Article 2 GDPR. Material scope

1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

Guidelines on consent under Regulation 2016/679

Free / freely given [12]

13. The element “free” implies real choice and control for data subjects. As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid. [13] If consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given. Accordingly, consent will not be considered to be free if the data subject is unable to refuse or withdraw his or her consent without detriment. [14] The notion of imbalance between the controller and the data subject is also taken into consideration by the GDPR.

_{[13] See Opinion 15/2011 on the definition of consent (WP187), p. 12}

_{[14] See Recitals 42, 43 GDPR and WP29 Opinion 15/2011 on the definition of consent, adopted on 13 July 2011, (WP 187), p. 12.}

14. When assessing whether consent is freely given, one should also take into account the specific situation of tying consent into contracts or the provision of a service as described in Article 7(4). Article 7(4) has been drafted in a non-exhaustive fashion by the words “inter alia”, meaning that there may be a range of other situations which are caught by this provision. In general terms, any element of inappropriate pressure or influence upon the data subject (which may be manifested in many different ways) which prevents a data subject from exercising their free will, shall render the consent invalid.

43. Recital 43 clarifies that consent is presumed not to be freely given if the process/procedure for obtaining consent does not allow data subjects to give separate consent for personal data processing operations respectively (e.g. only for some processing operations and not for others) despite it being appropriate in the individual case. Recital 32 states “Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them”.

Minimum content requirements for consent to be ‘informed’

64. For consent to be informed, it is necessary to inform the data subject of certain elements that are crucial to make a choice. Therefore, the EDPB is of the opinion that at least the following information is required for obtaining valid consent: i. the controller’s identity, [30] ii. the purpose of each of the processing operations for which consent is sought,[31] iii. what (type of) data will be collected and used, [32] iv. the existence of the right to withdraw consent,[33] v. information about the use of the data for automated decision-making in accordance with Article 22 (2)(c)[34] where relevant, and vi. on the possible risks of data transfers due to absence of an adequacy decision and of appropriate safeguards as described in Article 46.[35]

_{[30] See also Recital 42 GDPR: “ […]For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.[…].”}

_{[31] Again, see Recital 42 GDPR}

_{[32] See also WP29 Opinion 15/2011 on the definition of consent (WP 187) pp.19-20}

_{[33] See Article 7(3) GDPR}

_{[34] See also WP29 Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (WP251), paragraph IV.B, p. 20 onwards.}

_{[35] Pursuant to Article 49 (1)(a), specific information is required about the absence of safeguards described in Article 46, when explicit consent is sought. See also WP29 Opinion 15/2011 on the definition of consent (WP 187)p. 19}

Unambiguous indication of wishes

75. The GDPR is clear that consent requires a statement from the data subject or a clear affirmative act which means that it must always be given through an active motion or declaration. It must be obvious that the data subject has consented to the particular processing.

77. A “clear affirmative act” means that the data subject must have taken a deliberate action to consent to the particular processing.[41] Recital 32 sets out additional guidance on this. Consent can be collected through a written or (a recorded) oral statement, including by electronic means.

_{[41] See Commission Staff Working Paper, Impact Assessment, Annex 2, p. 20 and also pp. 105-106: “As also pointed out in the opinion adopted by WP29 on consent, it seems essential to clarify that valid consent requires the use of mechanisms that leave no doubt of the data subject’s intention to consent, while making clear that – in the context of the on-line environment – the use of default options which the data subject is required to modify in order to reject the processing (‘consent based on silence’) does not in itself constitute unambiguous consent. This would give individuals more control over their own data, whenever processing is based on his/her consent. As regards impact on data controllers, this would not have a major impact as it solely clarifies and better spells out the implications of the current Directive in relation to the conditions for a valid and meaningful consent from the data subject. In particular, to the extent that ‘explicit’ consent would clarify – by replacing «unambiguous» – the modalities and quality of consent and that it is not intended to extend the cases and situations where (explicit) consent should be used as a ground for processing, the impact of this measure on data controllers is not expected to be major.”}

Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)

Processing of personal data carried out “in the context of the activities of” an establishment

The EDPB considers that, for the purpose of Article 3(1), the meaning of “processing in the context of the activities of an establishment of a controller or a processor” is to be understood in light of the relevant case law. On the one hand, with a view to fulfilling the objective of ensuring effective and complete protection, the meaning of “in the context of the activities of an establishment” cannot be interpreted restrictively [12]. On the other hand, the existence of an establishment within the meaning of the GDPR should not be interpreted too broadly to conclude that the existence of any presence in the EU with even the remotest links to the data processing activities of a non-EU entity will be sufficient to bring this processing within the scope of EU data protection law. Some commercial activity carried out by a non-EU entity within a Member State may indeed be so far removed from the processing of personal data by this entity that the existence of the commercial activity in the EU would not be sufficient to bring the data processing by the non-EU entity within the scope of EU data protection law [13].

