Data Privacy and Cybersecurity

Chapter 4: Territorial application – Unlocking the EU General Data Protection Regulation

Why does this topic matter to organisations?

The GDPR does not necessarily apply to every organisation in the world. It applies to all organisations that are established in the EU. However, for organisations established outside the EU, the GDPR may or may not apply, depending on the circumstances. Establishing whether the GDPR applies to an organisation is essential to ensuring that organisation's ability to satisfy its compliance obligations.

What types of organisations are most affected?

The GDPR adopts a broad approach to territoriality, affecting organisations of all types. The most significant changes affect organisations that are established outside the EU but conduct business in the EU. This particularly affects organisations with internet-based business models that offer goods or services to consumers in the EU.

What should organisations do to comply?

The steps that an organisation should take to comply with the GDPR depend on whether the organisation is established in the EU:

  • An organisation established in the EU is subject to the GDPR, which replaced the Directive (and overrides national laws that implemented the Directive, to the extent that these have not been reconciled).
  • An organisation based outside the EU is subject to the GDPR if it either: (a) offers goods or services to EU data subjects; or (b) monitors the behaviour of EU data subjects.

Any organisation that is subject to the GDPR should review its obligations under the GDPR and take a risk-based approach to satisfying those obligations, as described in Chapter 2.


Icons to convey information quickly

The following icons are used in the table, to clarify the impact of each change:

  • Under the GDPR, the position on this issue has materially changed (e.g., the GDPR has introduced a new obligation that did not previously exist).
  • Under the GDPR, the position on this issue has not materially changed (e.g., although the wording may be different in the GDPR, the nature of the relevant obligation is unchanged).
  • The impact of the GDPR on this issue is likely positive for most organisations (e.g., because the GDPR provides certainty in relation to a previously unclear issue).
  • The impact of the GDPR on this issue is likely neutral for most organisations (e.g., because the requirements under the GDPR and the Directive are essentially the same).
  • The impact of the GDPR on this issue is likely negative for most organisations (e.g., because the GDPR introduced a new obligation on organisations).
  • The impact of the GDPR on this issue is unknown at this stage (e.g., because the impact on organisations is dependent upon secondary guidance that has not yet been written).


Issue | The Directive | The GDPR | Impact

Issue: Establishment

Organisations are subject to EU data protection law if they have an establishment in the EU. The word "establishment" is not precisely defined. The key question is whether there is effective and real exercise of activity through stable arrangements (e.g., a branch or subsidiary can be an "establishment", but a travelling salesperson is unlikely to constitute an "establishment").

The Directive (Rec.19; Art.4(1)(a)): The Directive (as implemented via the national law of a Member State) applied to organisations that:

  • were established in one or more Member State(s); and
  • processed personal data (whether as controller or processor, and regardless of whether or not the processing takes place in the EU) in the context of that establishment.

The GDPR (Rec.22; Art.3(1)): The GDPR applies to organisations that:

  • are established in one or more Member State(s); and
  • process personal data (either as controller or processor, and regardless of whether or not the processing takes place in the EU) in the context of that establishment.

Impact: The GDPR and the Directive both apply to organisations that have an establishment in the EU and process personal data in the context of that establishment.

Issue: Application of public international law

EU data protection law applies to an organisation if the laws of any Member State apply to that organisation by virtue of public international law.

The Directive (Art.4(1)(b)): An organisation that is not established in any Member State, but is subject to the laws of a Member State by virtue of public international law, was also subject to the Directive.

The GDPR (Rec.25; Art.3(3)): An organisation that is not established in any Member State, but is subject to the laws of a Member State by virtue of public international law, is also subject to the GDPR.

Impact: The GDPR does not amend this principle. In practice, the circumstances in which the laws of a Member State apply by virtue of public international law are rare, and so this issue is unlikely to materially affect many organisations.

Issue: Activities in Member States

EU data protection law may apply to an organisation whose activities in a Member State, or in relation to individuals in that Member State, consist of offering goods or services.

The Directive (Rec.20; Art.4(1)(c)): The Directive (as implemented via the national law of a Member State) applied to organisations established outside the EU if they made use of a "means of processing" (e.g., equipment or a processor) located in a Member State for the purposes of processing personal data (other than mere transit of those data through the EU).

