Territorial scope of GDPR
Since the General Data Protection Regulation (GDPR) became applicable in May 2018, few people have not heard of it, and many have asked the same question: does this Regulation apply to Ukrainian companies and, if so, in which cases?
First of all, we should familiarize ourselves with the relevant provision of the GDPR, Article 3 (Territorial scope):
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Article 3 thus sets out an exhaustive list of grounds on which the GDPR applies to companies on a territorial basis. Let us examine each case separately, taking into account the EDPB Guidelines 3/2018 on the territorial scope of the GDPR.
Before turning to the definition of an establishment, note that Article 3(1) of the GDPR applies the establishment criterion specifically to a controller or a processor. To determine whether your company would be considered a controller or a processor, look at the definitions in Article 4 of the GDPR:
“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (Article 4(7)).
“processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8)).
Determining whether an entity is a controller or a processor for the purposes of EU data protection law is therefore a key step in assessing whether the GDPR applies to its processing of personal data. Although the operative text of the GDPR does not define “establishment”, Recital 22 states the following:
Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.
- In practice, the threshold for “stable arrangements” can be quite low where the controller’s activity consists of providing services online. In some circumstances, the presence of a single employee or agent of a non-EU company in the EU may be enough to constitute a stable arrangement, provided that the employee or agent acts with a sufficient degree of stability.
- There must also be a link between the activities of the EU establishment and the processing of personal data carried out by the non-EU controller or processor. The EDPB describes this link as “inextricable”.
So, a controller or processor is treated as having an establishment in the EU when it exercises real and effective activity there through stable arrangements and the processing in question is inextricably linked to the activities of that EU presence.
Whether a particular company meets these criteria must be analysed comprehensively and case by case. Only then can the existence of an establishment in the EU be determined reliably and the legal provisions applied correctly.
Example: A sneaker manufacturer in Ukraine has a fully operational branch in Belgium that independently controls all of the company’s operations in Europe, including marketing campaigns. The Belgian branch can be regarded as a stable arrangement carrying out real and effective activity, in the light of the nature of the economic activity pursued by the sneaker manufacturer. The Belgian branch can therefore be considered an establishment in the European Union within the meaning of the GDPR.
Even if you have no establishment in the EU, your company may still be subject to the GDPR. Article 3(2) of the GDPR defines the grounds on which a controller or processor without an establishment in the EU is subject to the Regulation, namely where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.
The EDPB notes that, in determining whether this criterion is met, two elements must be considered:
- whether the processing relates to data subjects who are in the EU; and
- whether the processing activity is one of those listed in Article 3(2), i.e. the offering of goods or services or the monitoring of behaviour.
Data subjects in the EU
Article 3(2) of the GDPR refers to data subjects who are in the EU; the targeting criterion is therefore not limited to EU citizens. Recital 14 states that “the protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.”
Furthermore, the EDPB recalls Article 8 of the Charter of Fundamental Rights of the European Union, which stipulates that the right to the protection of personal data is not limited but is for “everyone”.
So, when a Ukrainian company processes data of people located in the EU, regardless of their nationality, such processing may be subject to the Regulation, provided that one of the two trigger activities is present. Whether a data subject is in the EU must be assessed at the moment the relevant “trigger activity” takes place, i.e. when goods or services are offered or when behaviour is monitored.
However, the EDPB takes the view that Article 3(2)(a) is aimed at activities that intentionally, rather than inadvertently or incidentally, target individuals in the EU. So, if the processing relates to a service offered only to persons outside the EU, and that service is not withdrawn when those persons enter the EU, the processing does not fall within the scope of the GDPR under Article 3(2)(a), because it does not involve intentional targeting of persons in the EU.
Example: A Ukrainian company offers a sports news service, mainly covering Ukrainian football. Users can receive daily or weekly updates. The service is offered exclusively to users in Ukraine, and on registration they must provide and confirm a Ukrainian phone number. One of the users goes on vacation to Spain and continues to use the service. Although the Ukrainian subscriber uses the service while in the EU, the service is not “targeted” at individuals in the Union, so the processing of personal data by the Ukrainian company is not covered by the GDPR on this ground.
