Who does the GDPR apply to?

2019-08-18T11:05:03+00:00

Does the GDPR apply to your organisation? In this section you will find the information you need to assess for yourself whether or not you have to comply with the European framework.


When does the GDPR apply to your data processing activities?

The GDPR applies to those data processing activities that fall within both the material scope of application and the territorial scope of application.

The processing falls within the material scope of application when the data processed qualify as personal data (and the processing is automated, or the data form part of a filing system), unless one of the exceptions of Article 2.2 applies.

On the other hand, the processing will fall under the territorial scope of application when:

  • you process personal data in the context of the activities of an establishment in the Union, or
  • with no establishment in the Union, you process personal data of data subjects who are in the Union, either offering them goods or services or monitoring their behaviour in the Union.

The territorial scope of application can be broken down into three scenarios: scenario 1 covers companies and organisations with an establishment in the EU; scenario 2 covers companies that do not have an establishment in the Union; and scenario 3 covers cases where Member State law applies by virtue of public international law, such as embassies or ships.

Material scope of application: processing of personal data

The GDPR applies to the processing of personal data carried out wholly or partly by automated means. It also applies to processing activities performed by non-automated means when the data form part or are intended to form part of a filing system.

Filing system means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

The key concept, however, is “personal data”. In a few words, the Regulation defines personal data as any information relating to a person who is identified or who can be identified, even at a later time. Article 4.1 of the GDPR reads:

”Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing of personal data excluded

Processing in the course of an activity which falls outside the scope of Union law

This includes processing operations that concern public security, defence and national security.

Processing by Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU

This covers processing activities related to the common foreign and security policy of the EU.

Processing carried out by a natural person in the course of a purely personal or household activity

This exemption covers activities carried out for purely personal or household purposes, that is, activities with no connection to a professional or business activity. This is the case, for instance, of holding correspondence, keeping an address book, or social networking and similar online activities.

Where you process personal data with purely personal or household purposes you do not need to apply the GDPR.

However, the GDPR does apply to controllers or processors that provide the means for individuals to process personal data for such personal or household activities (for instance, the operator of the social network itself).

Processing by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

The reason behind this exemption is that such processing is governed by the Law Enforcement Directive (Directive (EU) 2016/680), which covers these subjects and therefore fills the gap left by the GDPR.

Territorial scope of application 1. When a controller or processor with an establishment in the EU must comply with the GDPR

Article 3.1 of the GDPR establishes:

This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

Therefore, the GDPR applies to those data processing activities that you carry out in the context of the activities of an establishment in the Union.

“In the context of the activities” and “establishment” are terms which have been clarified by the CJEU and the European Data Protection Board and they are key to determine whether the projected data processing activities fall under the scope of application of the GDPR.

Step 1: Check whether you have an establishment in the Union

Recital 22 of the GDPR states that an “establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.”

The notion of establishment departs from the classical definition of commercial law, whereby undertakings are established in the place where they are registered or where they have their business. Conversely, it “extends to any real and effective activity — even a minimal one — exercised through stable arrangements.” (Weltimmo v NAIH, C-230/14, para. 31).

And what does it take for a stable arrangement to exist? Not much, actually. The presence in the country of a single agent, employee or representative may be sufficient.

In Weltimmo v NAIH the Court held that the following elements are capable of establishing the existence of an “establishment”:

  1. The appointment of a representative;
  2. The opening of a bank account;
  3. The use of a letter box.

Step 2: Check whether you process the data in the context of the activities of that establishment

Once you have verified that you process personal data and that you have an establishment or “stable arrangement” in the Union, you can proceed to check whether the data is processed in the context of the activities of that establishment.

Having an establishment in the Union does not by itself bring every processing activity of a company under the GDPR. Where the processing is carried out by an entity outside the EU, the Regulation applies when that processing is inextricably linked to the activities of the establishment in the Union.

Whether the activities are inextricably linked must be assessed on a case-by-case basis. In the Google case, the CJEU held that the sale of advertising space by the Spanish subsidiary was inextricably linked to the search engine operated by the parent company Google Inc., since the former was necessary to make the search engine economically profitable and the engine was, at the same time, the means enabling those advertising activities to exist (see Google Spain SL, Google Inc. v AEPD, Mario Costeja González, C-131/12, para. 56). In the Court's words:

“In such circumstances, the activities of the operator of the search engine and those of its establishment situated in the Member State concerned are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed.”

