On 12 November 2019, the EDPB published its finalised Guidelines on Territorial Scope of the GDPR (3/2018). The Guidelines aim to assist companies and supervisory authorities in determining whether a particular processing activity falls within the territorial scope of the GDPR.
The key changes to the draft Guidelines include clarification that:
- whilst some of a controller or processor’s processing activities may fall within the scope of the GDPR, the rest may not. Accordingly, the focus is on whether a particular processing activity falls within the scope of the GDPR, rather than whether a controller or processor does;
- where there is a connection between the targeting activities by a non-EEA controller caught by the GDPR and the processing activities carried out by a non-EEA processor, that processor will fall within the scope of Article 3(2) of the GDPR;
- where a non-EU controller or processor ‘inadvertently or incidentally‘ targets its goods or services at a person located in the EU, the related processing of personal data will not fall within the scope of the GDPR. For example, in the case of an Australian company offering a mobile news service exclusively to users located in Australia. If an Australian subscriber travels to Germany on holiday and continues using the service, the service would not be deemed to be ‘targeting’ individuals in the EU, and the Australian company would not fall within the scope of the GDPR;
- the GDPR does not establish a substitutive liability of the representative in place of the non-EU established controller or processor that it represents in the EU. The concept of the representative was introduced to enable supervisory authorities to initiate enforcement proceedings against a non-EU established controller or processor through the representative. The possibility of holding a representative directly liable is limited to its direct obligations referred to in Article 30 (record-keeping) and Article 58(1)(a) (respond to information requests from the supervisory authority) of the GDPR;
- the role of a representative in the EU is not compatible with the role of a Data Protection officer (DPO). A representative acts on behalf of the controller or processor that it represents, and therefore under its instructions, whilst a DPO is required to act independently.
The Guidelines indicate that the EDPB will further assess the interplay between the territorial scope of the GDPR and rules on international data transfers, and additional guidance may be issued in this regard, if necessary.
A comprehensive overview of the finalised Guidelines is available here.