Austria
Scope of Austrian Data Protection Law
The Austrian data protection framework largely aligns with the GDPR, with a few key distinctions:
- Personal and Legal Entities Protection: The fundamental right to data protection in Austria uniquely extends to both natural persons and legal entities.
- Material and Territorial Application: Austria follows the GDPR's material and territorial scope without additional national requirements.
- Media and Creative Exemptions:
  - Media organizations enjoy specific exemptions from both GDPR Article 85(2) and the DSG when processing data for journalistic purposes, with the DSB required to respect editorial confidentiality.
  - Scientific, artistic, and literary activities receive partial exemptions from GDPR provisions, though data secrecy obligations under DSG Section 6 remain applicable.
Material Applicability Factors
The GDPR's material scope of application is determined by several factors, including:
- The Automated Means Criterion: This focuses on whether personal data is processed "wholly or partly by automated means."
- The Filing System Criterion: This extends the GDPR's applicability to manual processing when personal data forms part of or is intended to be part of a filing system.
- Sectoral Exceptions Regulated by Other Laws: This acknowledges that certain data processing activities might be governed by sector-specific regulations that have established data protection standards.
- Personal and Domestic Use Exemption: This excludes processing activities carried out by individuals in a purely personal or household context.
Automated Means Criterion
GDPR Art.2(1):
"1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system."
The automated means criterion is broad and encompasses various data processing activities, including those involving computers, smartphones, laptops, and other electronic devices. The GDPR applies when processing involves any level of automation. This means that any data processing activity that uses technology for any part of the process is likely to fall under the scope of the GDPR.
Filing System Criterion
GDPR Art.2(1):
"1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system."
This criterion extends the GDPR's reach to manual data processing if the data is structured and organized systematically. This ensures that even non-automated processing activities that allow for efficient retrieval and use of personal data are subject to data protection rules. For example, a set of personal data collected during door-to-door preaching, consisting of names, addresses, and other information about the contacted individuals, could be considered a filing system. This is because the data is structured according to specific criteria that allow for easy retrieval and subsequent use.
Sectoral Exceptions Regulated by Other Laws
GDPR Art.2(3):
"3. For the processing of personal data by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98."
This provision exempts processing activities already governed by specific EU regulations with established data protection standards. It highlights the EU's approach of avoiding redundant regulation where sector-specific rules are already in place. The GDPR differentiates between non-Union law and Union law when determining exceptions. For instance, data processing by EU institutions is governed by Regulation (EC) No 45/2001, which aligns with the GDPR's principles but addresses the unique needs of Union entities. This provision prevents conflicting obligations for controllers and processors.
Personal and Domestic Use Exemption
GDPR Art.2(2)(c):
"2. This Regulation does not apply to the processing of personal data: (c) by a natural person in the course of a purely personal or household activity;"
This exemption carves out data processing activities conducted by individuals for personal or household purposes. It ensures that the GDPR does not unnecessarily intrude into individuals' private lives. The exemption, however, does not extend to activities with professional or commercial connections.
A key distinction in applying this exemption is differentiating between "private" and "non-private" activities. Factors to consider include:
- The Space of Processing: Activities taking place in private spaces are more likely to be considered personal. Public places or generally available websites are not part of this exemption.
- The Social Aspect: The relationship between the individual conducting the processing and the data subjects, as well as the size of the group with access to the data, are relevant.
- The Purpose: Activities without a professional or economic purpose are more likely to fall under the exemption.
Territorial Applicability Factors
The GDPR's territorial scope is defined by criteria that determine whether the regulation applies to controllers and processors outside the EU. These criteria include:
- Processing by Local Establishment: The GDPR applies to entities with an establishment in the EU, regardless of where the actual processing takes place.
- Processing in Context of Local Establishment: The GDPR extends to data processing activities linked to the operations of an EU establishment, even if the processing itself occurs outside the EU.
- Offering Goods and Services to Data Subjects in Jurisdiction: The GDPR applies to non-EU entities that target EU residents by offering goods or services.
