Does the GDPR apply to every (legal or natural) person on the planet?
No.
As with other laws and regulations, the GDPR only applies to situations falling under its territorial scope.
In this installment of our guide, we’ll break down the territorial scope of the Regulation as clearly and thoroughly as possible, analyzing the three different criteria set forth by Article 3.
Spoiler alert: the GDPR might apply to you even if you’re not based in the EU.
GDPR & Territorial Scope: Article 3(1), the “Establishment” Criterion
According to Article 3(1), GDPR:
«This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.»
The clause is a bit convoluted (understatement), but the principle underpinning it is simple:
If you have an establishment in the EU, the GDPR applies to all data processing activities carried out in relation to that establishment (regardless of where the processing occurs).
What’s not that simple, on the other hand, is assessing whether you have an establishment or not.
GDPR & Territorial Scope: What’s an “establishment”?
In 2019 the EDPB (a.k.a. the European Data Protection Board, the independent European body tasked with ensuring consistent application of the GDPR) issued its “Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – version adopted after public consultation.”
In the guidelines, the Board dealt in depth with the “establishment” notion. According to the EDPB:
«[…] the GDPR does not provide a definition of “establishment” for the purpose of Article 3. However, Recital 22 clarifies that an “[e]stablishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.”»
To sum it up: An establishment is “something” (it can be a company or organization’s branch, but it can be way less than that) operating in the EU through stable arrangements. The legal form doesn’t matter.
What does that mean in practice?
If you are a natural person and live in the EU or represent a legal person whose registered office is in the EU, you have an establishment in the Union.
If you run a non-EU company, but that company has a branch or a subsidiary with legal personality in the EU, you have an establishment in the Union.
So far, so good.
But since the legal form doesn’t matter, you could have an establishment in the Union even if it has no legal personality of its own, as long as it operates through “stable arrangements.”
Indeed, the guidelines go on to add:
«The fact that the non-EU entity responsible for the data processing does not have a branch or subsidiary in a Member State does not preclude it from having an establishment there within the meaning of EU data protection law.»
In particular:
«The threshold for “stable arrangement” can actually be quite low when the centre of activities of a controller concerns the provision of services online. As a result, in some circumstances, the presence of one single employee or agent of a non-EU entity in the Union may be sufficient to constitute a stable arrangement (amounting to an ‘establishment’ for the purposes of Art 3(1)) if that employee or agent acts with a sufficient degree of stability.»
Whether a particular arrangement qualifies as “stable” (thus triggering the applicability of the GDPR) has to be ascertained on a case-by-case basis. If you are in doubt, consult with a lawyer.
GDPR & Territorial Scope: “In the Context of the Activities”
Not all data processing carried out by an entity with an EU-based establishment has to comply with the GDPR.
According to Article 3(1), the Regulation only applies to the processing of personal data “in the context of the activities” of the EU-based establishment.
The formula is a bit fuzzy – and deliberately so, as the GDPR’s drafters didn’t want the provision to be too limited.
Even the EDPB’s guidelines are somewhat vague. According to the Board, determining when processing happens in the context of the activities of the establishment should be done “on a case-by-case basis and based on an analysis in concreto.”
The EDPB, however, explained that “in the context of the activities of the establishment” doesn’t mean “by the establishment.” As a result, some data processing activities could be covered by the Regulation even if the EU-based establishment does not perform them.
According to the Board, two factors should be considered to determine whether data processing is carried out “in the context of the activities” of the establishment:
- The relationship between a data controller outside the Union and its local establishment in the Union, and
- Whether revenue is raised in the Union.
If, in light of these factors, there is what the Board calls “an inextricable link” between the activities of the EU establishment and the processing carried out by the non-EU controller, that processing will fall under the GDPR’s scope.
Is it easy to determine when a link is “inextricable”?
Nope.
Again, this is one of those areas where you’d want to seek legal advice.
GDPR & Territorial Scope: Article 3(2), the “Target” Criterion
Let’s assume you don’t have anything even remotely resembling an “establishment” in the EU. What then?
Well, the GDPR might still apply to you by virtue of Article 3(2), according to which:
«This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.»
Translated from legalese, this provision means that the GDPR will apply in two cases:
Case 1:
- You offer goods or services
- To a data subject in the EU.
