The GDPR applies to the processing of personal data in the context of the activities carried out in the EU by controllers or processors established in the EU, regardless of whether the processing takes place in the EU or not).
The GDPR applies to the data processing under GDPR Article 3(2) if it is carried out by a controller or processor operating in the EU through stable arrangements, regardless of the legal form, and the processing is carried out in connection with its establishment in the EU.
The GDPR may apply to the processing of personal data by a controller who does not have an establishment in the EU, but the processing relates to the non-incidental offering of goods or services to natural persons residing in the EU (regardless of their nationality or legal status).
The GDPR may apply to the processing of personal data by a controller who does not have an establishment in the EU, but the processing involves the collection of personal data for the purpose of monitoring the behaviour of natural persons present in the EU, in particular for the purpose of making a subsequent decision concerning those persons or analysing/predicting their personal preferences, behaviours and attitudes.
What is the territorial scope of the GDPR?
In general, from a territorial point of view, the GDPR applies to the processing of personal data:
Carried out in the European Union by entities established in the European Union;
Carried out in connection with the activities of the controllers or processor’s establishment in the European Union, regardless of whether the processing takes place in the European Union;
In respect of natural persons residing in the European Union, by a controller or processor who does not have an establishment in the European Union, if the processing activities entail:
Offering goods or services to those data subjects in the European Union, whether or not they have to pay for them; or
The monitoring of the behaviour of those data subjects, provided that it takes place in the European Union;
Carried out by a controller who does not have an establishment in the European Union but has an establishment in a place where the law of a Member State is applicable under international public law.
Re 1: Processing of personal data in the EU by an entity established in the EU
The most common and obvious case in which the GDPR applies on territorial grounds is the case – which follows from the general principles of territorial application of law - where the GDPR applies to the processing of personal data in the European Union by entities established in the European Union.
Importantly, the GDPR applies to such processing, in principle, whether it concerns personal data of individuals residing inside or outside the European Union.
Re 2: Application of the GDPR to the processing of personal data carried out in connection with the activities of the establishment of the controller or processor in the EU
The GDPR will also apply to the processing of personal data where:
There is a controller or processor who has an establishment in the European Union and, at the same time;
That establishment processes personal data and the processing is carried out by the establishment in connection with the activities of the establishment in the European Union.
Importantly, in this situation, the GDPR applies regardless of the place of data processing and, in particular, regardless of whether, from a practical, technical or operational point of view, the actual processing of personal data takes place within the territory of the European Union or (even in its entirety) outside of the European Union.
When is there an establishment of a controller or processor in the European Union for the purposes of the GDPR?
Firstly, for this basis for territorial application of the GDPR to arise, we must be dealing with a controller or processor of personal data within the meaning of the GDPR (see the commentary on Article 4).
Secondly, such a controller or processor must have a so-called ‘establishment’ in the European Union within the meaning of the GDPR. The GDPR does not provide a legal definition of ‘establishment’, however, Recital 22 of the GDPR indicates that this concept implies the
effective and real exercise of an activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not decisive in this respect.
According to the aforementioned recital, the question of the stability of the arrangements used by the controller or processor to carry out business activities in the European Union is crucial when assessing the applicability of the GDPR on the basis of the premise in question. If the organisation of such activities is indeed carried out through arrangements that lack stability in the EU (e.g., ad hoc or incidental in nature), the GDPR will, generally, not apply to the processing of personal data carried out in connection with activities conducted through such arrangements. On the other hand, if the organisation of such activities is effectively carried out through stable arrangements in the EU, the GDPR may apply to the processing of personal data carried out in connection with the activities pursued through such arrangements.
The assessment of the degree of stability of the arrangements made to carry out for commercial activities in the European Union requires an analysis of the individual facts, taking into account the circumstances and context of each case. Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), version 2.0, 12 November 2019, published by the European Data Protection Board (EDPB), may be helpful in making such an assessment (“Guidelines on GDPR Article 3”).