- Monitoring Data Subjects Within Jurisdiction: The GDPR covers data processing by controllers or processors, regardless of location, if the processing involves monitoring the behavior of individuals physically present in the EU.
- Physical Location/Residency of Data Subject in Jurisdiction: The GDPR emphasizes the protection of individuals physically present in the EU, regardless of their nationality or residency status.
Processing by Local Establishment
GDPR Art.3(1):
"1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."
This provision ensures that EU data protection laws govern the activities of entities established in the EU, regardless of where the data processing occurs. The "establishment" criterion is interpreted broadly, encompassing any stable arrangement through which a controller or processor conducts business activities in the EU. The legal form of the arrangement, such as a branch or subsidiary, is not the determining factor.
For example, a US-based car manufacturing company with a fully owned branch office in Brussels, overseeing European operations, including marketing and advertising, would be considered to have an establishment in the EU. The Belgian branch, being a stable arrangement with real and effective activities, qualifies as an establishment within the meaning of the GDPR.
Connection with Local Establishment
One frequently encountered confusion concerns the engagement of EU-based data processors by non-EU controllers. It's essential to clarify that merely contracting with an EU-based processor for data processing services does not automatically trigger the full applicability of the GDPR for the non-EU controller, particularly when the processor operates as an independent entity, separate from the controller's business group or ownership structure.
A critical aspect of Article 3(1) lies in its specific phrasing, "in the context of the activities of an establishment of a controller or a processor in the Union." The emphasis on "of" is significant because it indicates a direct, possessive link between the controller/processor and the establishment itself.
The EDPB Guidelines 3/2018 states:
"The separate question then arises of whether the processor is processing in the context of its establishment in the Union. If so, the processor will be subject to GDPR processor obligations under Article 3(1). However, this does not cause the non-EU controller to become subject to the GDPR controller obligations. That is to say, a “non-EU” controller (as described above) will not become subject to the GDPR simply because it chooses to use a processor in the Union."
This statement reinforces the principle that the mere presence of a processor's establishment in the EU does not automatically translate into an establishment for the non-EU controller.
So, the mere act of engaging an EU-based processor does not automatically activate Article 3(1) for a non-EU controller when the processor is an independent entity and not part of the controller's business group or ownership structure. However, the controller retains responsibility for ensuring the processor's compliance with the GDPR through contractual means, reflecting the GDPR's commitment to comprehensive data protection.
Processing in Context of Local Establishment
GDPR Art.3(1):
"1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."
This criterion broadens the GDPR's scope to data processing activities linked to an EU establishment, even when the processing takes place outside the EU. This requires assessing the relationship between a non-EU entity and its local EU establishment. An "inextricable link" between the data processing activities and the EU establishment's activities would trigger GDPR applicability.
The "inextricable link" is not explicitly defined in the GDPR but emerges from the interpretation of Article 3(1), Recital 22, and subsequent case law and guidelines. The European Data Protection Board (EDPB) has identified two key factors that help in determining whether processing occurs "in the context of" an establishment in the Union, thus establishing the "inextricable link" necessary for the application of the GDPR:
- Relationship between the non-EU entity and its local EU establishment: This factor examines the operational and functional connection between the data processing activities of the non-EU entity and the activities of its establishment in the EU.
- Contribution of the local EU establishment to the revenue of the non-EU entity: This factor assesses whether the activities of the EU establishment are directly or indirectly generating revenue for the non-EU entity, and whether this revenue generation is linked to the processing of personal data.
EDPB Guidelines 3/2018:
"The data processing activities of a data controller or processor established outside the EU may be inextricably linked to the activities of a local establishment in a Member State, and thereby may trigger the applicability of EU law, even if that local establishment is not actually taking any role in the data processing itself. If a case by case analysis on the facts shows that there is an inextricable link between the processing of personal data carried out by a non-EU controller or processor and the activities of an EU establishment, EU law will apply to that processing by the non-EU entity, whether or not the EU establishment plays a role in that processing of data."
"Revenue-raising in the EU by a local establishment, to the extent that such activities can be considered as “inextricably linked” to the processing of personal data taking place outside the EU and individuals in the EU, may be indicative of processing by a non-EU controller or processor being carried out “in the context of the activities of the EU establishment”, and may be sufficient to result in the application of EU law to such processing."
