The European Data Protection Board (“EDPB”) recently released Guidelines 3/2018 on the territorial scope of the GDPR (Article 3). The Guidelines, which address the key threshold issue of the GDPR’s applicability, are particularly important for companies outside the European Union seeking to understand the GDPR’s application to their business activities. The Guidelines are open to public comment until January 18, 2019, after which time the EDPB will publish a final version of the Guidelines.
The Guidelines primarily focus on two criteria that define the GDPR’s territorial scope: the “establishment” criterion (Article 3(1)) and the “targeting” criterion (Article 3(2)). The “establishment” criterion applies the GDPR to processing in the context of the activities of a controller or processor’s establishment in the EU. The “targeting” criterion applies the GDPR to processing related to the offering of goods or services to individuals in the EU or the monitoring of behavior in the EU. The Guidelines also address the requirement for a controller or processor not established in the EU to appoint a representative in the EU.
View the full alert here.