According to the Guidelines on GDPR Article 3,
The threshold for a “stable arrangement” may in fact be quite low where the focus of a controller’s activities is the provision of online services. As a result, in some circumstances, the presence of a single employee or agent of a non-EU entity in the EU (constituting an “establishment” within the meaning of Article 3(1)) may be a sufficient to constitute a stable arrangement, if that employee or agent acts with a sufficient degree of stability.
In light of the above, there is therefore a strong case for confirming that a non-EU entity has an establishment in the European Union, for example, in a situation where it operates as an online portal and has an employee from the European Union to independently service the customers of that portal.
The Guidelines on GDPR Article 3 go on to say that
where an employee is based in the EU, but the processing is not carried out in the context of the activities of the EU-based employee in the Union (i.e. the processing relates to the controller’s activities outside the EU), the mere presence of an employee in the EU does not bring that processing within the scope of the GDPR. In other words, the mere presence of an employee in the EU is not in itself sufficient to trigger the application of the GDPR, as the processing in question must also be carried out in the context of the activities of the EU-based employee in order to fall within the scope of the GDPR.
Returning to the example given in the paragraph above, if an EU employee of the operator of an online portal were to provide services to non-EU individuals, there would be grounds to argue that the GDPR does not apply to the processing of those individuals’ data (which does not, however, exclude the risk that the GDPR must apply to the processing of that employee's own personal data).
The Guidelines on GDPR Article 3 further state that,
although the concept of establishment is broad, it is not without limits. It cannot be concluded that the non-EU entity has an establishment in the Union merely because the entity’s website is accessible in the Union.
Returning to the previous example, if a website portal is accessible in the European Union but is not intended for persons from the European Union, the mere fact that the portal is accessible in the European Union would not be sufficient to assert that the portal operator has an establishment in the European Union and, therefore, that the processing of portal users' data is subject to the GDPR.
In summary, within the meaning of the GDPR, a controller or processor has a so-called 'establishment' in the European Union if it effectively and actually carries out its activities in the European Union through stable arrangements (i.e. in particular those that are not of an ad hoc or incidental nature), regardless of the legal form of those arrangements or the lack of legal form.
For the purposes of the GDPR, when is there a processing of personal data by an establishment in the European Union in connection with the activities of that establishment in the European Union?
For the GDPR to apply to the processing of personal data carried out by a controller’s or processor’s establishment in the European Union, the processing carried out by that establishment must be carried out in connection with the activities of that establishment in the European Union. This means that if an establishment of a non-EU entity processes personal data in connection with an activity other than the activities of that establishment in the European Union, and that other activity involves, for example, individuals outside the European Union, there will be grounds to argue that the GDPR does not apply to that processing.
In practice, it may be difficult to assess whether a particular data processing operation is carried out in connection with the activities of an establishment in the European Union. Similarly to the assessment of the existence of an establishment in the European Union, the analysis of whether an activity is carried out in connection with the activities of an establishment in the European Union requires an examination of individual facts on a case-by-case basis, taking into account the circumstances and context of the particular case. Important practical advice in this regard is provided by the Guidelines on GDPR Article 3, according to which,
in order to determine whether a controller or processor processes data in connection with their establishment in the EU, the following two factors should be taken into account:(i) the relationship between the controller or processor outside the Union and its local establishment in the Union and (ii) the generation of revenue in the Union.
With regard to the aforementioned relationship between a controller or processor outside the Union and their local establishment in the Union, the Guidelines on GDPR Article 3 state that
the data processing activities of a data controller or processor established outside the EU may be inextricably linked to the activities of a local establishment in a Member State, thereby triggering the applicability of EU law, even if that local establishment does not actually play any role in the data processing itself. If a case-by-case analysis of the facts shows that there is an inextricable link between the processing of personal data by a non-EU controller or processor and the activities of an EU establishment, EU law will apply to that processing by the non-EU entity, whether or not the EU establishment plays a role in that processing.
