Chapter 5 Territorial and Material Scope of GDPR

Question 1

What is the territorial scope of the GDPR?

Answer 1

1. EU established controllers and processors - Art 3(1)
2. Orgs that offer goods/services or monitor individuals in the EU - Art 3(2)
3. where member state law applies because of public int’l law - Art 3(3)

Question 2

What does it mean for a controller/processor to be established in the EU?

Answer 2

effective & real exercise of activity through stable arrangements

Question 3

Describe the Weltimmo v NAIH case

Answer 3

The CJEU determined that Weltimmo despite being incorporated in Slovakia targeted the Hungarian market and for all intents and purposes was established in the EU. Weltimmo additionally had a rep in Hungary for admin and judicial proceedings, an open bank account and letterbox in Hungary

Question 4

Describe the Google Spain SL v AEPD case

Answer 4

Established territorial jurisdiction by observing that that google sold and promoted advertising space in Spain.

Question 5

Describe Opinion WP 179 of Article 29 Working Party

Answer 5

considered the ‘inextricable link’ concept when considering the activities of a controller/processor that establish territorial jurisdiction.

Question 6

Give examples of EDPB Guideline limitations

Answer 6

1. nationality and residence no determinative

Question 7

When does the GDPR apply to Non-EU established organisations

Answer 7

1. offering goods/services for free or a fee in the EU.
2. monitoring behaviour that occurs in the EU.

Question 8

How do you establish that a controller/processor is ‘targeting EU data subjects’

Answer 8

whether it is apparent the org is offering services/goods to data subjects in one or more EU member states

Question 9

Name a few relevant factors in ascertaining if a processor/controller is targeting EU data subjects

Answer 9

1. Naming EU or member states in reference to the goods or services
2. The use of an EU language
3. Having marketing and advertising campaigns directed at EU audiences
4. The ability to place orders in EU languages
5. Referencing travel instructions from the European Union
6. Paying a search engine to facilitate access by individuals in the European Union
7. Having dedicated addresses or phone numbers for individuals in the European Union
8. Use of a top-level EU domain (e.g., �.de� or �.eu�)
   *In combination and not isolation

Question 10

What does it mean for a controller/processor to monitor an indivudal within EU?

Answer 10

behaviour monitored must relate to a data subject in the EU and the monitored behaivour must be in the EU.

Question 11

What is monitoring

Answer 11

According to Recital 24, tracking individuals online to create profiles incl. where this is used to make decisions particularly concening them or for analysis and predicting their preferences.

Question 12

give example of EDPB exaples of monitoring

Answer 12

1. Behavioural advertising and geolocalisation of content (particularly for advertising)
2. Online tracking through cookies and device fingerprinting
3. An online personalised diet and health analytics service
4. Closed-circuit television (CCTV)
5. Market surveys and other behavioural studies based on individual profiles
6. Monitoring or regular reporting on an individual�s health

Question 13

What is the impact of Article 3(3) of the GDPR

Answer 13

to provide clarity on the application of the GDPR in consulates, ships, airplanes.

Question 14

describe the impact of Brexit on the Application of GDPR

Answer 14

1. controller or processor with establishments both in UK and EU.
2. controller/processor targeting EU data subjects

Question 15

describe Article 2(2)(a) of the GDPR

Answer 15

processing of personal data in the course of a activity which falls outside the scope of union law.

Question 16

describe Aricle 2(2)(b) of the GDPR

Answer 16

processing of personal data when carrying out activities that fall within Chapter 2 of Title V of the Treaty on the European Union.

Question 17

describe Art 2(2)(a) and 2(2)(b)

Answer 17

processing personal data for national security or defence and for common foreign & security policy of the EU.

Question 18

Does the UK have exceptions for processing of data by UK intelligence services

Answer 18

Yes, in that case Part 4 of the UK DPA.

Question 19

describe Article 2(2)(c) of the GDPR

Answer 19

this is the household exemption from the application of GDPR. Exempting processing of personal data by a natural person for personal or household activity.

Question 20

describe Art 2(2)(d)

Answer 20

exemption of application of GDPR on processing of personal data for the prevention, detection and prosecution of crime.

Question 21

what is the prupose of the LED

Answer 21

the law enforcement directive is intended to fill the exemption under Art 2(2)(d)

Question 22

describe the Schrems II case

Answer 22

confirmed that application of LED is only triggered on transfer to law enforcement authorities. As such the transfer from Facebook Ireland and Facebook Inc to ultimately share to law enforcement authorities. The initial transfer was covered by GDPR.

Question 23

describe exemptions from the application of GDPR

Answer 23

1. activities outside the scope of EU Law (nat’l security activities)
2. Household exemption
3. Law enforcement who are covered by LED
4. EU Institutions

Question 24

describe the relationship between the ePrivacy Directive and GDPR

Answer 24

work in concert as they ePrivacy directive particularises rules in specific areas, and the GDPR cannot add additional obligations.

Question 25

describe the relationship between the eCommerce Directive and GDPR

Answer 25

the eCommerce directive deals with liability of ISPd for the actions of users, but matters such obligation to erase/rectify data or obligations of ISP use of personal data fall under the GPDR.