3 straipsnis 📖 BDAR. Teritorinė taikymo sritis

3 straipsnis BDAR. Teritorinė taikymo sritis

Article 3 GDPR. Territorial scope

1. Šis reglamentas taikomas asmens duomenų tvarkymui, kai asmens duomenis Sąjungoje tvarko duomenų valdytojo arba duomenų tvarkytojo buveinė, vykdydama savo veiklą, neatsižvelgiant į tai, ar duomenys tvarkomi Sąjungoje, ar ne.

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

Gairės & Byla Teisė Konstatuojamosios dalys Jungtys

Gairės & Byla Teisė

(EN)

Documents

WP29, Update of Opinion on applicable law in light of the CJEU judgement in Google Spain (2010).

Case Law

CJEU, Google Spain SL/Agencia española de protección de datos, C-131/12 (2014):

55. In the light of that objective of Directive 95/46 and of the wording of Article 4(1)(a), it must be held that the processing of personal data for the purposes of the service of a search engine such as Google Search, which is operated by an undertaking that has its seat in a third State but has an establishment in a Member State, is carried out ‘in the context of the activities’ of that establishment if the latter is intended to promote and sell, in that Member State, advertising space offered by the search engine which serves to make the service offered by that engine profitable.

56. In such circumstances, the activities of the operator of the search engine and those of its establishment situated in the Member State concerned are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed. (page 14)

CJEU, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein/Wirtschaftsakademie Schleswig-Holstein GmbH, C-210/16 (2018):

… where an undertaking established outside the European Union has several establishments in different Member States, the supervisory authority of a Member State is entitled to exercise the powers conferred on it by Article 28(3) of that directive with respect to an establishment of that undertaking situated in the territory of that Member State even if, as a result of the division of tasks within the group, first, that establishment is responsible solely for the sale of advertising space and other marketing activities in the territory of that Member State and, second, exclusive responsibility for collecting and processing personal data belongs, for the entire territory of the European Union, to an establishment situated in another Member State. (page 14)

Konstatuojamosios dalys

(22) bet koks asmens duomenų tvarkymas, kai asmens duomenis Sąjungoje vykdydama savo veiklą tvarko duomenų valdytojo arba duomenų tvarkytojo buveinė, turėtų vykti pagal šį reglamentą, neatsižvelgiant į tai, ar pati tvarkymo operacija atliekama Sąjungoje. Buveinė reiškia, kad per stabilias struktūras vykdoma veiksminga ir reali veikla. Teisinė tokių struktūrų forma, neatsižvelgiant į tai, ar tai filialas ar patronuojamoji bendrovė, turinti juridinio asmens statusą, tuo požiūriu nėra lemiamas veiksnys;

(22) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.

(14) šiuo reglamentu užtikrinama apsauga turėtų būti taikoma fiziniams asmenims tvarkant jų asmens duomenis, neatsižvelgiant į jų pilietybę ar gyvenamąją vietą. Šis reglamentas neapimama juridinių asmenų ir visų pirma su juridinio asmens statusą turinčių įmonių duomenų, įskaitant juridinio asmens pavadinimą, teisinę formą ir kontaktinius duomenis, tvarkymo;

(14) The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.

Jungtys

Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)

“An establishment in the Union”

The threshold for “stable arrangement [9]” can actually be quite low when the centre of activities of a controller concerns the provision of services online. As a result, in some circumstances, the presence of one single employee or agent of a non-EU entity in the Union may be sufficient to constitute a stable arrangement (amounting to an ‘establishment’ for the purposes of Art 3(1)) if that employee or agent acts with a sufficient degree of stability. Conversely, when an employee is based in the EU but the processing is not being carried out in the context of the activities of the EU-based employee in the Union (i.e. the processing relates to activities of the controller outside the EU), the mere presence of an employee in the EU will not result in that processing falling within the scope of the GDPR. In other words, the mere presence of an employee in the EU is not as such sufficient to trigger the application of the GDPR, since for the processing in question to fall within the scope of the GDPR, it must also be carried out in the context of the activities of the EU-based employee.

