Chapter 4: Territorial application – Unlocking the EU General Data Protection Regulation | White & Case LLP International Law Firm, Global Law Practice

Overview

Why does this topic matter to organisations?

The GDPR does not necessarily apply to every organisation in the world. It applies to all organisations that are established in the EU. However, for organisations established outside the EU, the GDPR may or may not apply, depending on the circumstances. Establishing whether the GDPR applies to an organisation is essential to ensuring that organisation's ability to satisfy its compliance obligations.

What types of organisations are most affected?

The GDPR adopts a broad approach to territoriality, affecting organisations of all types. The changes are significant for organisations that are established outside the EU but conduct business in the EU, particularly those with internet-based business models that offer goods or services to consumers in the EU.

What should organisations do to prepare?

The steps that an organisation should take to prepare for the GDPR depend on whether the organisation is established in the EU:

  • An organisation established in the EU is subject to the GDPR, which replaces the Directive (and overrides national laws that implement the Directive, to the extent that these have not been reconciled).
  • An organisation based outside the EU is subject to the GDPR if it either: (a) offers goods or services to EU data subjects; or (b) monitors the behaviour of EU data subjects.

Any organisation that is subject to the GDPR should review its obligations under the GDPR and take a risk-based approach to satisfying those obligations, as described in Chapter 2.

Impact labels are used below to indicate the impact of each GDPR change.

Detailed analysis

Each issue below is presented in four parts: the issue, the position under the Directive, the position under the GDPR, and the impact of the change.

Establishment

Organisations are subject to EU data protection law if they have an establishment in the EU. The word "establishment" is not precisely defined. The key question is whether there is effective and real exercise of activity through stable arrangements (e.g., a branch or subsidiary can be an "establishment", but a travelling salesperson is unlikely to constitute an "establishment").

The Directive (Rec.19; Art.4(1)(a))

The Directive (as implemented via the national law of a Member State) applies to organisations that:

  • are established in one or more Member State(s); and
  • process personal data (whether as controller or processor, and regardless of whether or not the processing takes place in the EU) in the context of that establishment.

The GDPR (Rec.22; Art.3(1)): does not materially change

The GDPR applies to organisations that:

  • are established in one or more Member State(s); and
  • process personal data (either as controller or processor, and regardless of whether or not the processing takes place in the EU) in the context of that establishment.

Impact: neutral

The GDPR and the Directive both apply to organisations that have an establishment in the EU and process personal data in the context of that establishment.

Application of Public International Law

EU data protection law applies to an organisation if the laws of any Member State apply to that organisation by virtue of public international law.

The Directive (Art.4(1)(b))

An organisation that is not established in any Member State, but is subject to the laws of a Member State by virtue of public international law, is also subject to the Directive.

The GDPR (Rec.25; Art.3(3)): does not materially change

An organisation that is not established in any Member State, but is subject to the laws of a Member State by virtue of public international law, is also subject to the GDPR.

Impact: neutral

The GDPR does not amend this principle. In practice, the circumstances in which the laws of a Member State apply by virtue of public international law are rare, and so this issue is unlikely to materially affect many organisations.

Activities in Member States

EU data protection law may apply to an organisation if offering goods or services is the nature of the organisation's activities in a Member State, or in relation to the residents of that Member State.

The Directive (Rec.20; Art.4(1)(c))

The Directive (as implemented via the national law of a Member State) applies to organisations established outside the EU if they make use of a "means of processing" (e.g., equipment or a processor) located in a Member State, for the purposes of processing personal data (other than mere transit of those data through the EU).

The GDPR (Rec.23; Art.3(2)(a)): materially changes

The GDPR applies to organisations established outside the EU if they (either as controller or processor) process the personal data of EU residents when offering them goods or services (whether or not in return for payment). The question of what constitutes "offering" goods or services to EU residents is determined on a case-by-case basis:

  • Mere website accessibility of a service in the EU is not sufficient to trigger application of the GDPR.
  • Factors such as offering a service in the languages or currencies used in a Member State (if not also used in the third country), or mentioning customers or users in a Member State, may trigger application of the GDPR.

