in order to offer those data subjects goods or services, or in order to monitor their behavior within the EU.
Application on the basis of an establishment
The term establishment must be understood in a broad sense: establishments can be subsidiaries, but also sales offices. What matters is that the controller, who is not established in the EU, exercises a certain degree of control over the establishment (a simple sales agency is not always sufficient for the GDPR to apply) and that the personal data are processed in the context of this establishment’s activities, for example because employees from non-EU countries are sent there, or because customer relationships are handled via this establishment. Because the scope also covers processors, the GDPR can even apply if neither the data subjects nor the controller are established in the EU at all, but a subsidiary of the controller acts as processor and processes the data within the EU in this role. Caution is therefore required when designing intragroup service relationships.
Application on the basis of offers
Under Art. 3 (2) GDPR, the regulation applies if companies not established in the EU offer their goods and services into the EU. This is the case, for example, with services offered from the USA, such as the various social media offerings. However, the GDPR does not automatically apply if, for example, a hotel in South Africa provides a website in English that is also accessible from the EU and allows room reservations. If there are no further factors indicating that this service is expressly addressed to EU citizens as well, such as the use of EU-specific languages on the website or the indication of EU bank accounts or telephone numbers, this "random offering" is not sufficient to satisfy the criterion of an offer of goods and services. Here, the goods and services are in fact offered in South Africa only, and it is only by chance that they are found by data subjects in the EU.
Guidance from the European Data Protection Board expected
The European Data Protection Board recently published draft guidelines on the application of the GDPR that contain further examples of the regulation’s applicability: Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), version for public consultation.
Caution: national regulations in addition
In addition to this broad scope of the GDPR, further data protection law can apply via national regulations even if controllers are not established within the EU. For example, Section 1 (4) of the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) provides for very extensive application of the BDSG, with the result that international companies should also concern themselves intensively with the BDSG if they offer services in Germany. In particular, a situation can arise very quickly in which, for example, a data protection officer must be appointed.
Need for a European representative
Companies also need to be aware of Art. 27 GDPR, under which controllers who fall within the GDPR’s scope pursuant to Art. 3 (2) must appoint a representative established in the EU, who ultimately acts as the contact point for data subjects as well as for the authorities responsible for the controller in the EU.
All in all, the GDPR has significantly extended the scope of European data protection law, a trend started and still supported by the CJEU. International companies, operating in Europe either via establishments or through the offering of goods and services, must therefore concern themselves extensively with the regulations of the GDPR and, if necessary, also with local data protection laws.