It appears that the question of the existence of an “inextricable link” as referred to above should be examined taking into account, in particular, the subject matter of the activities of the controller and the EU establishment, as well as the nature of the formal and de facto links between them. In practice, this inextricable link will exist where the activities of the establishment in the EU are identical to the activities carried out by a EU controller or processor from outside the EU, or are completely functionally subordinate to the activities carried out by a non-EU controller or processor. Importantly, where it is established that there is an inextricable link between the data processing carried out by a non-EU controller or processor and activities carried out by its establishment in the EU, all such processing (i.e. carried out by both the establishment and the controller or processor) will, in principle, be subject to the provisions of the GDPR.
With regard to the generation of revenue in the European Union mentioned above, the Guidelines on GDPR Article 3 state that
the generation of revenue in the EU by a local establishment, to the extent that such activities can be considered as “inextricably linked” to the processing of personal data taking place outside the EU and individuals in the EU, may be indicative of processing by a non-EU controller or processor being carried out ‘in the context of the activities of the EU establishment’, and may be sufficient to result in the application of EU law to such processing.
In summary, the GDPR applies to the processing based on GDPR Article 3(1) if that processing is carried out by a controller or processor who is involved in the effective and real exercise of activities in the European Union through stable arrangements (meaning, in particular, those that they are not ad hoc or incidental), regardless of the legal form of those arrangements or its lack (i.e. they have an ‘establishment’ in the EU) and, at the same time, the processing is carried out by the controller or processor in relation to its establishment in the EU and the existence of this relationship is to be assessed in light of the following criteria:
The nature of the relationship (i.e. whether it is functionally inseparable) between the controller or processor outside the EU and its local establishment in the EU;
Whether the establishment generates revenue in the EU and whether this fact can be ‘inextricably linked’ to the processing of personal data by a controller established outside the EU.
Re 3a: The application of the GDPR by virtue of the processing of personal data by a controller or processor that does not have an establishment in the EU, where the processing relates to individuals residing in the EU and involves the offering of goods or services to such individuals in the EU
The GDPR also applies to the processing of personal data where:
A controller or processor who does not have an establishment in the EU processes personal data relating to individuals residing in the EU and, at the same time;
The activities of such processing of personal data involve the offering of goods or services to such individuals in the European Union.
When can the processing of personal data be considered to be carried out by a controller or processor not established in the European Union?
For this basis of application of the GDPR to apply, firstly, it must be a controller or processor of personal data within the meaning of the GDPR - more on these concepts in the commentary on Article 4. Secondly, such a controller or processor must not have an ‘establishment’ in the European Union within the meaning of the GDPR (more on this concept above). In general, a controller or processor does not have an establishment in the European Union within the meaning of the GDPR if it does not exercise its activities in the European Union in an effective and real manner and through stable arrangements, regardless of the legal form of those arrangements (for example, it does not employ staff in the European Union or have a company or branch in a Member State of the European Union).
When can personal data processing activities carried out by a controller or processor not established in the European Union be considered to involve the offering of goods or services to persons in the European Union?
For the GDPR to apply to the processing of personal data by a controller or processor not established in the European Union, the processing must involve the offering of goods or services to persons in the European Union.
The GDPR does not define the term ‘offering goods or services’. It appears that the term should be understood in a colloquial way, i.e. that it refers to activities aimed at presenting an offer or an opportunity to a potential customer to purchase a particular good or service. Additional guidance is provided in Recital 23 of the GDPR, which states that
in order to determine whether such a controller or processor offers goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor intends to offer services to data subjects in one or more Member States of the Union. While the mere accessibility of the controller’s, processor’s or intermediary’s website in the Union, of an e-mail address or other contact details, or the use of a language commonly used in the third country where the controller is established, is not sufficient to ascertain such an intention, factors such as the use of a language or currency used in one or more Member States, with the possibility of ordering goods and services in that other language, or the mention of customers or users who are in the Union, may indicate that the controller intends to offer goods or services to data subjects in the Union.
