Selen Özkan
Legal Intern
Territorial Scope of GDPR for Non-EU Companies
General Data Protection Regulation (“GDPR”) has entered into force May 25, 2018. Article 3 of the GDPR determines territorial principle of the GDPR and it could be the most controversial provision of the GDPR. In this context, the European Data Protection Board published the Guidelines 3/2018 on the territorial scope of the GDPR on November 16, 2018 (“Guideline”). Article 3(1) of GDPR states that “Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” This provision considers “establishment” criterion of application. Article 3(2) of GDPR provides the situation in which the GDPR applies to a data controller or data processor not established in the Union. This provision is based on the “targeting” criterion.[1]
The Establishment Criterion of Article 3(1)
Article 3(1) provides that GDPR applies to the personal data processing by the data controller or processor which is conducted in the context of the activities of an establishment in the Union even the processing is outside the EU. It is first consideration is “an establishment in the Union”. Recital 22 of the GDPR clarifies the establishment: “[e]stablishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.”.[2] According to Recital 22, any activities even if performed by one employee or agent can be exercised through stable arrangement. For instance, a car manufacturing company with headquarters in the US has a branch and office located in Brussels to conduct marketing and advertisement activities. The Belgian branch can be considered to be a stable arrangement, which exercises real and effective activities in light of the nature of the economic activity carried out by the car manufacturing company. As a result the Belgian branch could be considered as an establishment in the Union, within the meaning of the GDPR.[3]
The Court of Justice of European Union's ("CJEU") held two significant decisions on the territorial scope based on "establishment" criterion. The first one is Google Spain Decision where Google Inc. is a company based United States. However, Google carries out personal data processing in the EU via Google Spain.[4] Even though the headquarters of Google Spain is outside the EU because of inextricably linked to Google Inc. the EU law can be applicable for Google Spain. The second decision is Weltimmo case. According to this decision having one representative in the EU who is conducting a sufficient degree of stability for provision of specific services of a company based outside of EU can be considered constitute a stable arrangement and therefore EU legislation can be applied to a representative.[5] According to Guideline, the inextricable link is considered case by case and if there is an inextricable link between the activities of an EU establishment and the processing of data carried out by a non-EU controller, GDPR will be apply that processing activities even the EU establishment does not have any role.
As a result, a company which based in the Turkey has a representative or agent in the EU which processes the personal data and if it is determined a inextricable link between processing activities in the EU and the Turkish company, the company in Turkey can be subject to GDPR.
The Targeting Criterion of Article 3(2)
According to Article 3(2), data controller or processor could be subject to GDPR even though they are not established in the EU. Such Article states that "This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union." Article 3(2) may be regarded as it extends the scope of GDPR application and power due to applicability of the GDPR to a data controller or processor who is not established in EU but targets the EU residents.
Data subject of processing personal data shall be a natural person and EU resident in order to apply GDPR. It is not based the citizenship but residence criterion. Briefly, if processing of personal data activities which is offering goods and services or monitoring the data subjects targets the EU residents, the controller or processor can be subject to GDPR even though their establishment is in the outside EU.
According to Guideline, targeting criterion towards data subjects of personal data processing activities who is in the EU during the related processing activities takes places.[6] However, personal data subjects in the EU but absence the targeting data subjects in the EU, is not adequate for GDPR to be have power and applicable. For instance, U.S citizens downloads an app which is offered by U.S. company while their Europe holiday, this processing activities is not subject to GDPR since the app is directed the U.S. markets and there is no targeting element.[7]
In addition to this, Recital 23 states that "mere accessibility of controller's, processor's or an intermediary's website in the union, of an e-mail address or of other contact details, or use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods and services to data subjects in the Union”. To illustrate, a website which is controlled by Turkish company provides services editing, printing and shipping photos to EU countries, also this website is available for such member state language such as French, Dutch etc. and payments is made only in Euros and Sterling. Therefore, it is clear that this processing activities may be subject to GDPR.[8]
Consequently, a Turkish company which specifically targets the EU residents by offering good and services and monitoring and data subjects of processing activities in the EU at the moment of such activities, will be under to data protection of GDPR.
Conclusion
Territory scope of GDPR is one of the most significant and controversial issue due to its ambiguous. It is not clarified in the GDPR enough therefore; the Guideline needs to explain Article 3 with examples. However, it should be noted that the guidelines or recitals are non-binding sources, they only provide the interpretation of provisions.
As a result, according to Article 3, a company which is outside of EU shall be comply with GDPR, if a company has a representative which has a stable arrangement activity in the EU and/or establishment (agent, branch etc.) whose activities have inextricable link with non-EU company in the EU.
In addition to this, if the non-EU company targets the EU residents according to criterions of Recital 23, then such company shall comply with GDPR due to targeting criterion of Article 3. Therefore, a company which will reach the EU result of its activities, shall consider the compatibility of the GDPR primarily.
[1] General Data Protection Regulation, May 25, 2018.
[2] Recital 22 of the GDPR: “Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.”
[3] Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - Version for public consultation Adopted on 16 November 2018
[4] CJEU, Google Spain, Case C 131/12
[5] CJEU 1 October 2015, C-230/14 (Weltimmo), para. 30.
[6] Guideline 3/2018 on the territorial scope of the GDPR (Article 3), pg 13
[7] Guideline 3/2018 on the territorial scope of the GDPR (Article 3), pg 14
[8] Guideline 3/2018 on the territorial scope of the GDPR (Article 3), pg 16