_{[9] Weltimmo, paragraph 31.}

The fact that the non-EU entity responsible for the data processing does not have a branch or subsidiary in a Member State does not preclude it from having an establishment there within the meaning of EU data protection law. Although the notion of establishment is broad, it is not without limits. It is not possible to conclude that the non-EU entity has an establishment in the Union merely because the undertaking’s website is accessible in the Union [10].

_{[10] CJEU, Verein für Konsumenteninformation v. Amazon EU Sarl, Case C‑191/15, 28 July 2016, paragraph 76 (hereafter “Verein für Konsumenteninformation”).}

Processing of personal data carried out “in the context of the activities of” an establishment

The EDPB considers that, for the purpose of Article 3(1), the meaning of “processing in the context of the activities of an establishment of a controller or a processor” is to be understood in light of the relevant case law. On the one hand, with a view to fulfilling the objective of ensuring effective and complete protection, the meaning of “in the context of the activities of an establishment” cannot be interpreted restrictively [12]. On the other hand, the existence of an establishment within the meaning of the GDPR should not be interpreted too broadly to conclude that the existence of any presence in the EU with even the remotest links to the data processing activities of a non-EU entity will be sufficient to bring this processing within the scope of EU data protection law. Some commercial activity carried out by a non-EU entity within a Member State may indeed be so far removed from the processing of personal data by this entity that the existence of the commercial activity in the EU would not be sufficient to bring the data processing by the non-EU entity within the scope of EU data protection law [13].

_{[12] Weltimmo, paragraph 25 and Google Spain, paragraph 53.}

_{[13] G29 WP 179 update – Update of Opinion 8/2010 on applicable law in light of the CJEU judgment in Google Spain, 16th December 2015}

Consideration of the following two factors may help to determine whether the processing is being carried out by a controller or processor in the context of its establishment in the Union

i) Relationship between a data controller or processor outside the Union and its local establishment in the Union

The data processing activities of a data controller or processor established outside the EU may be inextricably linked to the activities of a local establishment in a Member State, and thereby may trigger the applicability of EU law, even if that local establishment is not actually taking any role in the data processing itself [14]. If a case by case analysis on the facts shows that there is an inextricable link between the processing of personal data carried out by a non-EU controller or processor and the activities of an EU establishment, EU law will apply to that processing by the non-EU entity, whether or not the EU establishment plays a role in that processing of data [15].

_{[14] CJEU, Google Spain, Case C‑131/12}

_{[15] G29 WP 179 update – Update of Opinion 8/2010 on applicable law in light of the CJEU judgment in Google Spain, 16th December 2015}

ii) Revenue raising in the Union

Revenue-raising in the EU by a local establishment, to the extent that such activities can be considered as “inextricably linked” to the processing of personal data taking place outside the EU and individuals in the EU, may be indicative of processing by a non-EU controller or processor being carried out “in the context of the activities of the EU establishment”, and may be sufficient to result in the application of EU law to such processing [16].

_{[16] This may potentially be the case, for example, for any foreign operator with a sales office or some other presence in the EU, even if that office has no role in the actual data processing, in particular where the processing takes place in the context of the sales activity in the EU and the activities of the establishment are aimed at the inhabitants of the Member States in which the establishment is located (WP179 update).}

2. Šis reglamentas taikomas asmens duomenų tvarkymui, kai Sąjungoje esančių duomenų subjektų asmens duomenis tvarko Sąjungoje neįsisteigęs duomenų valdytojas arba duomenų tvarkytojas ir duomenų tvarkymo veikla yra susijusi su:

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

Jungtys

Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)

Data subjects in the Union

The wording of Article 3(2) refers to “personal data of data subjects who are in the Union”. The application of the targeting criterion is therefore not limited by the citizenship, residence or other type of legal status of the data subject whose personal data are being processed. Recital 14 confirms this interpretation and states that “[t]he protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data”.

While the location of the data subject in the territory of the Union is a determining factor for the application of the targeting criterion as per Article 3(2), the EDPB considers that the nationality or legal status of a data subject who is in the Union cannot limit or restrict the territorial scope of the Regulation.