The analysis of whether an activity constitutes “offering goods or services” to individuals in the European Union within the meaning of GDPR Article 3 requires an examination of the individual facts of each case, taking into account the circumstances and context of the case. The instructions provided in the Guidelines on GDPR Article 3 are helpful in this regard. The European Data Protection Board (EDPB) points out in the Guidelines that, in order to assess whether an activity constitutes an “offer of goods or services” to individuals in the European Union within the meaning of Article 3 GDPR, “a two-pronged approach is recommended in order to determine, first, whether the processing concerns personal data of data subjects residing in the Union and, second, whether the processing concerns an offer of goods or services (...)”.
When does processing concern personal data of individuals residing in the European Union?
The GDPR applies on the basis of GDPR Article 3(2) when the processing concerns individuals residing in the European Union (it is directed at individuals residing in the European Union). According to the Guidelines on GPR Article 3,
although the residence of the data subject in the Union is a determining factor for the application of the ‘targeting’ criterion under Article 3(2), the EDPB considers that the nationality or legal status of the data subject residing in the Union cannot limit the territorial scope of the Regulation.
At the same time, it is stated in the Guidelines on GDPR Article 3 that
therequirement that the data subject be present in the Union should be assessed at the time when the relevant initiating action takes place, i.e. when goods or services are offered.
The EDPS also points out in the Guidelines on GDPR Article 3 that
the processing of personal data of EU citizens or residents that takes place in a third country does not trigger the application of the GDPR, as long as the processing does not relate to a specific offer made to individuals in the EU or to monitoring their behaviour in the Union.
When does the processing refer to offering goods or services?
The GDPR applies, based on GDPR Article 3(2), to data processing carried out in connection with the offering of goods or services by the controller to individuals residing in the European Union. In order to assess whether the processing in question is carried out for the purpose of offering goods or services to individuals residing in the European Union, it is necessary to examine the controller's intentions and purposes. In practice, such an assessment may prove difficult. The Guidelines on GDPR Article 3 recommend that the following factors should be taken into account in the examination, also taking into account the circumstances of the case:
The EU or at least one Member State is mentioned by name in relation to the goods or services offered;
The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union; or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience;
The international nature of the activity at issue, such as certain tourist activities;
The mention of dedicated addresses or phone numbers to be reached from an EU country;
The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”;
The description of travel instructions from one or more other EU Member States to the place where the service is provided;
The mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;
The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member States;
The data controller offers the delivery of goods in EU Member States.
In summary, the processing of personal data in the context of offering goods or services, to which the GDPR may apply, may take place if it is carried out by a controller that does not have an establishment in the European Union and, at the same time, the processing concerns the non-incidental offering of goods or services to natural persons who are actually present in the European Union (regardless of their nationality or legal status).
Re 3b: The application of the GDPR to the processing of personal data by a controller or processor who does not have an establishment in the EU, concerning individuals residing in the EU and involving the monitoring of their behaviour in the EU
The GDPR also applies to the processing of personal data where:
Such processing is carried out by a controller or processor who does not have an establishment in the European Union, but the processing refers to individuals residing in the European Union and, at the same time;
The activities of such processing of personal data involve the monitoring of the behaviour of persons residing in the European Union.
Under what circumstances can the processing of personal data by a controller or processor not established in the European Union be considered to relate to individuals residing in the European Union?
As mentioned above, it can generally be assumed that:
The controller or processor does not have an establishment in the European Union within the meaning of the GDPR if it is not involved in an effective and real exercise of an activity in the European Union through stable arrangements, irrespective of the legal form of those arrangements or the lack thereof;
The processing relates to data subjects residing in the European Union, if the processing concerns individuals actually present in the territory of the European Union, regardless of the nationality or legal status of such individuals.
