GDPR and Territorial Scope

Transcript of the Video

Hello, ladies and gentlemen. Suzanne Dibble here, data protection law expert coming to you raw and uncut. I've got to be honest with you, I’m absolutely shattered. A real struggle to have to do a video today, but after having done about 60 days of videos without missing one single day, I am not going to miss a day. It is actually a quarter to one in the morning, so I guess I have officially missed yesterday, but I'm counting it as yesterday.

So, I've promised to do a video on the territorial scope, so that's what I'm going to do today. It is not entirely straightforward. You might not be surprised to know as with pretty much everything in GDPR, but I will outline what the regulations say and give you my interpretation as to what that is.

The first thing to say about the territorial scope is obviously if you are established within the EU, then GDPR applies. Now, I've had questions that say "Does it just apply to your data subjects within the EU or does it apply generally?" So if you're based in the EU but you have people on your list in the States, Canada, Australia, wherever, if you're for example going out and getting fresh consent from your lists, would you have to put it to those other jurisdictions as well or just people within the EU?

I've really researched this and I can't find anything on this point. If anyone has, please feel free to post it in the group. From my reading of Article 3 of the regulations, the way that it is phrased suggests that if you're in the EU, then this applies to all of the data that you process, wherever the data subjects are. The reason I say that is because Article 3.1 says "This regulation applies to the processing of personal data in the context of the activities of the establishment of a controller or processor in the Union regardless of whether the processing takes place in the Union or not."

Now it's not that last bit that I'm actually interested in there. What that's designed to cover is people like Facebook, well not Facebook actually cause it's not based in the EU, but someone who's based in the EU and they have their head office in the EU and all the decision makers are in the EU, but they decide to say that their processing is being done in India as a way to circumvent the rules. So that's what that last bit was about. The bit that I'm interested in is the part that talks about the processing of personal data because if you compare that to the next article, which is Article 3.2, that talks about the processing of personal data of data subjects who are in the Union. So my reading of that is the fact that they haven't said in the first bit, that it's the personal data of data subjects who are in the Union, means that if you are established in the EU, then all of your processing of personal data is caught by GDPR.

The next point is, if you're not in the EU, what's the position for you? Article 3.2 says "This regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union where the processing activities are related to" then it's a couple of things that narrow down that processing definition. What we're talking about is processing of personal data of people in the EU by a controller or a processor not established in the EU. If you're a company in the states and you're processing personal data of data subjects in the UK, then when the processing activities are related to "Firstly, the offering of goods or services, irrespective of whether a payment is required, to data subjects in the Union, or the monitoring of their behavior as far as their behavior takes place within the Union." What does that mean?

We have to think about what are processing activities related to the offering of goods or services? This is where the question comes in around, let me just get to the recital, so this is the question around, "If I just have an English speaking website, which I'm not geo-blocking people, but people can just come on to my website, does that mean that I'm processing data of people from the EU?" Well no, it doesn't mean that because the recitals say that "it should be ascertained whether it's apparent that the controller or processor envisages offering services to data subjects in one or more member states in the Union."

It goes on to say "whereas the mere accessibility of the controller, processors or intermediary's website in the Union or an email address or other contact details or the use of language generally used in the third country where the controller is established is insufficient to ascertain such an intention. Factors such as the use of a language or a currency generally used in one or more member states with the possibility of ordering goods and services in that other language or the mentioning of customers or users who are in the Union may make it apparent that the controller envisages offering goods or services to data subjects in the Union."

What you need to look at is all of the evidence that would make it apparent that you are envisaging offering goods or services to data subjects in the Union. If you have an email list...if you're established in the US for example, and I'm just using the US as an example, this could be Australia, Canada, India, wherever you are, say you're in the US and you've got an email list that has a good number of people from the UK on that list and you are emailing them with promotional offers, you're sending your email marketing to them the same way that you're sending it to people in the States, then that for me is clearly an intent and that you envisage offering goods or services to data subjects in the Union. You would have to comply with GDPR.

If you don't do that if you're not email marketing to people within the EU and just the very fact that they are able to go on your website and browse it does not bring you within the scope of GDPR.

Now the second limb of that was the monitoring of the behavior of data subjects so far as that behavior takes place within the Union. The recitals on that say that "In order to determine whether a processing activity can be considered to monitor the behavior of data subjects it should be ascertained whether people are tracked on the internet, including potential subsequent use of personal data processing techniques which consist of profiling, particularly in order to take decisions concerning him or her or for analyzing or predicting personal preferences, behaviors, and attitudes."

So where you are using cookies for example, that are monitoring behavior, you've got behavioral advertising going on, then that would be an example of monitoring the behavior of data subjects within the EU in so far as the behavior takes place within the Union. So that's as far as the guidance goes really. If you know that you would come within those two examples then you are caught within the scope of GDPR.

What about if you have clients, maybe you don't do marketing, but you have clients in the EU but you're not email marketing people, you've been introduced to them or they've been referred to you or whatever, I think it would be covered in that. "The processing activities are related to the offering of goods or services." So it's what emphasis you put on offer. Is it the actual offering or is it the provision of the services? I don't know. I've not read anything that clarifies that. If anyone has come across anything that does, please do let me know. I think certainly for the people that I'm talking to, if you've got a list of...if you're based in the US and I'm using the US as an example, you've got a list that has a fair amount of people in the UK and you are not segmenting them out, you're sending them the same offers that you would be sending the rest of your list, then you are within the scope of GDPR. In so far as it's related to the data subjects within the Union.

