The European Data Protection Board (EDPB) clarified the territorial scope of the GDPR (Regulation 2016/679/EU)
The EDPB, which is composed of representatives of the national data protection authorities and is charged with ensuring the consistent application of data protection rules throughout the European Union, published Guidelines 3/2018 on the GDPR’s territorial scope of application on 16 November 2018. This version has been redacted for public inspection.
The « Establishment » criterion
First, regarding the « Establishment » criterion, the EDPB stresses that if either the data processor or the controller is established in the territory of the European Union, they must comply with the Regulation. This rule encompasses the odd situation where a data processor established in the territory of the European Union processes data, without targeting European individuals, on behalf of a controller located outside the Union.
The « targeting » criterion
Second, according to the « targeting » criterion, a controller or a processor must comply with the GDPR if its activity targets individuals in the territory of the European Union. The EDPB recommends a twofold approach: first determine whether the data processing concerns European individuals, then determine whether it relates to the offering of goods or services, or to the monitoring of data subjects’ behaviour in the Union.
Other aspects addressed
The EDPB also clarifies how far the Regulation reaches by illustrating other specific situations, for instance the case in which a Member State’s law may apply by virtue of public international law to a processor or a controller established in a non-Union state. It has also examined the obligations and responsibilities of representatives of controllers and processors not located in the Union.