Chapter 5 Territorial and Material Scope of the GDPR Flashcards
What is the GDPR territorial scope?
GDPR applies:
- to EU-established organisations
- to organisations which offer to sell goods or services or which monitor individuals in the EU - on a long-arm, extraterritorial basis
What are EDPB guidelines on territorial scope?
Guidelines 3/2018
What is EDPB clarification of Article 3?
Article 3 aims to determine whether a PROCESSING ACTIVITY falls within the scope of the GDPR. The application of GDPR should be assessed per data processing activity.
Explain Article 3(1) - EU-established controllers and processors
Applies to the processing in the CONTEXT OF THE ACTIVITIES OF AN ESTABLISHMENT OF A C OR P IN THE UNION REGARDLESS OF WHETHER THE PROCESSING TAKES PLACE IN THE UNION OR NOT
ESTABLISHMENT - implies the effective and real exercise of activity through stable arrangements
The legal form of the arrangement is not the determining factor (branch or subsidiary with legal personality)
Establishment vs. incorporation = E is a broader term
The nationality of DS is irrelevant
Appointment by a C of a P in the EU does not mean that the controller is subject to GDPR
The appointment of an EU representative (Article 27) doesn’t mean that the C or P is established in the EU
Explain the meaning of “in the context of the activities” of the establishment
if this is the case, the GDPR will apply regardless of whether the processing in question is carried out by the relevant EU establishment itself
inextricable link between the activities of an EU establishment and the processing of data carried by a non-EU controller
WP29: being part of the same corporate group is not itself sufficient to establish there is an inextricable link between entities
The mere presence of an employee in the EU is not sufficient to trigger the application of GDPR; the processing in question must also be carried out in the context of the activities of the EU-based employee
Does Article 3(1) restrict application of the GDPR to the processing of PD of individuals who are in the Union?
No, GDPR applies to natural persons, whatever their nationality or place of residence, in relation to the processing of their PD
Which provision of GDPR will apply in case of the processing “in the context of the activities of an establishment of a processor in the EU”
Only the provisions which apply to processors
Explain the application of Article 3(2) - non-EU established organisations
DS are in the Union
Processing by a C or P not established in the Union if processing activities are related to:
- offering of goods or services, irrespective of payment
- monitoring of their behaviour if their behaviour takes place within the Union
What does “targeting of EU data subjects” mean?
The activities of the organisation must be intentional rather than incidental. E.g. the mere accessibility of a website from within the EU is not sufficient to satisfy Article 3(2)(a).
Relevant factors:
- naming EU or member state in reference to the goods or services
- use of an EU language
- marketing campaigns directed to EU audiences
- the ability to place orders in EU languages
- dedicated contacts for the individuals in the EU
- use of top-level EU domain
not enough if only one of the factors applies; wider analysis
Monitoring of behaviour
behaviour being monitored occurs within EU
tracking of individuals online to create profiles e.g. for predicting personal preferences, attitudes, behaviours (e.g. online tracking through cookies or device fingerprinting; geolocalisation of the content, CCTV, monitoring or regular reporting on an individual’s health)
Offline monitoring also included!
Article 3(2)(b) does not require the C or P to have an intention to monitor individuals in the EU
Explain application of Article 3(3) - Public international law
The processing by a C not established in the Union but in a place where Member State law applies by virtue of PUBLIC INTERNATIONAL LAW - embassies, consulates, airplanes and ships
Explain material scope of regulation
1) Matters outside the scope of EU law:
- processing operations that concern public security, defence and national security (member states have control over these matters)
- activities in relation to the common foreign or security policy of the EU
UK - UK intelligence services
2) Household exemption
- processing by a natural person in the course of a purely personal or household activity (correspondence, address book, social networking and online activities used for social and domestic purposes)
3) Prevention, detection, and prosecution of criminal penalties - covered by LED directive
4) EU institutions - covered by Regulation 2018/1725