The General Data Protection Regulation (GDPR) aims to protect the privacy and rights of data subjects (individuals) in the European Union by regulating data processing activities conducted by businesses.
Controllers or Processors outside the European Union often doubt whether they are required to comply, given that they do not have offices operating in the EU countries.
This post on the GDPR scope aims to help you resolve the confusion with ‘jurisdiction creep’. Now, what’s jurisdiction creep? It’s the confusion that’s caused when businesses do not fully understand the GDPR law and its applicability. The result? Businesses get stuck in a limbo of doubt – ‘Am I under the purview of GDPR’ or ‘Am I not?’
If you are considering becoming GDPR compliant but aren’t completely sure if you are under its purview, this article is a must-read.
What is the Scope of GDPR?
The scope of the GDPR compliance is relatively broad. Therefore, regardless of whether you are a business situated inside the EU or have an office in a third country (outside the EU), it is essential to understand how you come under the purview of GDPR if you are processing the personal data of EU citizens and residents.
Here are two ways a business comes under the purview of this compliance law.
- Material Scope
- Territorial Scope
Article 3 of the GDPR: Territorial Scope
Article 3 of the GDPR sets out the territorial scope of the GDPR and is broadly classified into two segments – Article 3(1) and Article 3(2). However, before we dive deeper into those segments, it is essential to get familiar with the concepts of territorial and extraterritorial scope.
Territorial scope refers to when businesses inside the EU region process the personal information of data subjects. Fair and simple, right? If your business qualifies for this, you are in the territorial scope of GDPR.
Extraterritorial scope applies to Controllers or Processors whose offices lie outside the EU, beyond the GDPR’s territorial scope. Those businesses are still required to comply under the GDPR’s extraterritorial scope.
For the uninitiated, here are some simple definitions to understand Controllers, Processors, and Personal Data in the GDPR universe.
Article 3 of the GDPR
For GDPR to be effective, the makers of the GDPR law extended their reach to businesses processing personal data based on two criteria.
1) Establishment Criteria
2) Targeting Criteria
Article 3(1) of the GDPR: Establishment Criteria
When Controllers or Processors based in the European Union are involved in processing data of data subjects, they come under the purview of GDPR. This applies regardless of where the data processing activities are conducted. For instance, if a Controller based out of one of the EU member states performs their processing activities in a third country, they must comply with the GDPR territorial scope guidelines under the establishment criteria.
Understanding the establishment criteria becomes important because, even though the legal language used in the GDPR framework is clear and crisp, it leaves much room for speculation.
The Google Spain v Mr Costeja Gonzalez hearing is a classic example of the establishment criteria. Google Spain was a Data Controller with its headquarters in the USA. Google’s search results affected a certain individual’s privacy and interests. The regulatory authority (the Spanish Authority for Personal Data Protection) asked Google Spain to take down those search results, thereby invoking the ‘right to be forgotten’, one of the eight rights the GDPR grants to data subjects. Though this incident happened in 2013, the makers of the GDPR and its critics still point to it to explain how and why the establishment criteria were included in the guidelines.
Article 3(2) of the GDPR: Targeting Criteria
“The processing of personal data of data subjects who are in the Union by a Controller or Processor not established in the Union, where the processing activities are related to (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or (b) the monitoring of their behavior as far as their behavior takes place within the Union”.
What this means is that the GDPR applies automatically when a business meets either or both of the following criteria:
1) They conduct processing activities of personal data of the data subjects within the EU region.
2) They offer goods or services to data subjects in the EU or monitor the behavior of the data subjects in the EU (websites, cookies).
Here are a few examples of when the Targeting Criteria are activated:
- When at least one member state in the EU is designated by name in a business’ services or goods
- When a Controller or Processor is involved in marketing and advertising campaigns whose target audience is data subjects in the EU
- When there is an activity with an international nature involved (tourist activities)
- When there is a mention of an address or a phone number that can be reached from EU member states
Article 2 of the GDPR: Material Scope
Processing personal data means that a business collects, stores, or uses data for marketing purposes or as a source for automated decision-making, alters data, or destroys data of residents or citizens of the EU.
When a business performs any or all of the above-mentioned activities, it is automatically under the scope of the GDPR. In some cases, even if the processing centre (a Processor) is not in the EU, it still comes under the purview of the GDPR.
Article 2 talks about the GDPR Material Scope of personal data processing. It is essential to talk about this aspect alongside the Territorial and Extraterritorial Scope of GDPR.
Real-world Translation of the Territorial Scope of the GDPR
1. When does a business need to become GDPR compliant according to Article 3?
A Controller or Processor will have to become compliant if they have an establishment in any of the EU member states or if they are processing personal data of EU citizens for targeted marketing.
2. Suppose your business has an establishment in the Union but does not process any personal data of data subjects from the EU. Do you still need to be GDPR compliant?
This is a tricky one. One would automatically assume they wouldn’t need to comply with the GDPR, but they do. The establishment criteria state that, regardless of the data subject, if a business has an establishment in the EU, it is automatically required to comply.
3. I am a cloud-hosted company looking to expand commerce in the EU, but I don’t have an establishment in the EU. How does the Territorial Scope of GDPR impact me?
The most important thing you must consider when deciding whether GDPR applies to you is to define the nature of the processing your business is involved in. In this case, the targeting criteria of Article 3 (Territorial Scope of GDPR) become applicable.
4. Suppose your business holds the capacity of a Controller and is located in the US with no establishment in the EU but has hired EU-based Data Processors. Will your US-based company have to be GDPR compliant?
No, since the Controller neither has an establishment in the EU nor is targeting/monitoring data subjects in the EU. So, you need not be GDPR compliant.
The GDPR law comes with its nuances and tweaks. It is a law regulated and supervised by a Lead Supervisory Authority of the European Data Protection Board (EDPB) and interpreted by the European courts.
So, often, the chapters and articles of the GDPR law are validated on a case-by-case basis.
The Global Nature of GDPR Compliance
The GDPR law has specific nuances and intricate details embedded at its core to ensure that the privacy rights of the citizens and residents of the EU are protected regardless of the global nature of the information. So, even when a processor in the Philippines processes the personal data of EU data subjects, they are required to be GDPR compliant.
The makers of the GDPR have ensured that this is followed by implementing Standard Contractual Clauses (SCCs). To conduct commerce with the EU, it is better to be on the right side of the compliance spectrum than to risk facing the administrative fines or reputational damage that follow when instances of non-compliance are found.
For reference, when a business is found to be non-compliant with the GDPR, it is levied an administrative penalty of $20 million or 4% of its annual turnover (whichever is higher).
Get Clarity on the Scope of the GDPR
If you have just embarked on the GDPR compliance journey and are finding it difficult to navigate through the details and complexities, talk to us.
Sprinto’s automated compliance platform is designed to ensure a smooth and effortless journey to becoming GDPR compliant. The platform gives you a roadmap of your compliance journey and points at the next steps you need to take. It allows for intra-organization collaboration and lets you assign tasks to each function within your team and monitor their progress from start to finish.
Sprinto handholds you through the compliance process and helps you resolve any issues every step of the way. We offer a unique 16-session customer onboarding experience. This allows you to focus on your business development while we do the heavy lifting of your compliance process.