Privacy & Information Security Law Blog: EDPB Publishes Guidelines On Extraterritorial Application Of The GDPR

On November 23, 2018, the European Data Protection Board ("EDPB") published its long-awaited draft guidelines on the extraterritorial application of the EU General Data Protection Regulation ("GDPR") (the "Guidelines"). To date, there has been a degree of uncertainty for organizations regarding the scope of the GDPR's application outside of the EU. While the Guidelines provide some clarity on this issue, questions will remain for non-EU controllers and processors. Importantly, these Guidelines are only in draft form and are open for consultation until January 18, 2019, which will give organizations an opportunity to provide comments and raise additional questions in an effort to obtain further clarification from the EDPB on these important scoping questions.

Under Article 3 of the GDPR, the law applies to organizations that process personal data in three circumstances:

1. When a controller or processor is established in the EU and processes personal data in the context of the activities of that establishment;
2. When a controller or processor is not established in the EU but processes personal data relating to the offering of goods or services to individuals in the EU; or
3. When a controller or processor is not established in the EU but monitors the behavior of individuals in the EU.

Given the extensive obligations imposed by the GDPR and the onerous enforcement regime, global organizations have been rightly focused on how their own data processing activities may (or may not) fit within the scope of Article 3. While the Guidelines do not resolve all of these questions, they do provide some clarity. We have summarized and assessed the key aspects of the Guidelines below.

For controllers and processors that are located in the EU, the Guidelines reiterate that the GDPR applies to the processing of personal data by those EU establishments regarding all data subjects, regardless of their location or nationality. For example, the processing of personal data by a French controller relating to customers in the U.S. is subject to the GDPR. As a practical matter, this means that the GDPR will apply in full with respect to this processing, including with respect to data subject rights available under the GDPR, which in this hypothetical would be conferred upon the controller's customers in the U.S. A non-EU controller that is not otherwise subject to the GDPR will not become subject to the GDPR merely because a data processor located in the EU processes...