Recital 22 GDPR:
"Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect."
Case Law
The CJEU, in landmark cases like Google Spain (C-131/12), has provided valuable insights into interpreting the "inextricable link" requirement. The Court has consistently emphasized a functional approach, moving away from a purely formalistic interpretation of "establishment." Instead, the focus is on the actual activities of the EU establishment and their connection to the processing of personal data.
In Google Spain, the CJEU ruled that even though Google's data processing activities were primarily carried out outside the EU, the presence of a sales office in Spain that promoted and sold advertising space linked to the search engine constituted an "establishment" under the GDPR. This was because the sales office's activities were deemed to be "inextricably linked" to the processing of personal data by the search engine, as they generated revenue that contributed to the overall functioning of the search engine.
For instance, a pharmaceutical company headquartered in Stockholm, with clinical trial data processing activities located in its Singapore branch, would still be subject to the GDPR. Even though processing occurs in Singapore, it's considered to be carried out in the context of the company's activities in Stockholm, an EU establishment.
Offering Goods and Services to Data Subjects in Jurisdiction
GDPR Art.3(2)(a):
"2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or"
This provision targets non-EU entities that aim their business activities toward EU residents. It covers the offering of both free and paid goods or services. The crucial aspect is whether the controller or processor intentionally targets EU individuals with their offerings. Factors such as language, currency, and marketing practices can indicate such intent.
Recital 23 elaborates on determining whether an entity is offering goods or services to EU data subjects:
Recital 23:
"In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union."
Several factors can indicate the intention to target EU data subjects, including:
- Language and Currency: Using languages or currencies common in EU Member States suggests targeting EU individuals.
- Targeted Marketing: Launching marketing campaigns aimed at EU audiences demonstrates an intent to offer goods or services to those individuals.
- Delivery Options: Offering delivery of goods in EU Member States strengthens the case for targeting EU individuals.
However, merely having a website accessible in the EU or providing an email address does not automatically constitute an offer of goods or services to EU data subjects. A more comprehensive assessment is necessary to determine the intent.
Monitoring Data Subjects Within Jurisdiction
GDPR Art.3(2)(b):
"2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (b) the monitoring of their behaviour as far as their behaviour takes place within the Union."
This criterion encompasses data processing activities that track the behavior of individuals within the EU. It applies regardless of the controller or processor's location and covers various online and offline tracking methods. This provision emphasizes that the protection of individuals' privacy extends to their activities within the EU's territory.
Examples of activities that might constitute "monitoring" include:
- Tracking website visitors' browsing behavior.
- Analyzing customer movements in a physical store using Wi-Fi tracking.
- Using facial recognition technology in public spaces.
The key element is whether the processing involves tracking individuals' actions or behaviors while they are physically present in the EU.
Physical Location/Residency of Data Subject in Jurisdiction
GDPR Art.3(2):
"2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union."
The GDPR's focus on individuals' physical location within the EU, regardless of nationality or residency, underscores the regulation's aim to protect all individuals present within the EU's territory. This provision ensures that the GDPR's protective measures apply to individuals engaging in activities within the EU, even if they are not EU citizens or residents.
The GDPR's territorial scope is designed to be comprehensive and protective, ensuring that individuals' personal data is safeguarded regardless of where the processing occurs or who is conducting it.
Conclusion
The GDPR's applicability in the EU is determined by a combination of material and territorial factors. The regulation's broad scope covers various data processing activities, encompassing both automated and manual processing when personal data is organized in a structured manner. Sector-specific regulations might govern certain data processing activities, while the Personal and Domestic Use Exemption ensures that the GDPR does not unnecessarily extend into individuals' private lives.
The GDPR's territorial scope extends beyond EU borders to include controllers and processors outside the EU if their activities target or monitor individuals within the EU or are connected to an EU establishment. This broad reach highlights the EU's commitment to protecting the personal data of individuals within its territory. This approach ensures that individuals' privacy rights are protected in a globalized digital world.