Data Protection and Cyber Update
Data Protection and Extraterritoriality
- The GDPR is now fully applicable and has extensive extraterritorial effect outside the EU. It is a complex matter which we wish to highlight and reiterate in this update.
- The GDPR can apply whether the processing itself takes place inside or outside the EU.
- The physical place of processing is irrelevant; what matters is the establishment of the controller or processor and who is being targeted.
GENERAL GUIDING PRINCIPLES
- When processing personal data, a data “Controller” or “Processor” will be subject to the GDPR if (Article 3):
- it is established in the EU and the processing takes place in the context of the activities of that establishment;
- it offers goods or services to data subjects in the EU;
- it monitors the behaviour of data subjects in the EU, as far as that behaviour takes place within the EU; or
- it is established in a place where Member State law applies by virtue of public international law.
- If the GDPR applies to a non-EU Controller or Processor, it will in principle need to designate a representative in the EU (Article 27). The representative serves as a point of contact to be addressed by supervisory authorities and data subjects on all issues related to the processing; it does not itself monitor the Controller’s or Processor’s compliance.
- We recommend reference to the European Data Protection Board Guidelines 3/2018 on the territorial scope of the GDPR, adopted with the aim of ensuring a consistent application of the GDPR when assessing whether a particular processing by a Controller or a Processor falls within its scope.
- Non-EU Controllers and Processors should regularly reassess whether they fall under the GDPR, as the answer can change when products, markets or tracking practices change; where they do fall within the Regulation, they must monitor their compliance with it.
- Any transactional due diligence process involving enterprises that process personal data will require a thorough GDPR review, including a review of the territorial-scope question itself.
Article 3 of the GDPR reflects the intention of the European legislator to ensure a high level of protection in a context of worldwide data flows.
Two main criteria have to be considered:
- establishment in the EU; and
- targeting of data subjects who are in the EU.
When does the processing of data fall within the territorial scope of the GDPR?
The GDPR applies (Article 3(1)) to the processing of personal data in the context of the activities of:
- An establishment of the Controller or Processor in the EU.
“Establishment implies the effective and real exercise of activity through stable arrangements” (Recital 22 GDPR). The legal form of the arrangement (branch, subsidiary or otherwise) is not decisive.
Note, for example, that a single employee or agent in the EU acting with a sufficient degree of stability could constitute an “Establishment”; by contrast, the mere fact that a website is accessible from the EU does not constitute an Establishment.
- Processing “in the context of the activities” of that establishment
Controllers or Processors outside the EU whose processing has an inextricable link with the activities of a local EU establishment will be subject to the GDPR, whether or not the EU establishment itself takes any role in the processing.
Note that revenue raising in the EU by the local establishment, to the extent it is linked to the processing carried out by the non-EU enterprise, may be indicative of processing “in the context of the activities” of that establishment.
The assessment has to be made case by case and is often complex.
It is important to recall that the place where the processing physically takes place is irrelevant for determining whether the GDPR applies.
The absence of an Establishment in the Union does not mean that the GDPR does not apply: the targeting criterion below must then be assessed.
The GDPR also applies (Article 3(2)) to the processing of personal data of data subjects who are in the EU by a Controller or Processor not established in the EU, where the processing relates to:
- Offering of goods or services to data subjects in the EU
Irrespective of whether a payment by the data subject is required.
A critical element is whether it is apparent that the Controller or Processor envisages offering goods or services to data subjects in the EU; mere accessibility of a website from the EU is not sufficient (Recital 23).
Indicative elements of such an intention include:
- the EU or one or more Member States being designated by name in relation to the goods or services;
- the international nature of the activity (for example tourist activities);
- the mention of a dedicated address or phone number to be reached from within the EU;
- the use of a language or currency other than that generally used in the trader’s own country; or
- the delivery of goods to EU Member States.
- Monitoring of behaviour within the EU
Monitoring means tracking natural persons on the internet, including the subsequent use of profiling techniques to take decisions concerning them or to analyse or predict their personal preferences, behaviours and attitudes (Recital 24).
The criterion is the data subject’s presence in the EU at the time of the offering or monitoring; it is not limited by citizenship or residence. Conversely, EU citizens or residents who are outside the EU at that time are not covered by this criterion.
Public International Law criterion
The GDPR applies (Article 3(3)) to the processing of personal data by a Controller not established in the Union but in a place where Member State law applies by virtue of public international law, for example a Member State’s diplomatic mission or consular post (Recital 25).
Appointment of a representative within the EU
Following the above analysis, if a non-EU Controller or Processor falls under Article 3(2), it is required to appoint a representative in the EU (Article 27). Such appointment:
- must be expressly made, in writing, by way of a mandate;
- must designate a representative established in one of the Member States where the data subjects whose personal data are processed are; and
- does not necessarily need to be of a commercial entity: the representative may be a natural or a legal person.
The obligation does not apply where the processing is occasional, does not include, on a large scale, special categories of data or data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, nor where the Controller is a public authority or body (Article 27(2)).
Note that the EU representative function is distinct from that of the Data Protection Officer (DPO), and the two functions need to be independent of each other.
The appointment of such a representative does not affect or reduce the liability of, or the possibility of legal action against, the Controller or the Processor itself.
The representative’s obligation is to fulfil its duties in accordance with the mandate given to it, in particular to be addressed by supervisory authorities and data subjects and to maintain the record of processing activities on behalf of the Controller or Processor.