Approximately one year after publication of the public consultation version, the European Data Protection Board (EDPB) has published its finalised Guidelines on the territorial scope of the GDPR (Article 3).
Although the relevant GDPR article may seem simple at first glance, numerous questions arose in practice. The guidelines provide more clarity in many respects with examples, but unfortunately there are still a number of topics for which further – practical – guidance would be helpful. The EDPB has stated, for example, that it will further assess the interplay between the application of the territorial scope of the GDPR and the provisions on international data transfers. The EDPB furthermore highlights that the development of further international cooperation mechanisms is currently being considered.
The GDPR applies to the processing of personal data (article 3 GDPR):
- in the context of the activities of an establishment of a controller or a processor in the EU, regardless of where the processing takes place;
- of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to:
  - the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or
  - the monitoring of their behaviour as far as their behaviour takes place within the EU.
Among other things, the EDPB confirms that Article 3 GDPR determines whether a particular processing activity falls within the scope of the GDPR. Certain processing activities carried out by a controller or processor may fall within the scope of the GDPR, while other processing of personal data carried out by the same controller or processor might not.
In addition to an analysis of article 3 GDPR, the Guidelines provide guidance with respect to the obligation to designate a representative (within the meaning of article 27 GDPR), an obligation that applies to controllers and processors subject to the GDPR as per article 3(2) GDPR.
According to the EDPB, the designation of a representative in the EU does not affect the responsibility and liability of the controller or of the processor under the GDPR and shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves. The GDPR does not establish a substitutive liability of the representative in place of the controller or processor it represents. The EDPB notes that the possibility to hold a representative directly liable is limited to the representative’s direct obligations referred to in article 30 and article 58(1)(a) GDPR.