Territorial and Material Scope of GDPR
Updated: Aug 12
Is your company in the territorial scope of GDPR?
This has been one of the most misunderstood parts of GDPR. Some companies work on GDPR compliance even if they are not bound by it, as well as some companies not aware they are in the scope.
GDPR Article 3 gives a broad definition of the territorial scope of GDPR;
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. 2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
So what does that mean?
Criteria 1: You are established in EU as a processor or a controller. Establishment should be interpreted with a wide scope. For example the head quarters might be in another country but if the team that is responsible to make decisions on that processing activity is EU, then you are in the scope.
Criteria 2: You offer goods or services to data subjects who are in the union. Looking further into the GDPR Recital 23-24 provide a better information of how its interpreted according to the regulation. A website that is simply accessible by a global audience in itself would not indicate intention of “offering goods and services” to EU citizens. For example, it should support language of a member country or have international phone numbers for contact... The Court Justice of the European Union offers good clarification on the topic of “intention” in relation to offering your product to EU citizens, and how it can be demonstrated under the following conditions:
“Patent” evidence, such as the payment of money to a search engine to facilitate access by those within a member state or where targeted member states are designated by name;
Other factors — possibly in combination with each other — including the “international nature” of the relevant activity (e.g. certain tourist activities), mentions of telephone numbers with an international code, use of a top-level domain name other than that of the state in which the trader is established (such as .de or .eu), the description of “itineraries ... from member states to the place where the service is provided,” and mentions of an “international clientele composed of customers domiciled in various member states.”
Criteria 3: You monitor the behavior of EU citizens and their behavior takes place within the union. Monitoring in the GDPR framework is also referred to as “profiling,” and is defined as the automated analysis or predicting of behavior, location, movements, reliability, interests, personal preferences, health, economic situation, performance, etc. It’s also important to note that Article 29 Working Party does provide other examples of monitoring including, but not limited to:
Online behavioral based advertising;
Travel data of individuals using a city’s public transport system (e.g. tracking via travel cards);
Profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering);
Location tracking, for example, by mobile apps; and
Monitoring of wellness, fitness and health data via wearable devices.
Article Working Party 29 suggests that organizations should consider all forms of behavior monitoring, including CCTV, smart cars, home automation, etc. With the wide scope of profiling behavior, organizations should evaluate their current online and offline operations to determine if they will be classified under the monitoring requirement.
Is your company in the material scope of GDPR?
This one is relatively easy and clear to understand because the scope is wide. GDPR Article 2 states;
This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
Basically, any digital data processing (keeping email list in a spreadsheet) or paper filing system is in the scope. It will be easier to tell what is not in the scope; if you are using paper files which will not be a part of a filing system (the processing is not systematic and not on scale) then this data processing is not in the scope. An example of a filing system can be as simple as chronologically ordered sets of paper records containing personal data.
If you want to get in touch and get free consultancy on GDPR, please visit our homepage.
Also, you can claim %90 discount to our GDPR Certification training using this link below; https://www.udemy.com/course/gdpr-compliance-preparation-to-cipp-e-certification-test/?referralCode=222D984161CD11E7C5F4