Case 2:
- You monitor the behavior
- Of a data subject in the EU
- And said behavior takes place in the EU.
GDPR & Territorial Scope: Offering Goods or Services to People in the EU
As a general rule, if you offer services or goods to people in the EU (even if you provide them for free), you fall under the territorial scope of the GDPR.
Before you panic or curse the EU, keep in mind that the EDPB has clarified that merely having a product or service available to EU-based individuals does not amount to “offering.”
Building on the wording of Recital 23, GDPR, the EDPB highlighted that the “offer” must be intentional. In the Board’s own words, «when goods or services are inadvertently or incidentally provided to a person on the territory of the Union, the related processing of personal data would not fall within the territorial scope of the GDPR.»
Whether an offer is taking place (thus triggering the applicability of the GDPR) is something that should be established – you guessed it – on a case-by-case basis.
However, in its guidelines, the EDPB has listed several elements that can be evaluated (sometimes in combination with one another) to figure out whether a data controller is “offering goods or services to people in the EU,” such as the use of a Member State’s language or currency, a Member State’s top-level domain, references to customers in the Union, or the offer of delivery to Member States.
If you’re still in doubt, first, we feel you, and second: consult a lawyer.
GDPR & Territorial Scope: Monitoring the Behavior of People in the EU
The GDPR will apply to you regardless of your location if you monitor the behavior of people who are in the EU, as far as that behavior takes place within the Union.
The Regulation doesn’t explicitly define “monitoring.” But we can infer from Recital 24 that monitoring occurs when “natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”
In its guidelines, the EDPB has further expanded on the definition. Although Recital 24 only mentions tracking on the internet, the Board maintains that tracking through other types of network or technology should also count as monitoring.
At the same time, however, the Board stressed that not all online collection or analysis of personal data of individuals should automatically be considered “monitoring.” Instead, it’s necessary to consider why controllers processed the data and, in particular, whether they carried out behavioral analysis or employed profiling techniques.
The EDPB went on to list examples of monitoring activities. Those include:
- Behavioral advertisement
- Geo-localization activities, in particular for marketing purposes
- Online tracking through the use of cookies or other tracking techniques such as fingerprinting
- Personalized diet and health analytics services online
- CCTV
- Market surveys and other behavioral studies based on individual profiles
- Monitoring or regular reporting on an individual’s health status.
The list is not exhaustive, so consult with a lawyer if you’re still in doubt (yeah, we sound like a broken record).
GDPR & Territorial Scope: Data Subject in the EU
In referring to people who get offered goods or services or whose behavior gets monitored, we’ve always talked about people in the EU – and not EU citizens.
Article 3(2) focuses on physical presence: neither citizenship nor residence nor any other legal status matters, as long as the person is in the EU at the moment the goods or services are offered or the behavior is monitored (the EDPB stresses that location is assessed at the moment of that “trigger” activity).
Presence alone, however, is not enough. The EDPB has clarified in its guidelines that, for Article 3(2) to apply, the controller or processor must deliberately and intentionally target individuals knowing they are in the EU; processing that merely happens to involve someone who is in the EU at the time is not caught.
Conversely, the processing of an EU citizen’s personal data might not fall under the GDPR when said person is abroad, even if products/services are offered to them, or their behavior is monitored, while they are there.
GDPR & Territorial Scope: Article 3(3), Places Where Member State Law Applies
We have two pieces of good news: first, this criterion is probably the most straightforward among the ones we’ve examined, and second, it’s unlikely you’ll have to worry about it anyway.
Article 3(3) provides that
«This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.»
The provision has a fairly limited scope: the typical case, and the one Recital 25 gives as an example, is data processing carried out by a Member State’s diplomatic missions and consular posts, i.e. embassies and consulates located outside the EU.
That’s it.
GDPR & Territorial Scope: the Takeaway
Do not assume that, just because you don’t live in Europe, the GDPR is something you can happily forget about. This might be a common misconception, but it’s a misconception nevertheless.
The GDPR applies to everyone who
- Has an establishment in the EU
- Offers goods or services to people in the EU
- Monitors the behavior of people in the EU, or
- Operates in a place where Member State law applies by virtue of international law.
Though the last case is unlikely to affect you, it is worth checking whether you fall into one of the other categories.
And if you do, you might want to start learning more about the GDPR – and looking for GDPR-compliant solutions.