EU: Monitoring Data Subjects Within Jurisdiction
The monitoring of data subjects' behavior within the EU is used as a key factor for determining whether the GDPR applies to processing activities by controllers or processors not established in the EU.
Text of Relevant Provisions
GDPR Article 3(2)(b):
"2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (b) the monitoring of their behaviour as far as their behaviour takes place within the Union."
Analysis of Provisions
Article 3(2)(b) of the GDPR extends the territorial scope of the regulation to cover processing activities by controllers or processors not established in the EU, when those activities involve monitoring the behavior of data subjects within the EU.
Key aspects of this provision include:
- It applies to controllers/processors "not established in the Union"
- The data subjects must be "in the Union"
- The processing must relate to "monitoring of their behaviour"
- The monitored behavior must take place "within the Union"
As clarified in the EDPB guidelines, for this provision to apply, "the behaviour monitored must first relate to a data subject in the Union and, as a cumulative criterion, the monitored behaviour must take place within the territory of the Union".
The EDPB notes that "monitoring" implies "the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual's behaviour within the EU". However, not all online collection or analysis of personal data of EU individuals automatically counts as monitoring. The controller's purpose and any behavioral analysis or profiling must be considered.
Examples of monitoring activities that could fall under this provision include:
- Behavioral advertising
- Geo-localization for marketing purposes
- Online tracking through cookies or fingerprinting
- Personalized diet/health analytics services
- CCTV
- Market surveys and behavioral studies based on individual profiles
Implications
This provision significantly expands the territorial reach of the GDPR to non-EU entities that monitor individuals in the EU. Some key implications include:
- Non-EU companies engaged in online tracking, profiling or behavioral analysis of EU residents likely fall under GDPR jurisdiction, even without an EU establishment.
- The mere collection of EU personal data is not enough - there must be purposeful monitoring of behavior within the EU.
- Both the data subject's presence in the EU and the behavior occurring in the EU are required.
- Companies must assess whether any of their data processing activities constitute "monitoring" of EU data subjects, which may require GDPR compliance for those specific activities.
- Non-EU entities engaged in monitoring may need to designate an EU representative.
The monitoring criterion thus serves as an important factor in determining whether non-EU entities are subject to GDPR requirements, reflecting the regulation's aim of protecting EU residents' data even when processed by foreign companies. Companies must carefully evaluate their processing activities involving EU individuals to determine if they trigger GDPR applicability through monitoring.