The factor "Use of Equipment Within Jurisdiction" is used to determine the applicability of data protection laws by considering whether a data controller or processor, not established in the jurisdiction, uses equipment physically located within the jurisdiction to process personal data.

Provision Examples

• Angola: "AO DPL Art.3(2)(d): This law applies to the processing of personal data carried out: d) By a data controller who, not being established in the Republic of Angola, uses means located in Angolan territory for the processing of personal data."
• Uruguay: "Decree No. 414/009 Art.3(1B): Personal data processing is subject to the Law that is regulated when: B) The database controller or processor is not established in Uruguayan territory but uses means located in the country for data processing."
• Philippines: "DPA of 2012 Sec.4(1): This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines..."

Description

This factor is used to determine the applicability of data protection laws by considering whether a data controller or processor uses equipment physically located within the jurisdiction to process personal data. The provisions analyzed above demonstrate that this factor is used to extend the scope of data protection laws to cover situations where a data controller or processor, not established in the jurisdiction, uses equipment located within the jurisdiction to process personal data.

The rationale behind this factor is to ensure that personal data processed within the jurisdiction is subject to the jurisdiction's data protection laws, regardless of the location of the data controller or processor. This approach is consistent with the principle of territoriality, which provides that a state has jurisdiction over activities that take place within its territory.

The provisions analyzed above demonstrate commonalities in the approach to this factor across different jurisdictions. For example, all the provisions analyzed above require the data controller or processor to use equipment located within the jurisdiction to process personal data. This approach is consistent with the principle of territoriality and ensures that personal data processed within the jurisdiction is subject to the jurisdiction's data protection laws.

The provisions analyzed above also demonstrate different approaches to this factor. For example, the Philippines provision requires the data controller or processor to maintain an office, branch, or agency in the Philippines, in addition to using equipment located in the Philippines. This approach is more stringent than the approach taken in Angola and Uruguay, which only require the use of equipment located within the jurisdiction.

Implications

The implications of this factor are that data controllers and processors that use equipment located within the jurisdiction to process personal data may be subject to the jurisdiction's data protection laws, even if they are not established in the jurisdiction. This may require data controllers and processors to comply with the jurisdiction's data protection laws, including requirements for data security, data breach notification, and data subject rights.

For example, a data controller or processor that uses equipment located in Angola to process personal data may be subject to Angola's data protection laws, even if they are not established in Angola. This may require the data controller or processor to comply with Angola's data protection laws, including requirements for data security and data breach notification.

In contrast, a data controller or processor that uses equipment located in the Philippines to process personal data may be subject to the Philippines' data protection laws, including requirements for data security, data breach notification, and data subject rights. This may require the data controller or processor to maintain an office, branch, or agency in the Philippines, in addition to using equipment located in the Philippines.

Overall, the factor "Use of Equipment Within Jurisdiction" is used to determine the applicability of data protection laws by considering whether a data controller or processor uses equipment physically located within the jurisdiction to process personal data. This approach is consistent with the principle of territoriality and ensures that personal data processed within the jurisdiction is subject to the jurisdiction's data protection laws.