Under what circumstances can the processing of personal data be considered to involve the monitoring of the behaviour of individuals?
For the GDPR to apply to the processing of personal data carried out by a controller or processor that does not have an establishment in the European Union, the processing must involve the monitoring of the behaviour of individuals residing in the European Union.
The GDPR does not define the concept of “behavioural monitoring”. According to Recital 24 of the GDPR,
in order to determine whether a processing activity can be considered as monitoring the behaviour of data subjects, it should be ascertained whether natural persons are followed on the Internet, including the possible subsequent use of personal data processing techniques which consist in profiling a natural person, in particular in order to make decisions concerning him or her or to analyse or predict his or her personal preferences, behaviours and attitudes.
The analysis of whether an activity constitutes “behavioural monitoring” requires a case-by-case examination of the individual facts, taking into account the circumstances and context of the case. The instructions provided in the Guidelines on GDPR Article 3 are helpful in this regard.
Crucially, the Guidelines on GDPR Article 3 indicate that:
when determining whether a processing activity can be considered as monitoring the behaviour of data subjects, tracking through other types of networks or technologies where personal data is processed [not only on the Internet - author's note], for example through wearable and other smart devices, should also be taken into account.
Nevertheless, the Guidelines on GDPR Article 3 emphasise that the purpose of the processing operation as envisaged by the controller is crucial in assessing whether there is ‘behavioural monitoring’ within the meaning of the GDPR in a particular case.
However, the use of the word “monitoring” implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behaviour within the EU. The EDPB does not consider that any online collection or analysis of personal data of individuals in the EU would automatically count as “monitoring”. It will be necessary to consider the controller’s purpose for processing the data and, in particular, any subsequent behavioural analysis or profiling techniques involving that data.
At the same time, the Guidelines on GDPR Article 3 indicate that if the controller’s purpose is indeed to monitor behaviour, the GDPR may apply to monitoring carried out in the context of a variety of activities, including behavioural advertising, geo-localisation activities (in particular for marketing purposes), online tracking through the use of cookies or other tracking techniques such as fingerprinting, personalised online diet and health analysis services, CCTV, market research and other behavioural research based on individual profiles, monitoring or periodic reporting on an individual's health status.
In summary, data processing in the context of behavioural monitoring, to which the GDPR may apply, may take place when carried out by a controller that does not have an establishment in the European Union and at the same time:
Such processing involves the collection of personal data (in particular via the Internet or other electronic means) for the purpose (as intended by the controller) of monitoring the behaviour of data subjects, in particular for the purpose of taking a subsequent decision concerning those data subjects or analysing or predicting their personal preferences, behaviours and attitudes; and
The processing relates to a natural person who is physically present in the territory of the European Union (regardless of his or her nationality or legal status).
Re 4: The application of the GDPR due to the fact that the processing of personal data is carried out by a controller that does not have an establishment in the EU, but has an establishment in a place where, under international law, the law of a Member State applies
The GDPR also applies to the relatively rare situations where:
We are dealing with a controller who does not have an establishment in the European Union but has an establishment in a place where, under public international law, the law of a Member State of the European Union applies, and at the same time;
This controller processes personal data.
From the point of view of the private sector, the aforementioned premise for the application of the GDPR is of little practical relevance, as it mainly applies to, inter alia, embassies, consulates, seagoing vessels or aircraft (for example, see M. Czerniawski [in:] GDPR. General Data Protection Regulation. Commentary, E. Bielak-Jomaa and D. Lubasz [ed.], Warsaw 2018, Article 3:
Article 3(3) of Regulation 2016/679 is the equivalent of Article 4(1)(b) of Directive 95/46/EC and has little practical relevance as it governs the application of EU data protection rules to, inter alia, embassies, consulates, seagoing vessels or aircraft.
