Chapter 5 Territorial and Material Scope of GDPR Flashcards
What is the territorial scope of the GDPR?
- EU established controllers and processors - Art 3(1)
- Orgs that offer goods/services or monitor individuals in the EU - Art 3(2)
- where member state law applies because of public int’l law - Art 3(3)
What does it mean for a controller/processor to be established in the EU?
effective & real exercise of activity through stable arrangements
Describe the Weltimmo v NAIH case
The CJEU determined that Weltimmo despite being incorporated in Slovakia targeted the Hungarian market and for all intents and purposes was established in the EU. Weltimmo additionally had a rep in Hungary for admin and judicial proceedings, an open bank account and letterbox in Hungary
Describe the Google Spain SL v AEPD case
Established territorial jurisdiction by observing that Google sold and promoted advertising space in Spain.
Describe Opinion WP 179 of Article 29 Working Party
considered the ‘inextricable link’ concept when considering the activities of a controller/processor that establish territorial jurisdiction.
Give examples of EDPB Guideline limitations
- nationality and residence not determinative
When does the GDPR apply to Non-EU established organisations
- offering goods/services for free or a fee in the EU.
- monitoring behaviour that occurs in the EU.
How do you establish that a controller/processor is ‘targeting EU data subjects’
whether it is apparent the org is offering services/goods to data subjects in one or more EU member states
Name a few relevant factors in ascertaining if a processor/controller is targeting EU data subjects
- Naming EU or member states in reference to the goods or services
- The use of an EU language
- Having marketing and advertising campaigns directed at EU audiences
- The ability to place orders in EU languages
- Referencing travel instructions from the European Union
- Paying a search engine to facilitate access by individuals in the European Union
- Having dedicated addresses or phone numbers for individuals in the European Union
- Use of a top-level EU domain (e.g., '.de' or '.eu')
*In combination and not isolation
What does it mean for a controller/processor to monitor an individual within the EU?
behaviour monitored must relate to a data subject in the EU and the monitored behaviour must be in the EU.
What is monitoring
According to Recital 24, tracking individuals online to create profiles incl. where this is used to make decisions particularly concerning them or for analysis and predicting their preferences.
give EDPB examples of monitoring
- Behavioural advertising and geolocalisation of content (particularly for advertising)
- Online tracking through cookies and device fingerprinting
- An online personalised diet and health analytics service
- Closed-circuit television (CCTV)
- Market surveys and other behavioural studies based on individual profiles
- Monitoring or regular reporting on an individual's health
What is the impact of Article 3(3) of the GDPR
to provide clarity on the application of the GDPR in consulates, ships, airplanes.
describe the impact of Brexit on the Application of GDPR
- controller or processor with establishments both in UK and EU.
- controller/processor targeting EU data subjects
describe Article 2(2)(a) of the GDPR
processing of personal data in the course of an activity which falls outside the scope of Union law.
describe Article 2(2)(b) of the GDPR
processing of personal data when carrying out activities that fall within Chapter 2 of Title V of the Treaty on the European Union.
describe Art 2(2)(a) and 2(2)(b)
processing personal data for national security or defence and for common foreign & security policy of the EU.
Does the UK have exceptions for processing of data by UK intelligence services
Yes, in that case Part 4 of the UK DPA.
describe Article 2(2)(c) of the GDPR
this is the household exemption from the application of GDPR. Exempting processing of personal data by a natural person for personal or household activity.
describe Art 2(2)(d)
exemption of application of GDPR on processing of personal data for the prevention, detection and prosecution of crime.
what is the purpose of the LED
the law enforcement directive is intended to fill the exemption under Art 2(2)(d)
describe the Schrems II case
confirmed that application of LED is only triggered on transfer to law enforcement authorities. As such the transfer from Facebook Ireland and Facebook Inc to ultimately share to law enforcement authorities. The initial transfer was covered by GDPR.
describe exemptions from the application of GDPR
- activities outside the scope of EU Law (nat’l security activities)
- Household exemption
- Law enforcement who are covered by LED
- EU Institutions
describe the relationship between the ePrivacy Directive and GDPR
work in concert as the ePrivacy Directive particularises rules in specific areas, and the GDPR cannot add additional obligations.
describe the relationship between the eCommerce Directive and GDPR
the eCommerce Directive deals with liability of ISPs for the actions of users, but matters such as the obligation to erase/rectify data or obligations on ISP use of personal data fall under the GDPR.