The offering of goods or services in the EU
The targeting criterion for the offering of goods or services applies regardless of whether the data subject is required to pay for them. The key question is whether the controller or processor demonstrably intends to offer goods or services to data subjects in the EU. Recital 23 states that:
- In order to determine whether such a controller or a processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union;
- Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
When taking into account the specific facts of the case, the following factors could therefore inter alia be taken into consideration, possibly in combination with one another:
- The EU or at least one Member State is designated by name with reference to the good or service offered;
- The controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union, or has launched marketing and advertisement campaigns directed at an EU audience;
- The international nature of the activity at issue, such as certain tourist activities;
- The mention of dedicated addresses or phone numbers to be reached from an EU country;
- The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”;
- The description of travel instructions from one or more other EU Member States to the place where the service is provided;
- The mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;
- The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member States;
- The data controller offers the delivery of goods in EU Member States.
Taken separately, several of these factors may not in themselves show a clear intention to offer goods or services to data subjects in the EU, but each of them should be weighed in the overall analysis of whether goods or services are being offered in the EU.
Example: A website based in and operated from Ukraine offers a service for creating unique 3D design models of apartments. The website is available in English, French, Spanish and German, and payments can be made in euros. The website states that the models can only be delivered to France and Germany. In this case it is clear that services are being offered to data subjects in the EU within the meaning of Article 3(2)(a): the availability of the website in several EU languages, payment in euros and delivery to two EU Member States together show that the Ukrainian website intends to offer its services to people in the EU.
The monitoring of behaviour
The second activity that triggers the application of Article 3(2) of the GDPR is the monitoring of the behaviour of data subjects in so far as that behaviour takes place within the EU. Recital 24 states that “in order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.” The EDPB provides examples of activities that could be considered monitoring:
- Behavioural advertisement
- Geo-localisation activities, in particular for marketing purposes
- Online tracking through the use of cookies or other tracking techniques such as fingerprinting
- Personalised diet and health analytics services online
- CCTV
- Market surveys and other behavioural studies based on individual profiles
- Monitoring or regular reporting on an individual’s health status
Example: A consulting company established in Australia provides retail advice to a supermarket in Germany based on an analysis of customer movements throughout the store collected via Wi-Fi tracking. Analysing customers’ movements within the store through Wi-Fi tracking amounts to monitoring their behaviour, and because that behaviour takes place in the EU, the Australian company is subject to the GDPR under Article 3(2)(b).
Designation of a representative
Article 27 of the GDPR explicitly requires controllers and processors falling under Article 3(2) (i.e. controllers or processors not established in the EU that offer goods or services in the EU or monitor behaviour in the EU) to designate a representative in the EU. It follows that controllers and processors subject to the GDPR under Article 3(1) (processing in the context of the activities of an EU establishment) are not subject to the requirement to designate a representative. The EDPB also confirms that designating a representative does not in itself create an “establishment” and therefore does not trigger Article 3(1). In addition, the Guidelines state that the function of representative is not compatible with the role of an external Data Protection Officer (DPO) under the GDPR, because:
- the DPO must not receive any instructions regarding the exercise of his or her tasks (Article 38(3)) and must act independently, whereas the representative acts under a mandate from the controller or processor and is therefore subject to its instructions; and
- the combination of both roles can lead to a conflict of interest.
Recital 80 states that “such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation.”
Under Article 27(2) of the GDPR, the obligation to designate a representative does not apply to:
- processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
- a public authority or body.
Subject to these exemptions, a Ukrainian company that has no establishment in the EU but targets the EU market or monitors the behaviour of data subjects in the EU must designate a representative in the European Union, conclude a written mandate with that representative and enable it to act on the company’s behalf as the point of contact for the data subjects whose data are processed and, where necessary, for the supervisory authorities of the EU Member States. Under Article 27(3), the representative must be established in one of the Member States where the data subjects whose data are processed are located.