Chapter 5 Territorial and Material Scope of GDPR Flashcards

1
Q

What is the territorial scope of the GDPR?

A
  1. EU established controllers and processors - Art 3(1)
  2. Orgs that offer goods/services or monitor individuals in the EU - Art 3(2)
  3. where member state law applies because of public int’l law - Art 3(3)
2
Q

What does it mean for a controller/processor to be established in the EU?

A

effective & real exercise of activity through stable arrangements

3
Q

Describe the Weltimmo v NAIH case

A

The CJEU determined that Weltimmo, despite being incorporated in Slovakia, targeted the Hungarian market and for all intents and purposes was established in the EU. Weltimmo additionally had a rep in Hungary for admin and judicial proceedings, an open bank account and a letterbox in Hungary.

4
Q

Describe the Google Spain SL v AEPD case

A

Established territorial jurisdiction by observing that Google sold and promoted advertising space in Spain.

5
Q

Describe Opinion WP 179 of Article 29 Working Party

A

considered the ‘inextricable link’ concept when considering the activities of a controller/processor that establish territorial jurisdiction.

6
Q

Give examples of EDPB Guideline limitations

A
  1. nationality and residence not determinative
7
Q

When does the GDPR apply to Non-EU established organisations

A
  1. offering goods/services for free or a fee in the EU.
  2. monitoring behaviour that occurs in the EU.
8
Q

How do you establish that a controller/processor is ‘targeting EU data subjects’

A

whether it is apparent the org is offering services/goods to data subjects in one or more EU member states

9
Q

Name a few relevant factors in ascertaining if a processor/controller is targeting EU data subjects

A
  1. Naming EU or member states in reference to the goods or services
  2. The use of an EU language
  3. Having marketing and advertising campaigns directed at EU audiences
  4. The ability to place orders in EU languages
  5. Referencing travel instructions from the European Union
  6. Paying a search engine to facilitate access by individuals in the European Union
  7. Having dedicated addresses or phone numbers for individuals in the European Union
  8. Use of a top-level EU domain (e.g., “.de” or “.eu”)
    *In combination and not isolation
10
Q

What does it mean for a controller/processor to monitor an individual within the EU?

A

behaviour monitored must relate to a data subject in the EU and the monitored behaviour must be in the EU.

11
Q

What is monitoring

A

According to Recital 24, tracking individuals online to create profiles, incl. where this is used to make decisions particularly concerning them or for analysing and predicting their preferences.

12
Q

Give EDPB examples of monitoring

A
  1. Behavioural advertising and geolocalisation of content (particularly for advertising)
  2. Online tracking through cookies and device fingerprinting
  3. An online personalised diet and health analytics service
  4. Closed-circuit television (CCTV)
  5. Market surveys and other behavioural studies based on individual profiles
  6. Monitoring or regular reporting on an individual’s health
13
Q

What is the impact of Article 3(3) of the GDPR

A

to provide clarity on the application of the GDPR in consulates, ships, airplanes.

14
Q

describe the impact of Brexit on the Application of GDPR

A
  1. controller or processor with establishments both in UK and EU.
  2. controller/processor targeting EU data subjects
15
Q

describe Article 2(2)(a) of the GDPR

A

processing of personal data in the course of an activity which falls outside the scope of Union law.

16
Q

describe Article 2(2)(b) of the GDPR

A

processing of personal data when carrying out activities that fall within Chapter 2 of Title V of the Treaty on the European Union.

17
Q

describe Art 2(2)(a) and 2(2)(b)

A

processing personal data for national security or defence and for common foreign & security policy of the EU.

18
Q

Does the UK have exceptions for processing of data by UK intelligence services

A

Yes, in that case Part 4 of the UK DPA.

19
Q

describe Article 2(2)(c) of the GDPR

A

this is the household exemption from the application of GDPR. Exempting processing of personal data by a natural person for personal or household activity.

20
Q

describe Art 2(2)(d)

A

exemption of application of GDPR on processing of personal data for the prevention, detection and prosecution of crime.

21
Q

what is the purpose of the LED

A

the law enforcement directive is intended to fill the exemption under Art 2(2)(d)

22
Q

describe the Schrems II case

A

confirmed that application of the LED is only triggered on transfer to law enforcement authorities. As such, for the transfer between Facebook Ireland and Facebook Inc, with the data ultimately shared with law enforcement authorities, the initial transfer was covered by GDPR.

23
Q

describe exemptions from the application of GDPR

A
  1. activities outside the scope of EU Law (nat’l security activities)
  2. Household exemption
  3. Law enforcement who are covered by LED
  4. EU Institutions
24
Q

describe the relationship between the ePrivacy Directive and GDPR

A

work in concert as the ePrivacy Directive particularises rules in specific areas, and the GDPR cannot add additional obligations.

25
Q

describe the relationship between the eCommerce Directive and GDPR

A

the eCommerce Directive deals with liability of ISPs for the actions of users, but matters such as the obligation to erase/rectify data or obligations regarding ISP use of personal data fall under the GDPR.