Commentary on art. 3
Territorial Scope
What is the territorial scope of the GDPR?
In general, from a territorial point of view, the GDPR applies to the processing of personal data:
Re 1: Processing of personal data in the EU by an entity established in the EU
The most common and obvious case in which the GDPR applies on territorial grounds is the case – which follows from the general principles of territorial application of law - where the GDPR applies to the processing of personal data in the European Union by entities established in the European Union.
Importantly, the GDPR applies to such processing, in principle, whether it concerns personal data of individuals residing inside or outside the European Union.
Re 2: Application of the GDPR to the processing of personal data carried out in connection with the activities of the establishment of the controller or processor in the EU
The GDPR will also apply to the processing of personal data where:
Importantly, in this situation, the GDPR applies regardless of the place of data processing and, in particular, regardless of whether, from a practical, technical or operational point of view, the actual processing of personal data takes place within the territory of the European Union or (even in its entirety) outside of the European Union.
When is there an establishment of a controller or processor in the European Union for the purposes of the GDPR?
Firstly, for this basis for territorial application of the GDPR to arise, we must be dealing with a controller or processor of personal data within the meaning of the GDPR (see the commentary on Article 4).
Secondly, such a controller or processor must have a so-called ‘establishment’ in the European Union within the meaning of the GDPR. The GDPR does not provide a legal definition of ‘establishment’, however, Recital 22 of the GDPR indicates that this concept implies the
According to the aforementioned recital, the question of the stability of the arrangements used by the controller or processor to carry out business activities in the European Union is crucial when assessing the applicability of the GDPR on the basis of the premise in question. If the organisation of such activities is indeed carried out through arrangements that lack stability in the EU (e.g., ad hoc or incidental in nature), the GDPR will, generally, not apply to the processing of personal data carried out in connection with activities conducted through such arrangements. On the other hand, if the organisation of such activities is effectively carried out through stable arrangements in the EU, the GDPR may apply to the processing of personal data carried out in connection with the activities pursued through such arrangements.
The assessment of the degree of stability of the arrangements made to carry out for commercial activities in the European Union requires an analysis of the individual facts, taking into account the circumstances and context of each case. Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), version 2.0, 12 November 2019, published by the European Data Protection Board (EDPB), may be helpful in making such an assessment (“Guidelines on GDPR Article 3”).
According to the Guidelines on GDPR Article 3,
In light of the above, there is therefore a strong case for confirming that a non-EU entity has an establishment in the European Union, for example, in a situation where it operates as an online portal and has an employee from the European Union to independently service the customers of that portal.
The Guidelines on GDPR Article 3 go on to say that
Returning to the example given in the paragraph above, if an EU employee of the operator of an online portal were to provide services to non-EU individuals, there would be grounds to argue that the GDPR does not apply to the processing of those individuals’ data (which does not, however, exclude the risk that the GDPR must apply to the processing of that employee's own personal data).
The Guidelines on GDPR Article 3 further state that,
Returning to the previous example, if a website portal is accessible in the European Union but is not intended for persons from the European Union, the mere fact that the portal is accessible in the European Union would not be sufficient to assert that the portal operator has an establishment in the European Union and, therefore, that the processing of portal users' data is subject to the GDPR.
In summary, within the meaning of the GDPR, a controller or processor has a so-called 'establishment' in the European Union if it effectively and actually carries out its activities in the European Union through stable arrangements (i.e. in particular those that are not of an ad hoc or incidental nature), regardless of the legal form of those arrangements or the lack of legal form.
For the purposes of the GDPR, when is there a processing of personal data by an establishment in the European Union in connection with the activities of that establishment in the European Union?
For the GDPR to apply to the processing of personal data carried out by a controller’s or processor’s establishment in the European Union, the processing carried out by that establishment must be carried out in connection with the activities of that establishment in the European Union. This means that if an establishment of a non-EU entity processes personal data in connection with an activity other than the activities of that establishment in the European Union, and that other activity involves, for example, individuals outside the European Union, there will be grounds to argue that the GDPR does not apply to that processing.
