Who is entitled to assert the GDPR’s data subject rights? Against whom? This article provides a brief overview of the territorial scope of the GDPR.
What is the GDPR?
The General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) is a European law that came into force in 2016. The GDPR is a regulation and as such applies generally and directly to all EU member states (pursuant to Article 288 (2) TFEU). In contrast to directives, the GDPR has effects on all member states without the need for implementation into national law. It has been applicable to all EU member states since May 25, 2018.
The GDPR ensures the harmonisation and equal standards of data protection law between the member states. It also allows them to deviate from certain provisions through so-called opening clauses. This gives the EU member states their own regulatory leeway and the possibility of concretising the GDPR by adapting and modifying the provisions to their own national law.
Territorial scope of the GDPR
The territorial scope of the GDPR is established in Article 3 GDPR and has not only territorial but also extraterritorial effects. Furthermore, the GDPR provides for uniform rules between companies located inside and outside Europe. The following is stipulated:
Establishment principle (paragraph 1)
This principle covers personal data that is processed by the activities of a branch of the controller or processor within the Union. For example, the GDPR applies if a company based outside Europe has a branch in Europe and processes data. An establishment is a fixed presence that carries out an effective and real activity. Thus, simply having a mailbox address is not sufficient, nor is the fact that the website of a company located outside the EU is accessed. The legal structure of the establishment is irrelevant.
It also covers the processing of data of data subjects who are not in the EU (third countries). This means that the GDPR is also applicable if a customer lives outside the Union (and possibly has no relationship with the EU) and their data is processed by a branch in the Union.
Lex loci solutionis—protection in case of data processing outside the EU (paragraph 2)
However, the application of the GDPR also extends to controllers and processors in non-EU countries (third countries). These companies must appoint a representative in the EU.
According to the law of the place of performance (lex loci solutionis), the GDPR applies if personal data of a data subject located in the EU is deliberately processed by an organisation located outside Europe and the processing is related to the offering of goods or services. It does not matter whether these are paid for or free of charge, as in advertising-financed business models (Article 3(2)(a) GDPR). The offer has to be “obviously deliberate”, though. It is not sufficient, for example, for the website of a company to be in a certain language.
Furthermore, the GDPR does not apply if the data is passed through or processed by a router in the Union without knowledge (mere data traffic).
The nationality of the data subject is not to be taken into account, but rather their place of residence. Processing of personal data is not covered by the GDPR if the data subject (EU citizen or citizen of a third country) does not have a residence or domicile in the EU. However, citizens of third countries who are permanently or temporarily resident in the Union at the time of processing are also protected. If an EU citizen is outside the Union for any reason and their personal data is then processed by a controller or processor in a third country, the GDPR is not applied.
Moreover, the GDPR is also applicable in the case of the targeted monitoring of the behaviour of a data subject in the EU by a non-EU established controller or processor. This applies, for example, to the monitoring of internet activities using cookies, browser fingerprinting, social plug-ins, profiling, etc. The reason for the monitoring is irrelevant.
Principle of application on the basis of international law (paragraph 3)
This principle applies to establishments which under international law are subject to the law of the member states, in particular consulates or diplomatic missions, ships, aircraft, data processing by diplomats, etc.
A change in the territorial scope of application of the GDPR is not contractually possible, unless a member state has the option of concretising the GDPR through its own national law on the basis of an opening clause. In this case, the national law is applicable.