EDPB draft guidelines on the territorial scope of the GDPR

On 23 November 2018, the European Data Protection Board (EDPB) issued draft guidelines (Guidelines) on the extraterritorial scope of the General Data Protection Regulation (GDPR).

The purported extraterritorial scope of the GDPR has been a source of worry to many businesses, particularly those outside the EU. The Guidelines, which are still under review, will aim to clarify the extraterritoriality criteria and help organisations assess whether the GDPR applies to them.

But what have the Guidelines clarified so far, and what remains unclear?

Article 3(1) GDPR

Article 3(1) sets out that the GDPR “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union of not”.

The Guidelines provide some clarification of the two key terms used in Article 3(1):

  1. “Establishment” in the EU

The Guidelines reiterate the existing position, which is that there is a low threshold for having an establishment in the EU. An establishment can be a branch or office. The presence of a single agent of the non-EU entity in the EU could even be sufficient.

Importantly, however, the Guidelines clarify that a non-EU entity will not have an establishment in the EU merely because it uses an EU data processor. This will bring some relief to EU-based processors with a global customer base.

However, EU-based data processors are still required to comply with the relevant GDPR provisions (such as entering into processing contracts), which may place them at a disadvantage against non-EU data processors. Also, it is unclear how EU-based processors are supposed to comply with their GDPR obligations in this situation. For example, the GDPR prohibits transfers of personal data to countries outside the EU unless certain safeguards are in place. This means that processors can accept data from a data controller outside the EU, but cannot transfer it back to the data controller without putting safeguards in place; and there is no obvious safeguard available in this scenario.

  1. “In the context of the activities”

The Guidelines reiterate that a non-EU entity can carry out processing activities in the context of the activities of an EU establishment, even if its EU establishment takes no role in data processing.

The Guidelines clarify that if (i) there is an “inextricable link” between the data processing activities of a non-EU entity and the activities of their EU establishment; and (ii) the EU establishment’s activities serve to make the non-EU entity profitable, then the processing is taking place in the context of activities of an EU establishment.

 Article 3(2) GDPR

Article 3(2) provides that the GDPR “applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

  • the offering of goods and services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  • the monitoring of their behaviour as far as their behaviour takes place within the Union.”

The Guidelines offer useful clarification on three underlined terms:

  1. “Data subjects in the Union”

The Guidelines reiterate that the location of the data subject is the determining factor. Nationality and residence of the data subject are not relevant.

The Guidelines clarify that the location of the data subject must be considered at the time of the trigger activity, so either at the moment (i) of the offer of goods or services or (ii) when the behaviour is monitored. This means that if the offer of services takes place in the EU, the GDPR will continue to apply if the individual leaves the EU; and vice versa.

It still remains unclear whether targeting individuals in their capacity as employees or representatives of larger organisations is caught by the GDPR.

  1. “Offering of goods or services”

The Guidelines reiterate that in order to be caught by the GDPR, the controller/processor must demonstrate an intention to offer goods or service to data subjects in the EU.

The Guidelines identify some new factors that, when considered together, could indicate an intention, including:

  • paying a search engine operator to facilitate access to a website by EU consumers;
  • the international nature of the activity (i.e. tourist activities); or
  • the mention of other customers domiciled in the EU.
  1. “Monitoring of behaviour”

The Guidelines clarify that collection of data alone is not “monitoring”. “Monitoring” requires the controller/processor to have a specific purpose for the collection and reuse of that data. The Guidelines specify a number of activities that could amount to monitoring:

  • behavioural advertisement;
  • geo-localisation activities; and
  • personalised health analytics services online.

The Guidelines have addressed some questions, but have left many unaddressed. It remains to be seen whether the final version will be more comprehensive.

By  Alice O’Donovan and Olivia Kilner, solicitors with international law firm, McGuireWoods.


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.