Chapter 5 (Territorial Scope Of GDPR) Flashcards

1
Q

What does territorial scope mean in the context of the GDPR?

A

The application of the GDPR to orgs established in the EU and its application on an extraterritorial basis and pursuant to public international law

2
Q

Who does the GDPR apply to?

A
  1. EU established organizations
  2. On a long-arm, extraterritorial basis to orgs which offer to sell goods or services to, or who monitor, individuals in the EU
3
Q

Does the fact that some of an org’s processing activities fall within the scope of the GDPR mean that all of its processing activities are subject to the GDPR?

A

No, the application of the GDPR should be assessed per data processing activity.

4
Q

What does the term establishment mean in the context of the GDPR?

A

Implies the effective and real exercise of activity through stable arrangements.

5
Q

What were the facts in Weltimmo v. NAIH?

A

Weltimmo was incorporated in Slovakia but its website targeted the Hungarian market. The first month of advertising on the website was free; thereafter, ads were chargeable. Customers argued that Weltimmo failed to act upon requests to remove ads from the website, which resulted in charges.

The question was whether Hungarian law applies to Weltimmo, a Slovakian company.

6
Q

How did the CJEU rule in Weltimmo v. NAIH?

A

Confirmed that the concept of establishment is broad and flexible and shouldn’t depend on legal form.

Thus, Weltimmo was considered to be established in Hungary notwithstanding it being incorporated in Slovakia.

7
Q

What were the 4 factors the CJEU considered in making its decision in Weltimmo v. NAIH?

A
  1. Weltimmo’s website was mainly or entirely directed at Hungary (especially since written in Hungarian).
  2. Weltimmo had a rep in Hungary, who represented the company in judicial proceedings.
  3. Weltimmo had opened a bank account in Hungary intended for the recovery of its debts.
  4. Weltimmo used a letter box in Hungary for the management of its everyday business affairs.
8
Q

Does the appointment of an EU representative mean that the controller or processor is established in the EU?

A

No.

9
Q

What were the facts in Google Spain SL v. AEPD and what did the CJEU hold?

A

Concerned a Spanish citizen’s request that Google remove or conceal certain info that related to him when his name was searched.

Held that there was a sufficient connection between Google Spain SL’s activities (promoting and selling ad space in Spain on behalf of Google) and the search engine. That is, their activities were inextricably linked.

10
Q

Is being part of the same corporate group sufficient to establish that there is an “inextricable link” between entities for purposes of the GDPR?

A

No.

11
Q

Will any org that has EU sales offices, which promote or sell advertising or marketing or target individuals in the EU, fall under the territorial scope of the GDPR?

A

Yes.

12
Q

Is the presence of an employee in the EU sufficient to trigger the GDPR?

A

No, the processing in question must also be carried out in the context of the EU-based employee’s activities.

13
Q

Will a non-EU controller become subject to the GDPR merely because it is using a processor in the EU?

A

No.

14
Q

Non-EU orgs are subject to the GDPR if 1 of what 2 circumstances applies?

A
  1. They are offering goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the EU, or
  2. They are monitoring EU data subjects’ behaviors that occur within the EU
15
Q

What Article of the GDPR applies to EU established controllers and processors?

A

Article 3(1).

16
Q

What Article of the GDPR determines whether it applies to non-EU established orgs?

A

Article 3(2).

17
Q

Does the GDPR apply to a company that inadvertently sells to an individual in the EU?

A

No, sales have to be intentionally aimed at individuals in the EU.

18
Q

What are some of the examples the EDPB provides of actions that do not trigger Article 3(2) re non-EU established orgs?

A
  1. The mere accessibility of a website from within the EU
  2. Mere contact addresses accessible from the EU
  3. Use of same language as used in the controller’s home country
19
Q

What are 8 factors to consider when determining whether a non-EU org is intentionally targeting sales at individuals in the EU?

