GDPR Material and Territorial Scopes
by Tara Taubman-Bassirian LLM
There have been, and still remain, questions and uncertainties about the scope of application of the General Data Protection Regulation.
The GDPR contains rules concerning the protection of natural persons when their personal data are processed and rules on the free movement of personal data, as stressed in Article 1(1) GDPR.
Art. 1 GDPR, Subject-matter and objectives, provides:
1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
Related Recitals: 1 to 12
Article 1(2) GDPR provides that the GDPR seeks to protect the fundamental rights and freedoms of natural persons and, more specifically, their right to the protection of personal data. This means that the Regulation does not, as such, deal with the rights and freedoms of legal persons, such as companies.
The law protects the personal data of natural persons, but does not apply to the data of deceased persons. However, Member States may provide for rules regarding the processing of data of deceased persons. (Rec. 27, 158, 160; Art. 1(1)-(2), 4(1))
Article 8 of the EU Charter of Fundamental Rights – Protection of personal data:
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
Art. 2 GDPR Material scope:
1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
2. This Regulation does not apply to the processing of personal data:
(a) in the course of an activity which falls outside the scope of Union law;
(b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
(c) by a natural person in the course of a purely personal or household activity;
(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
3. For the processing of personal data by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.
4. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.
Related Recitals: 13 to 21, 27
The Directive applies to the processing of personal data:
• by automatic means (e.g., a computerised system or database); and
• by other (non-automated) means that form part of a relevant filing system.
The protection of individuals should be technologically neutral and should not depend on the techniques used.
Art. 3 GDPR Territorial scope:
The European Data Protection Board, the supervisory authority that replaced the Article 29 Working Party, has issued guidance on the territorial scope of the GDPR.
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Related Recitals: 22 to 25
Recital 24: “Factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”
In the Google Spain case (C-131/12), the CJEU ruled that “processing of personal data is carried out in the context of the activities of an establishment of the controller on the territory of a Member State, within the meaning of that provision, when the operator of a search engine sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State.” Thus, an EU-based entity that does not itself carry out data processing, but performs an activity that can be considered inextricably linked to that processing, will fall under the GDPR.
See also France v Google (Advocate General).
UK ICO: What is personal data?
Personal data are defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
Does this include IP addresses? In a groundbreaking decision on October 19th, the Court of Justice of the European Union (CJEU) ruled that dynamic IP addresses can be considered personal data. Under the GDPR, the IP address, an ‘identification number’, can clearly be personal data.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
Widening its scope compared to the Data Protection Directive, the GDPR applies to:
- EU based controllers and processors when personal data is processed “in the context of its activities”.
- In addition, GDPR will apply to controllers and processors established in the European Economic Area (EEA) member states Iceland, Norway and Liechtenstein.
- Those established outside the European Union that target data subjects in the EU/EEA by offering them goods or services, or that monitor the behaviour of such data subjects. The use of an EU language or currency, the ability to place orders in that other language, and references to EU users or customers will be relevant (Pammer v Reederei Karl Schlüter GmbH & Co and Hotel Alpenhof v Heller, Joined Cases C-585/08 and C-144/09).
- Non-EU/EEA controllers established in a place where EU/EEA law applies by virtue of public international law.
Would the GDPR apply to non-EU controllers established within the EEA but exclusively processing data of non-EU/EEA residents? Some data processors process data of non-EU citizens while based in the EU/EEA. To me, it is unclear whether the GDPR applies to them. The main practical issue here is the reach of jurisdiction for non-EU citizens.
The long arm of EU jurisdiction is reflected in the requirement for controllers falling into these categories to appoint an EU-based representative.
Falling ‘outside the scope of Union law’?
The GDPR should not apply to the processing of the personal data of EU/EEA citizens when the data are collected outside the EU by non-EU controllers based outside the EU/EEA, for instance data collected from an EU citizen while travelling abroad outside the EU.
EDPB Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)
This work is licensed under a Creative Commons Attribution 4.0 International License.