Economic profitability is a strong argument for the existence of an inextricable link. However, it is not the sole criterion; others may be taken into account on a case-by-case basis.

For the purposes of this criterion, the nationality or citizenship of the data subjects is not a relevant factor, nor is the place where the data is processed.

Finally, the mere existence of a controller-processor relationship does not automatically bring both parties under the GDPR, especially when the controller is established outside the EU and contracts a processor in the Union: the processor's establishment does not, by itself, make the controller's processing subject to the Regulation.

If you are a controller or processor, you need to apply the GDPR to those processing activities carried out in the context of the activities of an establishment in the Union.

Territorial scope of application 2. When an organisation with no establishment in the EU must comply with the GDPR

If you process personal data and do not have an establishment in the EU, your processing activities may still fall under the GDPR. You need to comply with the Regulation if you offer goods or services to data subjects in the Union or monitor their behaviour in the Union.

Article 3.2 of the GDPR states:

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

Step 1: Check whether you offer goods or services to data subjects in the Union

For this criterion to apply, you have to target individuals in the EU and offer them goods or services. The decisive factor is the “targeting” element; the nationality or citizenship of the data subjects is, again, not relevant.

To determine whether you direct the offer of goods or services to data subjects in the EU, it is necessary to evaluate if the different factors present in the service reveal the intention of directing the offer to a Member State of the EU.

According to Recital 23 of the GDPR, the mere accessibility of a website, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention.

Conversely, “factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”

As the European Data Protection Board highlights, the elements listed in Recital 23 are in line with the CJEU case law on Regulation 44/2001 (Brussels I). The Court's decisions on the meaning of “directing activity” to a Member State can therefore be used to determine whether a controller or processor offers goods or services to data subjects in the Union. The Board also lists, without limitation, the following factors:

  • The designation of the EU or of a Member State
  • Payment to a search engine to facilitate access to your site by consumers in the Union, or directing marketing and advertising campaigns at an EU country audience
  • The international nature of the activity
  • Mention of dedicated addresses or phone numbers to be reached from an EU country
  • The use of a top-level domain name other than that of the third country where the controller or processor is established
  • The description of travel instructions from an EU Member State to the place where the service is provided
  • Mention of an EU clientele
  • The use of a language or currency other than that used in the trader’s country
  • Offering delivery of goods in EU Member States

Where several of the above (or other) circumstances lead you to conclude that you direct the offer of goods or services to one or more Member States of the EU, and you process personal data in the context of that activity, the GDPR applies to that processing, regardless of where the processing equipment is located or in which third country you are established.

Finally, for this criterion to apply it is also irrelevant whether or not payment is requested or completed.

Step 2: Check whether you monitor their behaviour in the Union

Recital 24 of the GDPR states:

The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union.

In order to determine whether a processing activity monitors the behaviour of data subjects, the recital sets out that “it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”

To give a few examples, the European Data Protection Board lists the following:

  • Behavioural advertising;
  • Geo-localisation activities, in particular for marketing purposes;
  • Online tracking through the use of cookies or other tracking techniques such as fingerprinting;
  • Personalised diet and health analytics services online;
  • CCTV;
  • Market surveys and other behavioural studies based on individual profiles; or
  • Monitoring or regular reporting on an individual’s health status.

Territorial scope of application 3. Processing activities where Member State Law applies by virtue of public international law

Article 3.3 establishes that the GDPR applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

As Recital 25 highlights, this is the case of diplomatic missions and consular posts. The same reasoning extends to ships and aircraft registered in a Member State, since they are governed by the law of the state of registration.

Frequently asked questions about who the GDPR applies to

Does the GDPR apply to small and medium-sized enterprises (SMEs)?

Absolutely. There is no exception for SMEs in the GDPR beyond the lifting of the obligation to keep a record of processing activities where the processing entails no risk to data subjects and the other conditions of Article 30.5 are met. Beyond that case, a small or medium-sized business needs to apply the GDPR whenever its processing falls under the Regulation's scope of application.