The requirement that the data subject be located in the Union must be assessed at the moment when the relevant trigger activity takes place, i.e. at the moment of offering of goods or services or the moment when the behaviour is being monitored, regardless of the duration of the offer made or monitoring undertaken.

a) prekių arba paslaugų siūlymu tokiems duomenų subjektams Sąjungoje, nepaisant to, ar už šias prekes arba paslaugas duomenų subjektui reikia mokėti; arba

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

Konstatuojamosios dalys Jungtys

Konstatuojamosios dalys

(23) kad fiziniams asmenims būtų užtikrinta apsauga, į kurią jie turi teisę pagal šį reglamentą, šis reglamentas turėtų būti taikomas Sąjungoje esančių duomenų subjektų asmens duomenų, kuriuos tvarko Sąjungoje neįsisteigęs duomenų valdytojas arba duomenų tvarkytojas, tvarkymui, kai duomenų tvarkymo veikla yra susijusi su prekių ar paslaugų siūlymu tokiems duomenų subjektams, neatsižvelgiant į tai, ar tai susiję su mokėjimu. Siekiant nustatyti, ar toks duomenų valdytojas arba duomenų tvarkytojas siūlo prekes ar paslaugas Sąjungoje esantiems duomenų subjektams, turėtų būti įsitikinta, ar akivaizdu, kad tas duomenų valdytojas arba duomenų tvarkytojas numato teikti paslaugas duomenų subjektams vienoje ar keliose valstybėse narėse Sąjungoje. Kadangi vien tik to, kad Sąjungoje yra prieinami duomenų valdytojo, duomenų tvarkytojo ar tarpininko interneto svetainė ar el. pašto adresas, ir kiti kontaktiniai duomenys arba kad vartojama kalba, kuri paprastai vartojama trečiojoje valstybėje, kurioje yra įsisteigęs duomenų valdytojas, nepakanka įsitikinti, kad esama tokio ketinimo, tokie veiksniai kaip kalbos ar valiutos, paprastai vartojamų (naudojamų) vienoje ar keliose valstybėse narėse, vartojimas (naudojimas) su galimybe užsisakyti prekes ir paslaugas ta kita kalba, arba Sąjungoje esančių vartotojų ar naudotojų minėjimas gali būti aspektai, iš kurių aišku, kad duomenų valdytojas numato siūlyti prekes ar paslaugas duomenų subjektams Sąjungoje;

(23) In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.

Jungtys

Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)

Offering of goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the Union

The first activity triggering the application of Article 3(2) is the “offering of goods or services”, a concept which has been further addressed by EU law and case law, which should be taken into account when applying the targeting criterion. The offering of services also includes the offering of information society services, defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 [23] as “any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”.

_{[23] Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services.}

Another key element to be assessed in determining whether the Article 3(2)(a) targeting criterion can be met is whether the offer of goods or services is directed at a person in the Union, or in other words, whether the conduct on the part of the controller, which determines the means and purposes of processing, demonstrates its intention to offer goods or a services to a data subject located in the Union. Recital 23 of the GDPR indeed clarifies that “in order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.”

The elements listed in Recital 23 echo and are in line with the CJEU case law based on Council Regulation 44/2001 [25] on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters, and in particular its Article 15(1)(c). In Pammer v Reederei Karl Schlüter GmbH & Co and Hotel Alpenhof v Heller (Joined cases C-585/08 and C-144/09), the Court was asked to clarify what it means to “direct activity” within the meaning of Article 15(1)(c) of Regulation 44/2001 (Brussels I). The CJEU held that, in order to determine whether a trader can be considered to be “directing” its activity to the Member State of the consumer’s domicile, within the meaning of Article 15(1)(c) of Brussels I, the trader must have manifested its intention to establish commercial relations with such consumers. In this context, the CJEU considered evidence able to demonstrate that the trader was envisaging doing business with consumers domiciled in a Member State.

