Airteagal 3 📖 RGCS (GDPR). Raon feidhme críochach

Airteagal 3 RGCS (GDPR). Raon feidhme críochach

1. Tá feidhm ag an Rialachán seo maidir le sonraí pearsanta a phróiseáil i gcomhthéacs gníomhaíochtaí bunaíochta de chuid rialaitheora nó próiseálaithe atá lonnaithe san Aontas, is cuma cé acu an ndéantar an phróiseáil san Aontas nó nach ndéantar.

Dlí Treoirlínte & Cásanna Recitals Téacsanna gaolmhara

Dlí Treoirlínte & Cásanna

(EN)

Documents

WP29, Update of Opinion on applicable law in light of the CJEU judgement in Google Spain (2010).

Case Law

CJEU, Google Spain SL/Agencia española de protección de datos, C-131/12 (2014):

55. In the light of that objective of Directive 95/46 and of the wording of Article 4(1)(a), it must be held that the processing of personal data for the purposes of the service of a search engine such as Google Search, which is operated by an undertaking that has its seat in a third State but has an establishment in a Member State, is carried out ‘in the context of the activities’ of that establishment if the latter is intended to promote and sell, in that Member State, advertising space offered by the search engine which serves to make the service offered by that engine profitable.

56. In such circumstances, the activities of the operator of the search engine and those of its establishment situated in the Member State concerned are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed. (page 14)

CJEU, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein/Wirtschaftsakademie Schleswig-Holstein GmbH, C-210/16 (2018):

… where an undertaking established outside the European Union has several establishments in different Member States, the supervisory authority of a Member State is entitled to exercise the powers conferred on it by Article 28(3) of that directive with respect to an establishment of that undertaking situated in the territory of that Member State even if, as a result of the division of tasks within the group, first, that establishment is responsible solely for the sale of advertising space and other marketing activities in the territory of that Member State and, second, exclusive responsibility for collecting and processing personal data belongs, for the entire territory of the European Union, to an establishment situated in another Member State. (page 14)

Recitals

(22) Maidir le haon phróiseáil a dhéantar ar shonraí pearsanta i gcomhthéacs gníomhaíochtaí bunaíochta de chuid rialaitheora nó próiseálaí san Aontas, ba cheart an phróiseáil sin a dhéanamh i gcomhréir leis an Rialachán seo, is cuma má dhéantar an phróiseáil féin laistigh den Aontas nó mura ndéantar. Tugtar le tuiscint le húsáid an fhocail “bunaíocht” go ndéantar gníomhaíocht éifeachtach iarbhír inti trí shocruithe seasmhacha. Ní hí foirm dhlíthiúil na bunaíochta sin, cibé acu an brainse nó fochuideachta a bhfuil pearsantacht dhlíthiúil aici í, an toisc chinntitheach ina leith sin.

(14) Ba cheart feidhm a bheith ag an gcosaint a bhfuil foráil déanta ina leith sa Rialachán seo maidir le daoine nádúrtha, is cuma cén náisiúntacht atá acu nó cén áit a bhfuil cónaí orthu, i ndáil leis an bpróiseáil a dhéantar ar a sonraí pearsanta. Ní chumhdaítear leis an Rialachán seo an phróiseáil a dhéantar ar shonraí pearsanta a bhaineann le daoine dlítheanacha agus go háirithe le gnóthais a bhfuil pearsantacht dhlíthiúil acu, lena n-áirítear ainm agus foirm an duine dhlítheanaigh agus sonraí teagmhála an duine dhlítheanaigh.

Téacsanna gaolmhara

2. Tá feidhm ag an Rialachán seo maidir le próiseáil arna déanamh ag rialaitheoir nó ag próiseálaí nach bhfuil bunaithe san Aontas ar shonraí pearsanta ábhar sonraí atá san Aontas, i gcás ina mbaineann na gníomhaíochtaí próiseála leis an méid seo a leanas:

Téacsanna gaolmhara

(a) seirbhísí nó earraí a thairiscint d’ábhair sonraí den chineál sin san Aontas, is cuma an gá don ábhar sonraí íocaíocht a dhéanamh; nó

Recitals Téacsanna gaolmhara

Recitals

(23) Chun a áirithiú nach ndéantar an chosaint atá daoine nádúrtha i dteideal a fháil faoin Rialachán seo a bhaint díobh, ba cheart an phróiseáil a dhéanann rialaitheoir nó próiseálaí nach bhfuil bunaithe san Aontas ar shonraí pearsanta na n-ábhar sonraí agus atá san Aontas a bheith faoi réir an Rialacháin seo i gcás ina mbaineann na gníomhaíochtaí próiseála le hearraí nó seirbhísí a thairiscint d'ábhair sonraí den sórt sin beag beann ar cé acu an bhfuil an tairiscint bainteach le híocaíocht nó nach bhfuil. Chun a chinneadh an bhfuil earraí nó seirbhísí á dtairiscint ag an rialaitheoir nó ag an bpróiseálaí sin d'ábhair sonraí, ar daoine iad atá san Aontas, ba cheart a fháil amach an bhfuil sé soiléir go bhfuil sé beartaithe ag an rialaitheoir nó ag an bpróiseálaí seirbhísí a thairiscint d'ábhair sonraí i gceann amháin nó níos mó de na Ballstáit atá san Aontas. De bhrí nach leor inrochtaineacht ar shuíomh gréasáin an rialaitheora, an phróisealaí ná idirghabhálaí san Aontas, ar sheoladh ríomhphoist nó ar shonraí teagmhála eile nó ar theanga a mbaintear úsáid aisti i gcoitinne i dtríú tír ina bhfuil an rialaitheoir bunaithe, chun a fháil amach an bhfuil rún den sórt sin ag an rialaitheoir, d'fhéadfadh sé go dtabharfaí le fios, le fachtóirí amhail úsáid teanga nó airgeadra a mbaintear úsáid aisti nó as i gcoitinne i mBallstát amháin nó níos mó a bhfuil an deis ann nó iontu earraí agus seirbhísí a ordú sa teanga eile sin, nó le fachtóir amhail custaiméirí nó úsáideoirí atá san Aontas a bheith á lua, go bhfuil sé beartaithe ag an rialaitheoir earraí nó seirbhísí a thairiscint san Aontas d'ábhair sonraí.

Téacsanna gaolmhara

(b) faireachán a dhéanamh ar iompar na ndaoine sin chomh fada agus a dhéantar a n-iompar siúd laistigh den Aontas.

Recitals Téacsanna gaolmhara

Recitals

(24) An phróiseáil a dhéanann rialaitheoir nó próiseálaí nach bhfuil bunaithe san Aontas ar shonraí pearsanta na n-ábhar sonraí agus atá san Aontas, ba cheart í a bheith faoi réir an Rialacháin seo freisin i gcás ina mbaineann sí le faireachán a dhéantar ar iompar ábhar sonraí den sórt sin a mhéid a tharlaíonn a n-iompar laistigh den Aontas. Chun a chinneadh an féidir a mheas an ndéanann gníomhaíocht próiseála faireachán ar iompar na n-ábhar sonraí do na sonraí, ba cheart a fháil amach an bhfuil daoine nádúrtha á rianú ar an idirlíon lena n-áirítear úsáid a d'fhéadfaí á baint ina dhiaidh sin as teicníochtaí próiseála sonraí pearsanta, ar teicníochtaí iad lena ndéantar duine nádúrtha a phróifíliú, go háirithe chun cinntí a dhéanamh maidir leis an duine sin nó chun anailís nó tuar a dhéanamh ar shainroghanna, iompar agus dearcadh an duine sin.

Téacsanna gaolmhara

3. Tá feidhm ag an Rialachán seo maidir le próiseáil sonraí pearsanta ag rialaitheoir nach bhfuil bunaithe san Aontas ach atá bunaithe in áit a bhfuil feidhm ag dlí Ballstáit de bhua dlí poiblí idirnáisiúnta.

Recitals

(25) I gcás ina bhfuil feidhm ag dlí Ballstáit de bhua dlí phoiblí idirnáisiúnta, ba cheart feidhm a bheith ag an Rialachán seo freisin maidir le rialaitheoir nach bhfuil bunaithe san Aontas ach atá, mar shampla, i misean taidhleoireachta nó post consalach de chuid Ballstáit.

An Rialachán Ginearálta maidir le Cosaint Sonraí (RGCS, GDPR)

Tráchtaireacht Recitals Dlí Treoirlínte & Cásanna Leave a comment

Tráchtaireacht

(EN) One of the most frequent questions asked is whether a company falls within the scope of the GDPR. It relates, among other things, to the definition of the European regulation’s territorial scope.

Here you can find a little self-assessment test:

Does the GDPR apply in these cases?

A Russian mobile application processes the geolocation data of Russian and foreign nationals in the EU.
A Belarusian dating site collects contact information from all its users. Americans and Europeans who come to Belarus and want to meet local women can also register on the site.
An Italian chain has opened a new hotel in Kyiv, where both Europeans and citizens of other countries stay. Guests registration is carried out on the Italian site, and data are processed in the head office of the management company in Italy.
An American training platform uses personal data to sell online courses around the world.
EU nationals, who are on vacation in India, came to an Austrian airline’s local office in Mumbai to fly to Bali for a couple of days. For this purpose, their passport information and bank card data were collected, as well as the information that the passengers are vegetarians.
EU users visit the site of a company from Rostov-on-Don 2-3 times a month and order flower deliveries in the city for their loved ones. The site is in Russian. Deliveries are only in Rostov. The currency of payment is the Russian ruble.

If you doubt the answers, go on reading and you will find the detailed analysis in the video lesson at the bottom of this article (in Russian).

Here are three cases, which show when it is necessary to observe the GDPR:

When data are processed in the context of the activities of an establishment in the EU. In other words, if the office is physically located in any of the EU countries and the data are processed in that office, the GDPR applies. Thus, the correct answer to the third question concerning the Italian hotel is affirmative, i.e. it is necessary to comply with the GDPR.

By the way, this paragraph does not apply only to a physical office or a registered legal entity. There are many other unobvious examples of what should be considered as the “context of the activities of an establishment”. We describe them in detail in the video.

When the data subject is in the EU and the processing relates to the supply of goods and services. In this case, “data subject” does not refer only to European citizens, but also to people from other countries who are passing through, traveling, or staying temporary in Europe. At the same time, the goods and services do not necessarily have to be paid for. For example, a free mobile app that you have downloaded.

Therefore, if, for example, a Russian citizen, being in Latvia, has used a Russian mobile application, she or he is protected by the GDPR. So the correct answer to the first question is affirmative, i.e. it is necessary to comply with the GDPR.

By the way, according to this paragraph, the GDPR also applies to other cases, which we have mentioned at the beginning of this article. For instance, in the second case, the Belarusian dating site provides a service to European citizens, as well as the American platform from the fourth case.

In comparison, in the fifth case concerning the purchase of tickets to Bali, the GDPR is not applicable, as these people have left the EU and are buying tickets in the office in India.

Do you know why in the sixth case concerning the flower delivery the GDPR does not apply, although the data of European citizens are processed? The reason is that the exception described in the recitals of the Regulation is based on a specific judicial precedent.

For more details on these recitals and court precedent, please see our video lesson.

When you monitor behaviour within the EU. These situations are rare. And that rule does not apply to any of the cases from this article. More detailed information can be found in the video.

We hope that the information was helpful. Share it with your colleagues and make sure to see our detailed video lesson below in which you will find:

A detailed explanation of the diagram “the territorial scope of the GDPR”;
Explanation of articles, recitals, judicial precedents, and clarification by the supervisory authority;
Further examples and cases from practice;
Detailed case analysis from this article.

(EN) […]

(EN) Sign in
to read the full text

(EN) Author