Guidelines on the territorial scope of the GDPR 

The EDPB published its finalised Guidelines 3/2018  on the territorial scope of the GDPR on 12 November 2019 (the “Guidelines”). The purpose of the Guidelines is to help controllers, processors and supervisory authorities in determining whether a particular processing activity falls within the territorial scope of the GDPR. Indeed, for the main criteria of Article 3 of the GDPR (the “establishment” and the “targeting” criteria), the EDPB developed an approach for determining whether or not the GDPR applies to a specific data processing activity. The Guidelines also provide some useful information regarding the (non-)designation of a representative for controllers or processors not established in the EU as well as its related obligations and responsibilities. 

The following observations can be made regarding the updated Guidelines: 

  • the application of Article 3 aims at determining whether a particular processing activity (on a processing-by-processing basis), rather than a (legal or natural) person falls within the scope of the GDPR. Therefore, for the same controller/processor, certain processing of personal data might fall within the scope of the GDPR, while other processing might not (we underline);
  • where a non-EU controller or processor ‘inadvertently or incidentally‘ targets its goods or services at a data subject located in the EU, such processing of personal data will not fall within the scope of the GDPR.
  • still on the targeting criterion, regarding processors not established in the EU, the EDPB specifies that their processing activities can fall within the scope of the GDPR if they are ‘related’ to the targeting activities of the controller. 
  • the EDPB emphasizes that the representative is not liable in place of the non-EU controller or processor that it represents. The representative’s direct liability is limited to its direct obligations referred to in Article 30 (record-keeping) and Article 58(1)(a) (respond to information requests from the supervisory authority) of the GDPR. The EDPB also specifies that the role of a representative in the EU is not compatible with the role of a Data Protection Officer.

This may also interest you :

Related expertise