_{[25] Council Regulation (EC) No 44/2001 of 22 December 2000 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters.}

While the notion of “directing an activity” differs from the “offering of goods or services”, the EDPB deems this case law in in Pammer v Reederei Karl Schlüter GmbH & Co and Hotel Alpenhof v Heller (Joined cases C-585/08 and C-144/09) [26] might be of assistance when considering whether goods or services are offered to a data subject in the Union. When taking into account the specific facts of the case, the following factors could therefore inter alia be taken into consideration, possibly in combination with one another:

_{[26] It is all the more relevant that, under Article 6 of Regulation (EC) No 593/2008 of the European Parliament and of the Council of 17 June 2008 on the law applicable to contractual obligations (Rome I), in absence of choice of law, this criterion of “directing activity” to the country of the consumer’s habitual residence is taken into account to designate the law of the consumer’s habitual residence as the law applicable to the contract.}

– The EU or at least one Member State is designated by name with reference to the good or service offered;

– The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union; or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience

– The international nature of the activity at issue, such as certain tourist activities;

– The mention of dedicated addresses or phone numbers to be reached from an EU country;

– The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”;

– The description of travel instructions from one or more other EU Member States to the place where the service is provided;

– The mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;

– The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member states;

– The data controller offers the delivery of goods in EU Member States.

b) elgesio, kai jie veikia Sąjungoje, stebėsena.

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

Konstatuojamosios dalys Jungtys

Konstatuojamosios dalys

(24) šis reglamentas taip pat turėtų būti taikomas Sąjungoje esančių duomenų subjektų asmens duomenų, kuriuos tvarko Sąjungoje neįsisteigęs duomenų valdytojas arba duomenų tvarkytojas, tvarkymui, kai duomenų tvarkymas susijęs su tokių duomenų subjektų elgesio tiek, kiek jų elgesys vyksta Sąjungoje, stebėsena. Siekiant nustatyti, ar duomenų tvarkymo veikla gali būti laikoma duomenų subjektų elgesio stebėsena, reikėtų įsitikinti, ar fiziniai asmenys internete atsekami, be kita ko, vėliau galbūt taikant asmens duomenų tvarkymo metodus, kuriais fiziniam asmeniui suteikiamas profilis, ypač siekiant priimti su juo susijusius sprendimus arba išnagrinėti ar prognozuoti jo asmeninius pomėgius, elgesį ir požiūrius;

(24) The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

Jungtys

Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)

Monitoring of data subjects’ behaviour

For Article 3(2)(b) to trigger the application of the GDPR, the behaviour monitored must first relate to a data subject in the Union and, as a cumulative criterion, the monitored behaviour must take place within the territory of the Union.

The nature of the processing activity which can be considered as behavioural monitoring is further specified in Recital 24 which states that “in order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.” While Recital 24 exclusively relates to the monitoring of a behaviour through the tracking of a person on the internet, the EDPB considers that tracking through other types of network or technology involving personal data processing should also be taken into account in determining whether a processing activity amounts to a behavioural monitoring, for example through wearable and other smart devices.

As opposed to the provision of Article 3(2)(a), neither Article 3(2)(b) nor Recital 24 expressly introduce a necessary degree of “intention to target” on the part of the data controller or processor to determine whether the monitoring activity would trigger the application of the GDPR to the processing activities. However, the use of the word “monitoring” implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behaviour within the EU. The EDPB does not consider that any online collection or analysis of personal data of individuals in the EU would automatically count as “monitoring”. It will be necessary to consider the controller’s purpose for processing the data and, in particular, any subsequent behavioural analysis or profiling techniques involving that data. The EDPB takes into account the wording of Recital 24, which indicates that to determine whether processing involves monitoring of a data subject behaviour, the tracking of natural persons on the Internet, including the potential subsequent use of profiling techniques, is a key consideration.

The application of Article 3(2)(b) where a data controller or processor monitors the behaviour of data subjects who are in the Union could therefore encompass a broad range of monitoring activities, including in particular:

– Behavioural advertisement

– Geo-localisation activities, in particular for marketing purposes

– Online tracking through the use of cookies or other tracking techniques such as fingerprinting

– Personalised diet and health analytics services online

– CCTV

– Market surveys and other behavioural studies based on individual profiles

– Monitoring or regular reporting on an individual’s health status

3. Šis reglamentas taikomas asmens duomenų tvarkymui, kai asmens duomenis tvarko duomenų valdytojas, įsisteigęs ne Sąjungoje, o vietoje, kurioje pagal viešąją tarptautinę teisę taikoma valstybės narės teisė.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Konstatuojamosios dalys

(25) kai pagal tarptautinę viešąją teisę taikoma valstybės narės teisė, pavyzdžiui, valstybių narių diplomatinėse atstovybėse ar konsulinėse įstaigose, šis reglamentas taip pat turėtų būti taikomas Sąjungoje neįsisteigusiems duomenų valdytojams;

(25) Where Member State law applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State’s diplomatic mission or consular post.

