Territorial Scope of GDPR

Question 1

Article 3 of the GDPR defines what?

Answer 1

Territorial scope of GDPR

Question 2

What factors determine whether processing falls within the territorial scope of the GDPR?

Answer 2

1. Controller/processor is ESTABLISHED in the EU
2. Processing concerns personal data OF DATA SUBJECTS
3. By a controller in a place where member state law applies by virtue of INTERNATIONAL LAW.

Question 3

True or False: The GDPR applies to EU-established organizations?

Answer 3

True.

Question 4

True or False: When defining whether a controller/processor is ESTABLISHED in the EU, the definition should be applied narrowly.

Answer 4

False - definition is Broad.

Question 5

True or False: Whether or not a controller or processor is ESTABLISHED in the EU for scope purposes, turns on whether or not they have a legal entity in the EU?

Answer 5

False. Test is broad view of totality of circumstances.

Question 6

Name some factors the court may examine when determining whether an organisation is established in the EU for purposes of meeting territorial scope of GDPR?

Answer 6

1. Website directed at location in the EU
2. Website in EU member state language
3. Organisation has a representative in EU member state
4. Bank account in EU
5. Mail box in EU

*Legal subsidiary alone is not determinative.

Question 7

Define the notion of “establishment” for determining territorial scope?

Answer 7

Establishment implies the effective and real exercise of activities through stable arrangements (Recital 22)

Question 8

True or False: An organization will also be within the territorial scope of the GDPR when the processing is carried out “in the context of the activities” of its relevant establishment in the EU?

Answer 8

True.

Question 9

What is the definition of “in the context of activities” in terms of meeting territorial scope?

Answer 9

Processing personal data of data subjects (1) relating to the offering of goods/services or (2) monitoring behavior in the EU.

Question 10

When does data processing by non-EU organizsation fall under the GDPR?

Answer 10

When the CONTEXT OF ACTIVITIES of processing

Also consider, does the processing have an inextricable link to the EU?

Question 11

What is the key point of material scope (why do we care)?

Answer 11

Material scope carves out data processing that FALLS OUTSIDE THE SCOPE of the GDPR.

Question 12

What are the four key exceptions to the material scope of the GDPR?

Answer 12

1. Matters outside of EU law
2. Household Exemption
3. Protection, Prevention, and Prosecution of Criminal Penalties
4. EU Institutions

Question 13

What is an example of an exception to the material scope of the GDPR for matters outside of EU law.

Answer 13

(a) National security, defense or

(b) Matters covered by Title V of Treaty of the EU, ie common foreign or security policy.

Question 14

True or False. The household exemption under Article 2(2)(c) of the material scope of GDPR should be interpreted broadly.

Answer 14

False. Very narrow exception

Question 15

True or False: Competent authorities processing personal data for the purposes of crime prevention, investigation or prosecution are also bound by the GDPR?

Answer 15

False - this calls under exception for material scope for protection, prevention and prosecution of criminal penalties.

Question 16

True or False: The GDPR may apply to processing of personal data by law enforcement where the processing is for purposes other than those covered by LEDP Directive.

Answer 16

True.

Question 17

Are EU institutions covered by the GDPR.

Answer 17

No