Does the GDPR apply to self-employed individuals and freelancers?

In the eyes of the GDPR, there is no difference between a self-employed individual or freelancer and a business. Therefore, a self-employed person does need to apply the GDPR to those data processing activities that fall within the Regulation’s scope of application.

Does the GDPR apply to individuals?

The GDPR does not apply to individuals, as long as the data is being processed for purely personal or household purposes.

That is the case, for instance, of holding contact details of family and friends, or interacting and accessing personal data from other people on social networks.

Does the GDPR apply to governments and public bodies?

As with any other entity, a government must also abide by the GDPR in so far as it processes personal data in the context of the activities of an establishment in the EU or, even if it has no establishment in the Union, it targets individuals in the Union by offering them goods or services or monitoring their behaviour.

There may also be specific requirements for public administration bodies in the relevant national law.

Does the GDPR apply to B2B relationships?

The relevant element is not whether the relationship is B2B or B2C, but whether personal data is being processed. If you transfer your client’s personal data to another company, or if you keep a file with personally identifiable information such as the contact details of that other company's employees, you are processing personal data.

Does the GDPR apply to schools?

As with any other organisation, the GDPR applies to schools in so far as the school processes personal data in the context of the activities of an establishment in the EU, or targets individuals in the Union by offering them goods or services or monitoring their behaviour.

For instance, if a school based in a third country such as the US offers special programmes specifically addressed to candidates from an EU Member State, it will need to apply the GDPR to those processing activities.

However, if the same school does not offer any programme directed at candidates from the EU but merely receives applications from data subjects in the EU, it will not need to apply the GDPR, since the service is not directed to EU Member States.

Does the GDPR apply to charities?

The GDPR does not take into consideration the legal form of the entity or organisation. It therefore also applies to charities in so far as the charity processes personal data in the context of the activities of an establishment in the EU, or targets individuals in the Union by offering them goods or services or monitoring their behaviour.

Does the GDPR apply to clubs and associations?

For the same reason, the GDPR applies to clubs in so far as the club processes personal data in the context of the activities of an establishment in the EU, or targets individuals in the Union by offering them goods or services or monitoring their behaviour.

Does the GDPR apply to the UK?

As long as the UK is a Member State of the EU, the GDPR forms part of its law. Once the UK leaves the EU, the GDPR will cease to form part of UK law and is expected to be replaced by a GDPR-like version enacted by the UK government.

For more information about how Brexit will affect the GDPR, I encourage you to consult the guidelines published by the ICO.

On the other hand, the extraterritorial scope of the European GDPR will still affect businesses established in the UK in the event they have an establishment in the Union and process personal data in the context of the activities of that establishment, or, if they have no establishment in the Union, they offer goods or services to data subjects in the Union or monitor their behaviour.

Does the GDPR apply to US companies?

No, unless the US company has an establishment in the Union and processes personal data in the context of the activities of that establishment or, if it has no establishment in the Union, it offers goods or services to data subjects in the Union or monitors their behaviour.

Does the GDPR apply to Australian companies?

The scope of application of the GDPR is extraterritorial, which means it goes beyond the territory of the Union. As a result, the GDPR applies to data controllers or processors based in Australia if they have an establishment in the Union and process personal data in the context of the activities of that establishment or, if they have no establishment in the Union, they offer goods or services to data subjects in the Union or monitor their behaviour. If either criterion is met, that company or organisation needs to apply the GDPR.

Does the GDPR apply to Swiss companies?

Likewise, the GDPR applies to data controllers or processors based in Switzerland if they have an establishment in the Union and process personal data in the context of the activities of that establishment or, if they have no establishment in the Union, they offer goods or services to data subjects in the Union or monitor their behaviour. If either criterion is met, that company or organisation needs to apply the GDPR.

Does the GDPR apply to Canadian companies?

The same applies to data controllers or processors based in Canada: the GDPR applies if they have an establishment in the Union and process personal data in the context of the activities of that establishment or, if they have no establishment in the Union, they offer goods or services to data subjects in the Union or monitor their behaviour. If either criterion is met, that company or organisation needs to apply the GDPR.
