(EN)
Documents
WP29, Update of Opinion on applicable law in light of the CJEU judgement in Google Spain (2010).
Case Law
CJEU, Google Spain SL/Agencia española de protección de datos, C-131/12 (2014):
55. In the light of that objective of Directive 95/46 and of the wording of Article 4(1)(a), it must be held that the processing of personal data for the purposes of the service of a search engine such as Google Search, which is operated by an undertaking that has its seat in a third State but has an establishment in a Member State, is carried out ‘in the context of the activities’ of that establishment if the latter is intended to promote and sell, in that Member State, advertising space offered by the search engine which serves to make the service offered by that engine profitable.
56. In such circumstances, the activities of the operator of the search engine and those of its establishment situated in the Member State concerned are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed. (page 14)
CJEU, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein/Wirtschaftsakademie Schleswig-Holstein GmbH, C-210/16 (2018):
… where an undertaking established outside the European Union has several establishments in different Member States, the supervisory authority of a Member State is entitled to exercise the powers conferred on it by Article 28(3) of that directive with respect to an establishment of that undertaking situated in the territory of that Member State even if, as a result of the division of tasks within the group, first, that establishment is responsible solely for the sale of advertising space and other marketing activities in the territory of that Member State and, second, exclusive responsibility for collecting and processing personal data belongs, for the entire territory of the European Union, to an establishment situated in another Member State. (page 14)
(22) Orice prelucrare a datelor cu caracter personal în cadrul activităților unui sediu al unui operator sau al unei persoane împuternicite de operator din Uniune ar trebui efectuată în conformitate cu prezentul regulament, indiferent dacă procesul de prelucrare în sine are loc sau nu în cadrul Uniunii. Sediul implică exercitarea efectivă și reală a unei activități în cadrul unor înțelegeri stabile. Forma juridică a unor astfel de înțelegeri, prin intermediul unei sucursale sau al unei filiale cu personalitate juridică, nu este factorul determinant în această privință.
(14) Protecția conferită de prezentul regulament ar trebui să vizeze persoanele fizice, indiferent de cetățenia sau de locul de reședință al acestora, în ceea ce privește prelucrarea datelor cu caracter personal ale acestora. Prezentul regulament nu se aplică prelucrării datelor cu caracter personal care privesc persoane juridice și, în special, întreprinderi cu personalitate juridică, inclusiv numele și tipul de persoană juridică și datele de contact ale persoanei juridice.
(EN) One of the most frequent questions asked is whether a company falls within the scope of the GDPR. It relates, among other things, to the definition of the European regulation’s territorial scope.
Here you can find a little self-assessment test:
Does the GDPR apply in these cases?
If you doubt the answers, go on reading and you will find the detailed analysis in the video lesson at the bottom of this article (in Russian).
Here are three cases, which show when it is necessary to observe the GDPR:
By the way, this paragraph does not apply only to a physical office or a registered legal entity. There are many other unobvious examples of what should be considered as the “context of the activities of an establishment”. We describe them in detail in the video.
Therefore, if, for example, a Russian citizen, being in Latvia, has used a Russian mobile application, she or he is protected by the GDPR. So the correct answer to the first question is affirmative, i.e. it is necessary to comply with the GDPR.
By the way, according to this paragraph, the GDPR also applies to other cases, which we have mentioned at the beginning of this article. For instance, in the second case, the Belarusian dating site provides a service to European citizens, as well as the American platform from the fourth case.
In comparison, in the fifth case concerning the purchase of tickets to Bali, the GDPR is not applicable, as these people have left the EU and are buying tickets in the office in India.
Do you know why in the sixth case concerning the flower delivery the GDPR does not apply, although the data of European citizens are processed? The reason is that the exception described in the recitals of the Regulation is based on a specific judicial precedent.
For more details on these recitals and court precedent, please see our video lesson.
We hope that the information was helpful. Share it with your colleagues and make sure to see our detailed video lesson below in which you will find:
…
Zaloguj się
aby uzyskać dostęp do pełnego tekstu