In practice, it may be difficult to assess whether a particular data processing operation is carried out in connection with the activities of an establishment in the European Union. Similarly to the assessment of the existence of an establishment in the European Union, the analysis of whether an activity is carried out in connection with the activities of an establishment in the European Union requires an examination of individual facts on a case-by-case basis, taking into account the circumstances and context of the particular case. Important practical advice in this regard is provided by the Guidelines on GDPR Article 3, according to which,
With regard to the aforementioned relationship between a controller or processor outside the Union and their local establishment in the Union, the Guidelines on GDPR Article 3 state that
It appears that the question of the existence of an “inextricable link” as referred to above should be examined taking into account, in particular, the subject matter of the activities of the controller and the EU establishment, as well as the nature of the formal and de facto links between them. In practice, this inextricable link will exist where the activities of the establishment in the EU are identical to the activities carried out by a EU controller or processor from outside the EU, or are completely functionally subordinate to the activities carried out by a non-EU controller or processor. Importantly, where it is established that there is an inextricable link between the data processing carried out by a non-EU controller or processor and activities carried out by its establishment in the EU, all such processing (i.e. carried out by both the establishment and the controller or processor) will, in principle, be subject to the provisions of the GDPR.
With regard to the generation of revenue in the European Union mentioned above, the Guidelines on GDPR Article 3 state that
In summary, the GDPR applies to the processing based on GDPR Article 3(1) if that processing is carried out by a controller or processor who is involved in the effective and real exercise of activities in the European Union through stable arrangements (meaning, in particular, those that they are not ad hoc or incidental), regardless of the legal form of those arrangements or its lack (i.e. they have an ‘establishment’ in the EU) and, at the same time, the processing is carried out by the controller or processor in relation to its establishment in the EU and the existence of this relationship is to be assessed in light of the following criteria:
Re 3a: The application of the GDPR by virtue of the processing of personal data by a controller or processor that does not have an establishment in the EU, where the processing relates to individuals residing in the EU and involves the offering of goods or services to such individuals in the EU
The GDPR also applies to the processing of personal data where:
When can the processing of personal data be considered to be carried out by a controller or processor not established in the European Union?
For this basis of application of the GDPR to apply, firstly, it must be a controller or processor of personal data within the meaning of the GDPR - more on these concepts in the commentary on Article 4. Secondly, such a controller or processor must not have an ‘establishment’ in the European Union within the meaning of the GDPR (more on this concept above). In general, a controller or processor does not have an establishment in the European Union within the meaning of the GDPR if it does not exercise its activities in the European Union in an effective and real manner and through stable arrangements, regardless of the legal form of those arrangements (for example, it does not employ staff in the European Union or have a company or branch in a Member State of the European Union).
When can personal data processing activities carried out by a controller or processor not established in the European Union be considered to involve the offering of goods or services to persons in the European Union?
For the GDPR to apply to the processing of personal data by a controller or processor not established in the European Union, the processing must involve the offering of goods or services to persons in the European Union.
The GDPR does not define the term ‘offering goods or services’. It appears that the term should be understood in a colloquial way, i.e. that it refers to activities aimed at presenting an offer or an opportunity to a potential customer to purchase a particular good or service. Additional guidance is provided in Recital 23 of the GDPR, which states that
The analysis of whether an activity constitutes “offering goods or services” to individuals in the European Union within the meaning of GDPR Article 3 requires an examination of the individual facts of each case, taking into account the circumstances and context of the case. The instructions provided in the Guidelines on GDPR Article 3 are helpful in this regard. The European Data Protection Board (EDPB) points out in the Guidelines that, in order to assess whether an activity constitutes an “offer of goods or services” to individuals in the European Union within the meaning of Article 3 GDPR, “a two-pronged approach is recommended in order to determine, first, whether the processing concerns personal data of data subjects residing in the Union and, second, whether the processing concerns an offer of goods or services (...)”.