Impact: neutral

For any organisation that is already using a "means of processing" in the EU to offer goods or services to EU residents, these changes are unlikely to have any practical impact.

Impact: negative

For any organisation that is not currently subject to the Directive (e.g., because it is established outside the EU and does not use a "means of processing" in the EU) but offers goods or services to EU residents, these changes mean that such an organisation is subject to the full range of compliance obligations under the GDPR, in relation to the relevant processing activities.

Monitoring of EU residents

EU data protection law may apply to an organisation if that organisation monitors the behaviour of EU residents.

The Directive (N/A)

The application of the Directive is not affected by the question of whether an organisation monitors the behaviour of EU residents.

The GDPR (Rec.24; Art.3(2)(b)): materially changes

The GDPR applies to organisations established outside the EU if they (whether as controller or processor) monitor the behaviour of EU residents (to the extent that such behaviour takes place in the EU). The question of what constitutes "monitoring" is determined on a case-by-case basis:

  • "monitoring" may include tracking an EU resident on the internet; and
  • "monitoring" may also include the use of data processing techniques to profile individuals, their behaviours or their attitudes (e.g., in order to analyse or predict personal preferences).

Impact: neutral

For any organisation that is already monitoring the behaviour of EU residents, either through an establishment in the EU or a "means of processing" in the EU, these changes are likely to make little practical difference.

Impact: negative

For any organisation that is not currently subject to the Directive (or applicable national laws of Member States) but monitors the behaviour of EU residents, these changes mean that such an organisation is subject to the full range of compliance obligations under the GDPR, in relation to the relevant processing activities.


Further analysis

Commentary: Paradigm shift: Introducing the market principle

The transition from the Directive to the GDPR introduces significantly broader territorial application of EU data protection law. Whereas the Directive requires some form of connection with the EU (e.g., an establishment or "means of processing" in the EU), the GDPR can apply to an organisation that has neither. Instead, the GDPR focuses on whether an organisation markets its products in the EU.

For organisations that are already subject to the Directive, this is not necessarily a significant change. However, for organisations that are not currently subject to the Directive, but that either offer goods or services to EU residents or monitor their behaviour, these changes are likely to lead to significant new compliance burdens and associated additional costs under the GDPR.

Example: Having an EU establishment

Q. Organisation A is headquartered in Saudi Arabia, and has global operations in the energy sector. It is planning the rollout of a unified global HR database. Organisation A has a branch office in Germany with 50 employees. The branch office will have access to the global HR database. Is Organisation A subject to the provisions of the GDPR?

A. Establishment implies the "effective and real exercise of activity through stable arrangements". The legal form of such arrangements makes no difference (i.e., it does not matter whether it takes the form of a branch, a subsidiary or a joint venture). The processing activities of the German branch office, including its use of the global HR database, will be subject to the GDPR.

Organisation A is not subject to the GDPR simply by virtue of having a German office. However, the transfer of EU employee data to Organisation A under certain data transfer mechanisms (e.g., Model Clauses or BCRs – see Chapter 13) will impose compliance obligations on Organisation A in respect of those data.

Example: Doing business in the EU

Q. Organisation B is based in the US. It has no operations in other jurisdictions. It sells goods and services to users over the internet, including to users in the EU. Basic services are provided to users for free, with fees payable for more specialised services. The services are made available to users in their local languages, in local currencies, and they are provided on local top-level domains (e.g., ".de", ".fr" or ".co.uk"). But Organisation B has no operations or subcontractors on the ground in the EU. Is Organisation B subject to the provisions of the GDPR?

A. Organisation B is clearly processing the personal data of EU residents (insofar as it provides services to users in the EU). The services are clearly "offered" to EU residents, because:

  • the services are customised to the local languages of EU residents;
  • they are provided in local EU currencies; and
  • the services are provided on local EU top-level domains.

Therefore, the GDPR applies to the processing of personal data of EU data subjects by Organisation B in the course of providing these services.


This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 White & Case LLP