Material and Territorial Scope
This series provides more detailed insight into the General Data Protection Regulation, which was published on 4 May 2016 and will have to be complied with as of 25 May 2018.
This first part focuses on the material and territorial scope of the GDPR. Skip to the end for a quick overview of the main takeaways and to do's.
The GDPR applies to the processing of personal data wholly or partly by automated means and to manual processing if the personal data form part of a filing system or are intended to form part of a filing system.
Personal data are defined as "any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
Compared to Directive 95/46, the concept of personal data now expressly covers location data and online identifiers. Examples of the latter include IP addresses, cookies and radio frequency identification (RFID) tags. Reference is also expressly made to genetic factors.
Personal data that have undergone pseudonymization - a new definition in the GDPR - are still considered personal. Pseudonymization is defined as "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person".
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
This definition is almost identical to that found in Directive 95/46, with the exception of the word "restriction" which was added in view of the new right to restrict processing (to be discussed at a later date).
The GDPR does not apply to:
- the processing of anonymous data, ie data that cannot be traced back to the individual;
- the processing of data relating to deceased persons;
- the processing of data relating to legal persons. For the avoidance of doubt, we recall that data relating to natural contact persons of a legal persons and to one-man businesses are considered personal data;
- physical files or sets of files which are not structured according to specific criteria.
- the processing of personal data in the course of an activity that falls outside the scope of EU law (e.g. national security);
- the processing of personal data by Member States when carrying out activities in relation to the common foreign and security policy of the European Union;
- the processing of personal data by a natural person in the course of a purely personal or household activity, such as correspondence, the holding of addresses as well as social networking and online activities in the context of personal and household activities; it remains to be seen to what extent social networking and online activities will be able to benefit from the exemption. In Lindqvist (C-101/01), the Court of Justice of the European Union ruled that the uploading of information by an individual onto a self-made Internet page does not fall within the household exemption;
- the processing of personal data by competent authorities for purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
- the processing of personal data by European Union institutions, bodies, offices and agencies, in which case Regulation (EC) No 45/2001 applies.
The GDPR obviously applies to controllers and processors established within the European Union (EU).
In addition, the GDPR will apply to controllers and processors established in the European Economic Area (EEA) member states Iceland, Norway and Liechtenstein once it has been incorporated in the EEA Agreement. The EEA Agreement incorporates all EU legislation relevant to the single market (including data protection legislation (Directive 95/46)) and allows those three countries to participate in the single market without being part of the European Union.
Finally, the GDPR may also apply to those established outside the European Union.
EU/EEA-based controllers and processors
The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the EU/EEA, regardless of whether the processing takes place in the EU/EEA.
The determining factor is whether the controller or processor has an establishment in the EU/EEA. The term establishment is not defined in the GDPR. However, the recitals indicate that an establishment implies the effective and real exercise of activity through stable arrangements, as confirmed by the CJEU's Weltimmo decision (C-230/14). The legal form of such arrangements is not decisive.
There is in any case a tendency to interpret the applicable criteria broadly in order to bring as much data processing activity as possible within the scope of the European data protection legislation. This was evidenced by the Google Spain case (C-131/12), in which the CJEU ruled that "processing of personal data is carried out in the context of the activities of an establishment of the controller on the territory of a Member State, within the meaning of that provision, when the operator of a search engine sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State." Thus, an EU-based entity that does not carry out data processing but performs an activity which can be considered inextricably linked to data processing will fall under the GDPR.
The GDPR also applies to the processing of personal data pertaining to EU/EEA-based data subjects by a controller or processor not established in the EU/EEA, where the processing activities relate to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU/EEA; or
- the monitoring of the behaviour of data subjects in the EU/EEA as far as their behaviour takes place within the EU/EEA.
A determination of whether goods or services are offered to data subjects in the EU/EEA will be made on a case-by-case basis. In this regard, it is necessary to ascertain whether the controller or processor truly intends to offer goods or services to data subjects in the EU/EEA. In this regard, the accessibility of a website, the provision of contact details or the use of a language commonly employed in the country where the controller or processor is established is not sufficient to demonstrate intent. However, factors such as the use of a language or a currency generally used in one or more member states with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the EU/EEA, may make it apparent that the controller envisages offering goods or services to data subjects in the EU/EEA.
To determine whether a given processing activity may be considered monitoring of a data subject's behaviour, it must be ascertained whether the person is tracked online, including the potential use of data processing techniques which constitute profiling.
Entities that are caught by the GDPR based on the abovementioned criteria must appoint a representative established in the Member State of the data subjects whose personal data are processed in relation to the offering of goods or services or whose behaviour is monitored. More information on this subject will be provided in our next GDPR newsletter.
Furthermore, the GDPR applies to the processing of personal data by a non-EU/EEA controller established in a place where EU/EEA law applies by virtue of public international law.
Takeaways and to do's
Relevant articles and recitals
- Material scope: Recitals 14-20, 26, 27 and 30 and Article 2
- Territorial scope: Recitals 22-25 and Article 3
- Appointment of a representative: Article 27