Territorial Scope of GDPR Flashcards
Article 3 of the GDPR defines what?
Territorial scope of GDPR
What factors determine whether processing falls within the territorial scope of the GDPR?
- Controller/processor is ESTABLISHED in the EU
- Processing concerns personal data OF DATA SUBJECTS
- By a controller in a place where member state law applies by virtue of INTERNATIONAL LAW.
True or False: The GDPR applies to EU-established organizations?
True.
True or False: When defining whether a controller/processor is ESTABLISHED in the EU, the definition should be applied narrowly.
False - definition is Broad.
True or False: Whether or not a controller or processor is ESTABLISHED in the EU for scope purposes, turns on whether or not they have a legal entity in the EU?
False. Test is broad view of totality of circumstances.
Name some factors the court may examine when determining whether an organisation is established in the EU for purposes of meeting territorial scope of GDPR?
- Website directed at location in the EU
- Website in EU member state language
- Organisation has a representative in EU member state
- Bank account in EU
- Mail box in EU
*Legal subsidiary alone is not determinative.
Define the notion of “establishment” for determining territorial scope?
Establishment implies the effective and real exercise of activities through stable arrangements (Recital 22)
True or False: An organization will also be within the territorial scope of the GDPR when the processing is carried out “in the context of the activities” of its relevant establishment in the EU?
True.
What is the definition of “in the context of activities” in terms of meeting territorial scope?
Processing personal data of data subjects (1) relating to the offering of goods/services or (2) monitoring behavior in the EU.
When does data processing by non-EU organizsation fall under the GDPR?
When the CONTEXT OF ACTIVITIES of processing
Also consider, does the processing have an inextricable link to the EU?
What is the key point of material scope (why do we care)?
Material scope carves out data processing that FALLS OUTSIDE THE SCOPE of the GDPR.
What are the four key exceptions to the material scope of the GDPR?
- Matters outside of EU law
- Household Exemption
- Protection, Prevention, and Prosecution of Criminal Penalties
- EU Institutions
What is an example of an exception to the material scope of the GDPR for matters outside of EU law.
(a) National security, defense or
(b) Matters covered by Title V of Treaty of the EU, ie common foreign or security policy.
True or False. The household exemption under Article 2(2)(c) of the material scope of GDPR should be interpreted broadly.
False. Very narrow exception
True or False: Competent authorities processing personal data for the purposes of crime prevention, investigation or prosecution are also bound by the GDPR?
False - this calls under exception for material scope for protection, prevention and prosecution of criminal penalties.