December 3, 2018
The territorial scope of the GDPR is determined by Article 3.
The EDPB says that Article 3 of the GDPR reflects the legislature’s intention to ensure comprehensive protection of EU data subjects’ rights and to establish a level playing field across the EU in the context of worldwide data flows.
Article 3 of the GDPR defines the territorial scope of the Regulation on the basis of two main criteria: the “establishment” criterion as per Article 3(1), and the “targeting” criterion as per Article 3(2). Where one of these two criteria is met, the relevant provisions of the GDPR will apply to the processing of personal data by the overseas controller or processor concerned. In addition, Article 3(3) confirms the application of the GDPR to the processing of data where Member State law applies.
The EDPB explains that the purpose of the Guidelines is to ensure consistent application of the GDPR when assessing whether the processing concerned falls within the scope of the new EU legal framework. The Guidelines set out and clarify the criteria for determining the application of the territorial scope of the GDPR.
Controllers or processors not established in the EU, but engaging in processing activities within Article 3(2), are required to designate a representative in the EU. The Guidelines provide clarification on the process involved and the representative’s responsibilities and obligations.
As a general principle, the EDPB says that where the processing of personal data falls within the territorial scope of the GDPR, all provisions of the Regulation apply to such processing. The Guidelines specify the various scenarios that might arise, depending on the type of processing activities and the entity carrying out those processing activities or the location of such entities. The Guidelines also detail the provisions applicable to each situation.
The consultation is open until 18 January 2019. To access the Guidelines, click here.