A
  1. Naming EU member states in reference to the goods or services
  2. The use of an EU language
  3. Having marketing and advertising campaigns directed at EU audiences
  4. The ability to place orders in EU languages
  5. Referencing travel instructions from the EU
  6. Paying a search engine to facilitate access by individuals in the EU
  7. Having dedicated addresses or phone numbers for individuals in the EU
  8. Use of a top-level EU domain (.de or .eu)
20
Q

How does the GDPR define monitoring for purposes of determining whether a company is subject to the GDPR?

A

Monitoring includes the tracking of individuals online to create profiles, including where this is used to make decisions particularly concerning them or for analyzing or predicting their personal preferences, behaviors, and attitudes.

21
Q

In order to be subject to Article 3(2)(b), i.e. a non-EU company that monitors, does the controller or processor have to have an intention to monitor individuals in the EU?

A

No.

22
Q

What are 6 examples the EDPB provides for monitoring?

A
  1. Behavioral advertising and geolocation of content
  2. Online tracking through cookies and device fingerprinting
  3. An online personalized diet and health analytics service
  4. Closed circuit TV (CCTV)
  5. Market surveys and other behavioral studies based on individual profiles
  6. Monitoring or regular reporting on an individual’s health
23
Q

What 6 activities fall outside the GDPR’s scope, and what are their corresponding articles?

A
  1. Matters outside the scope of EU law, Article 2(2)(a) and (b)
  2. Household exemption, Article 2(2)(c)
  3. Processing personal data related to the prevention, detection, and prosecution of criminal penalties, Article 2(2)(d)
  4. EU institutions, bodies, offices, and agencies, Article 2(3)
  5. Obligations or activities covered by the ePrivacy Directive
  6. Rules in the E-Commerce Directive
24
Q

What does Article 2(2)(a) state and what does it cover?

A

States the GDPR doesn’t apply to the processing of personal data in the course of an activity that falls outside the scope of Union law.

Covers processing operations that concern public security, defense, and national security.

25
Q

What does Article 2(2)(b) state and what does it cover?

A

States that the GDPR doesn’t apply to the processing of personal data by a member state when carrying out activities that fall within the scope of Chapter 2 of Title V of the Treaty on the EU.

Includes activities in relation to the common foreign and security policy of the EU.

26
Q

What is the household exemption?

A

Exempts data processing by a natural person in the course of a purely personal or household activity, e.g. having an address book that isn’t connected to professional or business activities.

27
Q

Recital 18 of the GDPR notes what with regards to the household exemption?

A

That social networking and online activities used for social and domestic purposes are also covered by the exemption.

28
Q

In what 2 cases did the CJEU interpret the household exemption narrowly?

A
  1. Lindqvist (publishing info about people from her parish church on her personal website): not covered
  2. Rynes (private residence security footage that captured images from a public footpath): not covered
29
Q

What fills the legislative gap arising from the exemption related to processing personal data for the prevention, detection, and prosecution of criminal penalties?

A

The Law Enforcement Directive (LED)

30
Q

Who does the LED apply to?

A

Competent authorities, such as the police, prosecution authorities, courts, and offender support services.

31
Q

What happens when competent authorities process personal data for purposes other than the purposes of the LED?

A

The GDPR applies unless the processing is carried out pursuant to an activity that falls outside the scope of EU law, like national security.

32
Q

Can a competent authority be subject to the GDPR and LED?

A

Yes, including with respect to the same data where it is processed for different purposes.

33
Q

What happens if a competent authority transfers data to a body not covered by the LED or if a competent authority transfers the data to another competent authority but for purposes that fall outside of the LED?

A

The GDPR applies.

34
Q

Do the ePrivacy Directive and the GDPR work together?

A

Yes, because the ePrivacy Directive simply renders more specific rules in some areas, e.g. telecommunications traffic data or storing of info on the end user’s device.

35
Q

How does preemption work between the ePrivacy Directive and GDPR?

A

The specific provisions of the ePrivacy Directive take precedence over the more general provisions of the GDPR.

36
Q

What is the relationship between the GDPR and E-commerce Directive?

A

The GDPR is stated to be without prejudice to the rules of the E-Commerce Directive.