Article 3 GDPR. Territorial scope

[…]

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

[…]

Article 9 GDPR. Processing of special categories of personal data

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

[…]

Article 10 GDPR. Processing of personal data relating to criminal convictions and offences

Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

Guidelines on Data Protection Officers (‘DPOs’)

2.1.3 ‘LARGE SCALE’

In any event, the WP29 recommends that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale:

• the number of data subjects concerned — either as a specific number or as a proportion of the relevant population

• the volume of data and/or the range of different data items being processed

• the duration, or permanence, of the data processing activity

• the geographical extent of the processing activity.

Examples of large-scale processing include:

• processing of patient data in the regular course of business by a hospital

• processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)

• processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services

• processing of customer data in the regular course of business by an insurance company or a bank

• processing of personal data for behavioural advertising by a search engine

• processing of data (content, traffic, location) by telephone or internet service providers.

Examples that do not constitute large-scale processing include:

• processing of patient data by an individual physician

• processing of personal data relating to criminal convictions and offences by an individual lawyer.

Guidelines on Data Protection Officers (‘DPOs’)

2.1.1 ‘PUBLIC AUTHORITY OR BODY’

The GDPR does not define what constitutes a ‘public authority or body’. The WP29 considers that such a notion is to be determined under national law. Accordingly, public authorities and bodies include national, regional and local authorities, but the concept, under the applicable national laws, typically also includes a range of other bodies governed by public law [12]. In such cases, the designation of a DPO is mandatory.

_{[12] See, e.g. the definition of ‘public sector body’ and ‘body governed by public law’ in Article 2(1) and (2) of Directive 2003/98/EC of the European Parliament and of the Council of 17 November 2003 on the re-use of public-sector information (OJ L 345, 31.12.2003, p. 90).}

A public task may be carried out, and public authority may be exercised [13] not only by public authorities or bodies but also by other natural or legal persons governed by public or private law, in sectors such as, according to national regulation of each Member State, public transport services, water and energy supply, road infrastructure, public service broadcasting, public housing or disciplinary bodies for regulated professions.

_{[13] Article 6(1)(e).}

Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)

Offering of goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the Union

The first activity triggering the application of Article 3(2) is the “offering of goods or services”, a concept which has been further addressed by EU law and case law, which should be taken into account when applying the targeting criterion. The offering of services also includes the offering of information society services, defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 [23] as “any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”.

_{[23] Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services.}

Another key element to be assessed in determining whether the Article 3(2)(a) targeting criterion can be met is whether the offer of goods or services is directed at a person in the Union, or in other words, whether the conduct on the part of the controller, which determines the means and purposes of processing, demonstrates its intention to offer goods or a services to a data subject located in the Union. Recital 23 of the GDPR indeed clarifies that “in order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.”