The GDPR (Rec.23; Art.3(2)(a)): The GDPR applies to organisations established outside the EU if they (either as controller or processor) process the personal data of individuals in the EU when offering them goods or services (whether or not in return for payment). The question of what constitutes "offering" goods or services to individuals in the EU is determined on a case-by-case basis:

  • Mere accessibility of a website or service from the EU is not sufficient to trigger application of the GDPR.
  • Factors such as offering a service in the languages or currencies used in a Member State (if not also used in the third country), or mentioning customers or users in a Member State, may trigger application of the GDPR.

Impact: For any organisation that was already using a "means of processing" in the EU to offer goods or services to individuals in the EU, these changes are unlikely to have any practical impact.

For any organisation that was not subject to the Directive (e.g., because it is established outside the EU and does not use a "means of processing" in the EU) but offers goods or services to individuals in the EU, these changes mean that such an organisation is subject to the full range of compliance obligations under the GDPR, in relation to the relevant processing activities.

Issue: Monitoring of individuals in the EU

EU data protection law may apply to an organisation if that organisation monitors the behaviour of individuals in the EU.

The Directive (N/A): The application of the Directive was not affected by the question of whether an organisation monitored the behaviour of individuals in the EU.

The GDPR (Rec.24; Art.3(2)(b)): The GDPR applies to organisations established outside the EU if they (whether as controller or processor) monitor the behaviour of individuals in the EU (to the extent that such behaviour takes place in the EU). The question of what constitutes "monitoring" is determined on a case-by-case basis:

  • "monitoring" may include tracking an individual in the EU on the internet; and
  • "monitoring" may also include the use of data processing techniques to profile individuals, their behaviours or their attitudes (e.g., in order to analyse or predict personal preferences).

Impact: For any organisation that was already monitoring the behaviour of individuals in the EU, either through an establishment in the EU or a "means of processing" in the EU, these changes are likely to make little practical difference.

For any organisation that was not subject to the Directive (or applicable national laws of Member States) but monitors the behaviour of individuals in the EU, these changes mean that such an organisation is subject to the full range of compliance obligations under the GDPR, in relation to the relevant processing activities.


Commentary: Paradigm shift: Introducing the market principle

The transition from the Directive to the GDPR introduced significantly broader territorial application of EU data protection law. Whereas the Directive required some sort of connection with the EU (e.g., an establishment or "means of processing" in the EU) the GDPR can apply to an organisation that has neither of these things. Instead, the GDPR focuses on the question of whether an organisation markets its products in the EU.

For organisations that were subject to the Directive, this is not necessarily a significant change. However, for organisations that were not subject to the Directive, but that either offer goods or services to individuals in the EU or monitor their behaviour, these changes are likely to lead to significant new compliance burdens and associated additional costs under the GDPR.

Example: Having an EU establishment

Q. Organisation A is headquartered in Saudi Arabia, and has global operations in the energy sector. It is planning the rollout of a unified global HR database. Organisation A has a branch office in Germany with 50 employees. The branch office will have access to the global HR database. Is Organisation A subject to the provisions of the GDPR?

A. Establishment implies the "effective and real exercise of activity through stable arrangements". The legal form of such arrangements makes no difference (i.e., it does not matter whether it takes the form of a branch, a subsidiary or a joint venture). The processing activities of the German branch office, including its use of the global HR database, will be subject to the GDPR.

Organisation A is not subject to the GDPR simply by virtue of having a German office. However, the transfer of EU employee data to Organisation A under certain data transfer mechanisms (e.g., Model Clauses or BCRs—see Chapter 13) will impose compliance obligations on Organisation A in respect of those data.

Example: Doing business in the EU

Q. Organisation B is based in the US. It has no operations in other jurisdictions. It sells goods and services to users over the internet, including to users in the EU. Basic services are provided to users for free, with fees payable for more specialised services. The services are made available to users in their local languages, in local currencies, and they are provided on local top-level domains (e.g., ".de", ".fr" or ".co.uk"). But Organisation B has no operations or subcontractors on the ground in the EU. Is Organisation B subject to the provisions of the GDPR?

A. Organisation B is clearly processing the personal data of individuals in the EU (insofar as it provides services to users in the EU). The services are clearly "offered" to individuals in the EU, because:

  • the services are customised to the local languages of EU residents;
  • they are provided in local EU currencies; and
  • the services are provided on local EU top-level domains.

Therefore, the GDPR applies to the processing of personal data of EU data subjects by Organisation B in the course of providing these services.


Unlocking the EU General Data Protection Regulation:
A practical handbook on the EU's new data protection law

This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 – 2019 White & Case LLP