_{[12] Weltimmo, paragraph 25 and Google Spain, paragraph 53.}

_{[13] G29 WP 179 update – Update of Opinion 8/2010 on applicable law in light of the CJEU judgment in Google Spain, 16th December 2015}

Consideration of the following two factors may help to determine whether the processing is being carried out by a controller or processor in the context of its establishment in the Union

i) Relationship between a data controller or processor outside the Union and its local establishment in the Union

The data processing activities of a data controller or processor established outside the EU may be inextricably linked to the activities of a local establishment in a Member State, and thereby may trigger the applicability of EU law, even if that local establishment is not actually taking any role in the data processing itself [14]. If a case by case analysis on the facts shows that there is an inextricable link between the processing of personal data carried out by a non-EU controller or processor and the activities of an EU establishment, EU law will apply to that processing by the non-EU entity, whether or not the EU establishment plays a role in that processing of data [15].

_{[14] CJEU, Google Spain, Case C‑131/12}

_{[15] G29 WP 179 update – Update of Opinion 8/2010 on applicable law in light of the CJEU judgment in Google Spain, 16th December 2015}

ii) Revenue raising in the Union

Revenue-raising in the EU by a local establishment, to the extent that such activities can be considered as “inextricably linked” to the processing of personal data taking place outside the EU and individuals in the EU, may be indicative of processing by a non-EU controller or processor being carried out “in the context of the activities of the EU establishment”, and may be sufficient to result in the application of EU law to such processing [16].

_{[16] This may potentially be the case, for example, for any foreign operator with a sales office or some other presence in the EU, even if that office has no role in the actual data processing, in particular where the processing takes place in the context of the sales activity in the EU and the activities of the establishment are aimed at the inhabitants of the Member States in which the establishment is located (WP179 update).}

Article 27 GDPR. Representatives of controllers or processors not established in the Union

1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.

[…]

3. The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.

4. The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.

5. The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.

Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)

“An establishment in the Union”

The threshold for “stable arrangement [9]” can actually be quite low when the centre of activities of a controller concerns the provision of services online. As a result, in some circumstances, the presence of one single employee or agent of a non-EU entity in the Union may be sufficient to constitute a stable arrangement (amounting to an ‘establishment’ for the purposes of Art 3(1)) if that employee or agent acts with a sufficient degree of stability. Conversely, when an employee is based in the EU but the processing is not being carried out in the context of the activities of the EU-based employee in the Union (i.e. the processing relates to activities of the controller outside the EU), the mere presence of an employee in the EU will not result in that processing falling within the scope of the GDPR. In other words, the mere presence of an employee in the EU is not as such sufficient to trigger the application of the GDPR, since for the processing in question to fall within the scope of the GDPR, it must also be carried out in the context of the activities of the EU-based employee.

_{[9] Weltimmo, paragraph 31.}

The fact that the non-EU entity responsible for the data processing does not have a branch or subsidiary in a Member State does not preclude it from having an establishment there within the meaning of EU data protection law. Although the notion of establishment is broad, it is not without limits. It is not possible to conclude that the non-EU entity has an establishment in the Union merely because the undertaking’s website is accessible in the Union [10].

_{[10] CJEU, Verein für Konsumenteninformation v. Amazon EU Sarl, Case C‑191/15, 28 July 2016, paragraph 76 (hereafter “Verein für Konsumenteninformation”).}

Guidelines on consent under Regulation 2016/679

129. While assessing the scope of this definition, the EDPB also refers to case law of the ECJ.[62] The ECJ held that information society services cover contracts and other services that are concluded or transmitted on-line. Where a service has two economically independent components, one being the online component, such as the offer and the acceptance of an offer in the context of the conclusion of a contract or the information relating to products or services, including marketing activities, this component is defined as an information society service, the other component being the physical delivery or distribution of goods is not covered by the notion of an information society service. The online delivery of a service would fall within the scope of the term information society service in Article 8 GDPR.

_{[62] See European Court of Justice, 2 December 2010 Case C-108/09, (Ker-Optika), paragraphs 22 and 28. In relation to ‘composite services’, the EDPB also refers to Case C-434/15 (Asociacion Profesional Elite Taxi v Uber Systems Spain SL), para 40, which states that an information society service forming an integral part of an overall service whose main component is not an information society service (in this case a transport service), must not be qualified as ‘an information society service’.}