Skip to Main Content
Our Commitment to Diversity
Date: 26 November 2018
EU Data Protection, Privacy, and Security Alert
By: Claude-Étienne Armingaud, Etienne Drouard, Anaïs Ligot, Olga Kurochkina, Joséphine Beaufour, Lucile Rolinet

On November 23, the European Data Protection Board (“EDPB”) - the gathering of all European Union (EU) data protection authorities - adopted new draft guidelines on territorial scope of the GDPR. The EDPB was previously known as the Article 29 Working Party.

The long awaited guidelines (“Guidelines”, available here) provide a common interpretation on the scope of application of the GDPR. Its territorial scope, laid down in Article 3 GDPR, states that GDPR applies to:

  • any EU based controller or processor processing personal data in the context of its activities; or
  • any non-EU based controller or processor processing personal data of EU residents in connection with either:
    • the offer of goods or services; or
    • the monitoring of their behavior taking place in the EU. 

The Guidelines provide clarification for both EU and non-EU based companies to assess whether all or parts of their activities would fall under the scope of the GDPR and to what extent they would be subject to the application of the GDPR. 

Notably, the Guidelines clarified aspects which had been subject to controversy or misinterpretation in the six months since GDPR’s entry into force, such as:

  • A non-EU controller using an EU processor for activities outside of the EU not targeting EU residents does not have to comply with GDPR. An EU processor will be subject to the relevant GDPR provisions directly applicable to data processors;
  • The irrelevancy of the “targeting” criterion when considering applicability of the GDPR to monitoring activities; and
  • Citizenship, established residency or other type of legal status of the data subject is irrelevant to determine the application of the targeting criteria.

Moreover, the Guidelines also clarified the criteria of the appointment of an EU representative defined in Article 27 GDPR for non-EU controllers and processors.

The Guidelines will still be subject to a public consultation before being revised and ultimately adopted in a final version.

K&L Gates’ Data Protection team remains at your disposal to assist you in the completion of your contributions, which will need to be submitted before January 18, 2019.

This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.

Find more items tagged as: Data Protection, Privacy, and Security
Return to top of page

Email Disclaimer

We welcome your email, but please understand that if you are not already a client of K&L Gates LLP, we cannot represent you until we confirm that doing so would not create a conflict of interest and is otherwise consistent with the policies of our firm. Accordingly, please do not include any confidential information until we verify that the firm is in a position to represent you and our engagement is confirmed in a letter. Prior to that time, there is no assurance that information you send us will be maintained as confidential. Thank you for your consideration.

Accept Cancel