If you, for example, if you were thinking okay, I need to comply with GDPR so I need to look at my lawful ground of processing. If you don't know about that, go and watch the overview training in the pinned post. I lost my train of thought now, it's too late. Yes, so you would only need to go out to your list to get fresh consent for example from people in the EU if you're in the States as an example. Or wherever you are outside of the EU. We're only interested for you in so far as it affects the data of data subject you are in the Union. I have read things that say In the Union, doesn't mean that people are resident there or citizens there, it literally means people who are in the Union. If they're there on holiday or whatever else, if you are sending stuff while they are in the Union or you are monitoring their online behavior whilst they are in the Union then that would count for the purposes of that regulation.

The other thing that I want to quickly mention is that as a representative. Representatives. There was a question for the first time actually in the group, about representatives, so I just want to quickly touch on that while we are talking about territorial scope. Article 27, it says "Where Article 3.2 applies," which is the article I was just talking about which is where the processing relates to the offering of goods and services and the monitoring of behavior, if that applies then it says, "the controller or the processor shall designate in writing a representative in the Union apart from where processing is occasional," and there's no guidance on what occasional means, "it does not include on a large scale processing of special categories of data," and hopefully, you know what that is now. If not, there are lots of the overview training it explains what a special category data is or sensitive data.

"Or processing of personal data related to criminal conviction and offenses and is unlikely to result in arrest to the rights and natural freedoms of persons then you don't have to appoint a representative." So if you're processing occasionally and it's unlikely to result in the arrest and freedoms of natural persons," then as an example, you don't have to appoint a personal representative. "Equally, you don't have to appoint one if you're a public authority or body," which I suspect will apply to many people in the group. I shall mention that for completeness. You have to appoint this representative in one of the member states where the data subjects are. If you're based in the US and you've got most of your data subjects in the UK, it would make sense to appoint a UK entity as a representative, not least because of language issues.

The told of the representative is really to be, as the name suggests a representative for the company in the US or wherever you are. To be their representative within the EU. The job of the representative is to liaise with supervisory authorities and data subjects on all issues related to the processing for the purposes of complying with the regulations. If there's a complaint raised, for example, the supervisory authority might go to the representative as the first port of call. Similarly for data subjects, if you look at the privacy notice, there is a line in there that talks about a representative and there are contact details for a representative so that if a data subject wants to exercise a right or make a complaint, then it can use the services of that representative to do so. Then obviously the representative has to liaise with you in relation to that.

There are lots of entities that have sprung up in the UK that offer representative services. The fees tend to vary. Some of them break it down, if you have small-scale processing it's a few hundred pounds a year whereas if you've got very large scale processing, it can be up to tens of thousands of pounds a year so do look into that if you're based outside of the EU, but GDPR applies to you and you don't have your own establishment within the EU, then do look into whether or not you need to appoint a representative.

I hope that's made sense. It's a bit late and I'm feeling exhausted. Probably not the best time to deal with that. I hope that makes sense to you. Everything that I've ready personally and seed discussed is really just a direct lift from the recitals and there's not really any more practical application as to what they were thinking of when they wrote that. Anything that you've seen about that bit is an authority on that, then do share that with me.

My view is, the questions that I've been asked at the moment by people who are typically in the States, is people who are doing email marketing and things like that. I say, if you do have people in the EU on that list and you are regularly sending're intending to offer them goods or services or you're monitoring their behavior then you're within the scope of GDPR.

I hope that made sense. I think I'm rambling a bit now so I shall shut up. If there are any questions on that then let me know and I will address those. Okay, have a good evening. I've still got another hour of work and it's 1 AM. It's not good, is it? I think I've worked till 2 AM every night for the last couple of months. There's light at the end of the tunnel. I'm taking the whole of July and August off, so I think I can keep going for another month. Just about.

Thank you so much to all of you in the group who I know I can tell are GDPR experts and you are popping in and answering questions for people. I think that's great. If you are an expert and you do know what you're talking about then that's really helpful. Of course, if you're not an expert and you're just having a guess, please don't do that because it really leads to confusion. By all means say "I watched this video and they said X" or if you're not an absolute expert, quote your authority from where you are gathering your opinion. Don't be like the room full of marketers in the conference yesterday who were just giving a blanket "yes you can do this," typically it was "no you can't do this" without giving any kind of context for that or indeed any risk analysis of that. Thank you as always for your engagement. I have to say I wish there was a title bit less engagement at the moment. It's very, very hard to keep up with all the posts, if not impossible.

I'm glad that people are so interested in it. I do love seeing the questions, it's just that they're so many now that I really can't look at all of them. That is it. As you know the prices rise tomorrow for the pack. If you want to buy it, go do that. As I've posted in the group and said, "Don't worry if the processing doesn't go through for some reason, there's about 10% that just doesn't go through for whatever reason, I think it's just the volume, if you email before midnight tomorrow, today now, before midnight on the 25th of April, then we will make sure you can buy the pack at 147 pounds before the prices go up to 197 pounds which is still a fantastic value."

You all seemed very interested in my implementation day which is where we'll sit down together. I'll give you an overview session at the start of the day and then we'll sit down and you will go through all of your documents. I'll be online and you can ask me any questions that you have as we go through that. It will be interesting to see how that works. I know you need a bit of help filling them in, so I thought that was a good way to present a low-cost solution for me to be able to help you to do that. Hopefully, an email is coming out on that tomorrow for the 1st of May, first come first serve. If you want to do that make sure you snap that up. I think that's it for now. Thanks, everyone. Bye, everyone.