The European Data Protection Board ("EDPB") has issued updated guidelines on the extraterritorial scope of the General Data Protection Regulation ("GDPR"). The revised guidance will be particularly helpful for non-EU entities seeking clarification on the extent to which their data processing operations are caught by European data laws. The new guidelines also clarify the liability of representatives appointed by non-EU controllers and processors.
When goods or services are "inadvertently or incidentally" provided to a person in the EU, the related processing does not fall within the scope of the GDPR for the purposes of the Offering Test.
The GDPR came into force in May 2018 with a substantially wider scope of application to countries outside the European Union ("EU") than the previous regime. This was an intentional move on the part of European legislators to ensure comprehensive protection of individuals' data privacy rights in the EU and to establish a level playing field in this area for companies active in EU markets.
In particular, Article 3 of the GDPR confirmed the applicability of the new regulations to the processing of personal data:
- in the context of the activities of an establishment in the EU, regardless of whether the processing takes place in the EU or not (the "Establishment Test");
- of persons in the EU by a non-EU controller or processor where the processing activities relate to:
  - the offering of goods or services to such persons in the EU (the "Offering Test"); or
  - the monitoring of their behaviour in the EU (the "Monitoring Test").
Where the GDPR applies by virtue of the Offering Test or the Monitoring Test to a non-EU controller (i.e. a person or entity that determines the purposes and means of processing personal data) or processor (i.e. a person or entity that processes personal data on behalf of a controller), there is an obligation on the controller or processor to appoint a representative in the EU.
These tests and the implications of appointing a representative have proven difficult to interpret in practice, a difficulty the EDPB recognised by developing draft guidelines for consultation in late 2018. The consultation has been completed and version 2.0 of EDPB Guidelines 3/2018 (the "Guidelines") was issued on 12 November 2019, taking into account contributions and feedback on the original draft.
The Guidelines confirm that the application of the tests in...