(EN)
Documents
WP29, Update of Opinion on applicable law in light of the CJEU judgement in Google Spain (2010).
Case Law
CJEU, Google Spain SL/Agencia española de protección de datos, C-131/12 (2014):
55. In the light of that objective of Directive 95/46 and of the wording of Article 4(1)(a), it must be held that the processing of personal data for the purposes of the service of a search engine such as Google Search, which is operated by an undertaking that has its seat in a third State but has an establishment in a Member State, is carried out ‘in the context of the activities’ of that establishment if the latter is intended to promote and sell, in that Member State, advertising space offered by the search engine which serves to make the service offered by that engine profitable.
56. In such circumstances, the activities of the operator of the search engine and those of its establishment situated in the Member State concerned are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed. (page 14)
CJEU, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein/Wirtschaftsakademie Schleswig-Holstein GmbH, C-210/16 (2018):
… where an undertaking established outside the European Union has several establishments in different Member States, the supervisory authority of a Member State is entitled to exercise the powers conferred on it by Article 28(3) of that directive with respect to an establishment of that undertaking situated in the territory of that Member State even if, as a result of the division of tasks within the group, first, that establishment is responsible solely for the sale of advertising space and other marketing activities in the territory of that Member State and, second, exclusive responsibility for collecting and processing personal data belongs, for the entire territory of the European Union, to an establishment situated in another Member State. (page 14)
(22) 유럽연합 역내의 컨트롤러 또는 프로세서의 사업장(establishment) 활동과 관련한 개인정보 처리는 본 규정에 따라야 하고, 그 처리 자체가 유럽연합 역내에서 발생하는지 여부는 상관없다. 사업장이라 함은 안정적인 방식을 통해 효과적이고 실제적인 활동을 행하는 것을 의미한다. 그 방식의 법적 형태는 법인격을 가진 지점 또는 자회사를 통한 것인지에 관계없이 그와 관련한 결정적인 요인이 아니다.
(22) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.
(14) 본 규정이 정하는 개인정보 보호는 국적이나 거주지에 상관없이 개인정보 처리와 관련된 개인에게 적용되어야 한다. 본 규정은 법인의 명칭과 형태 및 법인의 연락처 등 법인, 특히 법인으로 설립된 사업체와 관련된 개인정보의 처리는 다루지 않는다.
(14) The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.
“Попадает ли наша компания под действие Регламента GDPR?” — это один из самых частых вопросов. И связан он, в том числе, с определением территории действия этого европейского документа.
Вот вам небольшой тест для самопроверки:
Применяется ли GDPR в данных ситуациях?
Если вы сомневаетесь в ответах — то читайте дальше и смотрите подробный разбор в видеоуроке внизу статьи.
Схема «Территория действия GDPR»
3 случая, когда необходимо соблюдать Регламент:
1. Если обработка данных ведется в контексте деятельности организационной единицы в ЕС. Другими словами, если офис физически находится в любой из стран Евросоюза, и в этом офисе производится обработка данных, то GDPR обязателен. Поэтому правильный ответ на 3-й вопрос, про итальянский отель в Киеве, — да, GDPR необходим.
К слову, этот пункт распространяется не только на физический офис или зарегистрированное юрлицо. Есть много других неочевидных примеров того, что следует считать “контекстом деятельности организационной единицы”. Мы рассказали о них подробнее на видео.
…
Войти
для доступа к полному тексту