Territorial Scope of GDPR Flashcards

1
Q

Article 3 of the GDPR defines what?

A

Territorial scope of GDPR

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What factors determine whether processing falls within the territorial scope of the GDPR?

A
  1. Controller/processor is ESTABLISHED in the EU
  2. Processing concerns personal data OF DATA SUBJECTS
  3. By a controller in a place where member state law applies by virtue of INTERNATIONAL LAW.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

True or False: The GDPR applies to EU-established organizations?

A

True.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

True or False: When defining whether a controller/processor is ESTABLISHED in the EU, the definition should be applied narrowly.

A

False - definition is Broad.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

True or False: Whether or not a controller or processor is ESTABLISHED in the EU for scope purposes, turns on whether or not they have a legal entity in the EU?

A

False. Test is broad view of totality of circumstances.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Name some factors the court may examine when determining whether an organisation is established in the EU for purposes of meeting territorial scope of GDPR?

A
  1. Website directed at location in the EU
  2. Website in EU member state language
  3. Organisation has a representative in EU member state
  4. Bank account in EU
  5. Mail box in EU

*Legal subsidiary alone is not determinative.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Define the notion of “establishment” for determining territorial scope?

A

Establishment implies the effective and real exercise of activities through stable arrangements (Recital 22)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

True or False: An organization will also be within the territorial scope of the GDPR when the processing is carried out “in the context of the activities” of its relevant establishment in the EU?

A

True.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What is the definition of “in the context of activities” in terms of meeting territorial scope?

A

Processing personal data of data subjects (1) relating to the offering of goods/services or (2) monitoring behavior in the EU.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

When does data processing by non-EU organizsation fall under the GDPR?

A

When the CONTEXT OF ACTIVITIES of processing

Also consider, does the processing have an inextricable link to the EU?

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What is the key point of material scope (why do we care)?

A

Material scope carves out data processing that FALLS OUTSIDE THE SCOPE of the GDPR.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What are the four key exceptions to the material scope of the GDPR?

A
  1. Matters outside of EU law
  2. Household Exemption
  3. Protection, Prevention, and Prosecution of Criminal Penalties
  4. EU Institutions
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What is an example of an exception to the material scope of the GDPR for matters outside of EU law.

A

(a) National security, defense or

(b) Matters covered by Title V of Treaty of the EU, ie common foreign or security policy.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

True or False. The household exemption under Article 2(2)(c) of the material scope of GDPR should be interpreted broadly.

A

False. Very narrow exception

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

True or False: Competent authorities processing personal data for the purposes of crime prevention, investigation or prosecution are also bound by the GDPR?

A

False - this calls under exception for material scope for protection, prevention and prosecution of criminal penalties.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

True or False: The GDPR may apply to processing of personal data by law enforcement where the processing is for purposes other than those covered by LEDP Directive.

A

True.

17
Q

Are EU institutions covered by the GDPR.

A

No