Europos Sąjungos Bendrasis duomenų apsaugos reglamentas (BDAR)

General Data Protection Regulation (EU GDPR)

The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.

Ekspertų komentarai Konstatuojamosios dalys Gairės & Byla Teisė Palikite komentarą

Ekspertų komentarai

(EN) One of the most frequent questions asked is whether a company falls within the scope of the GDPR. It relates, among other things, to the definition of the European regulation’s territorial scope.

Here you can find a little self-assessment test:

Does the GDPR apply in these cases?

A Russian mobile application processes the geolocation data of Russian and foreign nationals in the EU.
A Belarusian dating site collects contact information from all its users. Americans and Europeans who come to Belarus and want to meet local women can also register on the site.
An Italian chain has opened a new hotel in Kyiv, where both Europeans and citizens of other countries stay. Guests registration is carried out on the Italian site, and data are processed in the head office of the management company in Italy.
An American training platform uses personal data to sell online courses around the world.
EU nationals, who are on vacation in India, came to an Austrian airline’s local office in Mumbai to fly to Bali for a couple of days. For this purpose, their passport information and bank card data were collected, as well as the information that the passengers are vegetarians.
EU users visit the site of a company from Rostov-on-Don 2-3 times a month and order flower deliveries in the city for their loved ones. The site is in Russian. Deliveries are only in Rostov. The currency of payment is the Russian ruble.

If you doubt the answers, go on reading and you will find the detailed analysis in the video lesson at the bottom of this article (in Russian).

Here are three cases, which show when it is necessary to observe the GDPR:

When data are processed in the context of the activities of an establishment in the EU. In other words, if the office is physically located in any of the EU countries and the data are processed in that office, the GDPR applies. Thus, the correct answer to the third question concerning the Italian hotel is affirmative, i.e. it is necessary to comply with the GDPR.

By the way, this paragraph does not apply only to a physical office or a registered legal entity. There are many other unobvious examples of what should be considered as the “context of the activities of an establishment”. We describe them in detail in the video.

When the data subject is in the EU and the processing relates to the supply of goods and services. In this case, “data subject” does not refer only to European citizens, but also to people from other countries who are passing through, traveling, or staying temporary in Europe. At the same time, the goods and services do not necessarily have to be paid for. For example, a free mobile app that you have downloaded.

Therefore, if, for example, a Russian citizen, being in Latvia, has used a Russian mobile application, she or he is protected by the GDPR. So the correct answer to the first question is affirmative, i.e. it is necessary to comply with the GDPR.

By the way, according to this paragraph, the GDPR also applies to other cases, which we have mentioned at the beginning of this article. For instance, in the second case, the Belarusian dating site provides a service to European citizens, as well as the American platform from the fourth case.

In comparison, in the fifth case concerning the purchase of tickets to Bali, the GDPR is not applicable, as these people have left the EU and are buying tickets in the office in India.

Do you know why in the sixth case concerning the flower delivery the GDPR does not apply, although the data of European citizens are processed? The reason is that the exception described in the recitals of the Regulation is based on a specific judicial precedent.

For more details on these recitals and court precedent, please see our video lesson.

When you monitor behaviour within the EU. These situations are rare. And that rule does not apply to any of the cases from this article. More detailed information can be found in the video.

We hope that the information was helpful. Share it with your colleagues and make sure to see our detailed video lesson below in which you will find:

A detailed explanation of the diagram “the territorial scope of the GDPR”;
Explanation of articles, recitals, judicial precedents, and clarification by the supervisory authority;
Further examples and cases from practice;
Detailed case analysis from this article.

…

Prisijungti
norėdami pasiekti visą tekstą

(EN) Author