When does processing concern personal data of individuals residing in the European Union?
The GDPR applies on the basis of GDPR Article 3(2) when the processing concerns individuals residing in the European Union (it is directed at individuals residing in the European Union). According to the Guidelines on GPR Article 3,
At the same time, it is stated in the Guidelines on GDPR Article 3 that
The EDPS also points out in the Guidelines on GDPR Article 3 that
When does the processing refer to offering goods or services?
The GDPR applies, based on GDPR Article 3(2), to data processing carried out in connection with the offering of goods or services by the controller to individuals residing in the European Union. In order to assess whether the processing in question is carried out for the purpose of offering goods or services to individuals residing in the European Union, it is necessary to examine the controller's intentions and purposes. In practice, such an assessment may prove difficult. The Guidelines on GDPR Article 3 recommend that the following factors should be taken into account in the examination, also taking into account the circumstances of the case:
In summary, the processing of personal data in the context of offering goods or services, to which the GDPR may apply, may take place if it is carried out by a controller that does not have an establishment in the European Union and, at the same time, the processing concerns the non-incidental offering of goods or services to natural persons who are actually present in the European Union (regardless of their nationality or legal status).
Re 3b: The application of the GDPR to the processing of personal data by a controller or processor who does not have an establishment in the EU, concerning individuals residing in the EU and involving the monitoring of their behaviour in the EU
The GDPR also applies to the processing of personal data where:
Under what circumstances can the processing of personal data by a controller or processor not established in the European Union be considered to relate to individuals residing in the European Union?
As mentioned above, it can generally be assumed that:
Under what circumstances can the processing of personal data be considered to involve the monitoring of the behaviour of individuals?
For the GDPR to apply to the processing of personal data carried out by a controller or processor that does not have an establishment in the European Union, the processing must involve the monitoring of the behaviour of individuals residing in the European Union.
The GDPR does not define the concept of “behavioural monitoring”. According to Recital 24 of the GDPR,
The analysis of whether an activity constitutes “behavioural monitoring” requires a case-by-case examination of the individual facts, taking into account the circumstances and context of the case. The instructions provided in the Guidelines on GDPR Article 3 are helpful in this regard.
Crucially, the Guidelines on GDPR Article 3 indicate that:
Nevertheless, the Guidelines on GDPR Article 3 emphasise that the purpose of the processing operation as envisaged by the controller is crucial in assessing whether there is ‘behavioural monitoring’ within the meaning of the GDPR in a particular case.
At the same time, the Guidelines on GDPR Article 3 indicate that if the controller’s purpose is indeed to monitor behaviour, the GDPR may apply to monitoring carried out in the context of a variety of activities, including behavioural advertising, geo-localisation activities (in particular for marketing purposes), online tracking through the use of cookies or other tracking techniques such as fingerprinting, personalised online diet and health analysis services, CCTV, market research and other behavioural research based on individual profiles, monitoring or periodic reporting on an individual's health status.
In summary, data processing in the context of behavioural monitoring, to which the GDPR may apply, may take place when carried out by a controller that does not have an establishment in the European Union and at the same time:
Re 4: The application of the GDPR due to the fact that the processing of personal data is carried out by a controller that does not have an establishment in the EU, but has an establishment in a place where, under international law, the law of a Member State applies
The GDPR also applies to the relatively rare situations where:
From the point of view of the private sector, the aforementioned premise for the application of the GDPR is of little practical relevance, as it mainly applies to, inter alia, embassies, consulates, seagoing vessels or aircraft (for example, see M. Czerniawski [in:] GDPR. General Data Protection Regulation. Commentary, E. Bielak-Jomaa and D. Lubasz [ed.], Warsaw 2018, Article 3: