WP29, Update of Opinion on applicable law in light of the CJEU judgement in Google Spain (2010).
CJEU, Google Spain SL/Agencia española de protección de datos, C-131/12 (2014):
55. In the light of that objective of Directive 95/46 and of the wording of Article 4(1)(a), it must be held that the processing of personal data for the purposes of the service of a search engine such as Google Search, which is operated by an undertaking that has its seat in a third State but has an establishment in a Member State, is carried out ‘in the context of the activities’ of that establishment if the latter is intended to promote and sell, in that Member State, advertising space offered by the search engine which serves to make the service offered by that engine profitable.
56. In such circumstances, the activities of the operator of the search engine and those of its establishment situated in the Member State concerned are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed. (page 14)
CJEU, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein/Wirtschaftsakademie Schleswig-Holstein GmbH, C-210/16 (2018):
… where an undertaking established outside the European Union has several establishments in different Member States, the supervisory authority of a Member State is entitled to exercise the powers conferred on it by Article 28(3) of that directive with respect to an establishment of that undertaking situated in the territory of that Member State even if, as a result of the division of tasks within the group, first, that establishment is responsible solely for the sale of advertising space and other marketing activities in the territory of that Member State and, second, exclusive responsibility for collecting and processing personal data belongs, for the entire territory of the European Union, to an establishment situated in another Member State. (page 14)
(22) 유럽연합 역내의 컨트롤러 또는 프로세서의 사업장(establishment) 활동과 관련한 개인정보 처리는 본 규정에 따라야 하고, 그 처리 자체가 유럽연합 역내에서 발생하는지 여부는 상관없다. 사업장이라 함은 안정적인 방식을 통해 효과적이고 실제적인 활동을 행하는 것을 의미한다. 그 방식의 법적 형태는 법인격을 가진 지점 또는 자회사를 통한 것인지에 관계없이 그와 관련한 결정적인 요인이 아니다.
(22) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.
(14) 본 규정이 정하는 개인정보 보호는 국적이나 거주지에 상관없이 개인정보 처리와 관련된 개인에게 적용되어야 한다. 본 규정은 법인의 명칭과 형태 및 법인의 연락처 등 법인, 특히 법인으로 설립된 사업체와 관련된 개인정보의 처리는 다루지 않는다.
(14) The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.
(EN) One of the most frequent questions asked is whether a company falls within the scope of the GDPR. It relates, among other things, to the definition of the European regulation’s territorial scope.
Here you can find a little self-assessment test:
Does the GDPR apply in these cases?
If you doubt the answers, go on reading and you will find the detailed analysis in the video lesson at the bottom of this article (in Russian).
Here are three cases, which show when it is necessary to observe the GDPR:
By the way, this paragraph does not apply only to a physical office or a registered legal entity. There are many other unobvious examples of what should be considered as the “context of the activities of an establishment”. We describe them in detail in the video.
Therefore, if, for example, a Russian citizen, being in Latvia, has used a Russian mobile application, she or he is protected by the GDPR. So the correct answer to the first question is affirmative, i.e. it is necessary to comply with the GDPR.
By the way, according to this paragraph, the GDPR also applies to other cases, which we have mentioned at the beginning of this article. For instance, in the second case, the Belarusian dating site provides a service to European citizens, as well as the American platform from the fourth case.
In comparison, in the fifth case concerning the purchase of tickets to Bali, the GDPR is not applicable, as these people have left the EU and are buying tickets in the office in India.
Do you know why in the sixth case concerning the flower delivery the GDPR does not apply, although the data of European citizens are processed? The reason is that the exception described in the recitals of the Regulation is based on a specific judicial precedent.
For more details on these recitals and court precedent, please see our video lesson.
We hope that the information was helpful. Share it with your colleagues and make sure to see our detailed video lesson below in which you will find:
전체 텍스트에 액세스하려면