Article 3
Territorial scope

Recitals of the Regulation related to article 3

(22) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.

(23) In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.

(24) The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

(25) Where Member State law applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.

(26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

Recitals of the Directive related to article 3

(18) Whereas, in order to ensure that individuals are not deprived of the protection to which they are entitled under this Directive, any processing of personal data in the Community must be carried out in accordance with the law of one of the Member States; whereas, in this connection, processing carried out under the responsibility of a controller who is established in a Member State should be governed by the law of that State;

(19) Whereas establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements; whereas the legal form of such an establishment, whether simply branch or a subsidiary with a legal personality, is not the determining factor in this respect; whereas, when a single controller is established on the territory of several Member States, particularly by means of subsidiaries, he must ensure, in order to avoid any circumvention of national rules, that each of the establishments fulfils the obligations imposed by the national law applicable to its activities;

(20) Whereas the fact that the processing of data is carried out by a person established in a third country must not stand in the way of the protection of individuals provided for in this Directive; whereas in these cases, the processing should be governed by the law of the Member State in which the means used are located, and there should be guarantees to ensure that the rights and obligations provided for in this Directive are respected in practice;

(21) Whereas this Directive is without prejudice to the rules of territoriality applicable in criminal matters;

The GDPR

The first territorial application criterion is maintained in article 3 of the Regulation: the Regulation applies to processing performed in the context of the activities of an establishment of the controller in the territory of the Union and also, which is new, of an establishment of the processor. This clarification will prevent any discussion on the law applicable to the processor. The final version clarifies that this criterion is assessed regardless of whether the processing takes place in the Union or not.

The controller is defined in Article 4(7) of the Regulation as: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of processing are determined by the law of the Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”. Of course here, the criterion aims at determining the application of the Regulation itself and in addition to a national law of a Member State as in the Directive.

In addition, through the definition of "main establishment" (see Art. 4(16)), the Regulation seeks to identify which establishment in the Union is to be considered, whether that of a controller or of a processor. These definitions serve to identify the competent supervisory authority, which is why we refer to the commentary on Article 56.

The Regulation also introduces a new rule of extraterritorial application of European law, to prevent it from being bypassed by a controller or a processor whose activities or establishment would be located outside the territory of the EU.

The Regulation would thus be applicable where:

- the processing activities are related to the supply of goods or services to natural persons on the territory of the Union, whether a payment of the data subject is required or not. This clarification means that the controller may not rely on the goods or services being free of charge to escape the application of the Regulation.

To determine whether this criterion is met, it should be considered whether the controller is planning to do business with persons residing in the Union. Recital 23 also specifies that the simple accessibility of the Internet site of the controller or of an intermediary in the Union is not sufficient to establish the intention of the controller to provide goods or services to persons located in the territory of the Union. The following factors should therefore be taken into account: the use of a language or a currency usually used in the Union; the possibility to order goods and services in that other language; the mention of clients or users residing in the Union (see recital 20).

- the processing activities are related to the observation of human behaviour, as long as this behaviour takes place within the Union. According to recital 24, in order to determine whether a processing activity may be regarded as "observation" of the behaviour of the data subjects, it is necessary to establish whether these people are tracked on the Internet using data processing techniques to profile an individual, in order to take decisions with respect to them or to analyse or predict their preferences, behaviour and mindset.

Finally, the Regulation maintains its extraterritorial application in cases where a rule of public international law of the place of establishment of the controller leads to the application of the national law of a Member State. As specified in recital 25, this hypothesis includes the diplomatic missions and consular posts of a Member State.

The Directive

The EU legislature had planned a particularly broad territorial scope in order to ensure that no person will be excluded from the protection guaranteed by the Regulation and that this protection will not be bypassed (see G29, comment 08/2010 of 16 December 2010 on the applicable law).

The main criterion for application of European data protection law depended on the location of the controller in the territory of the Union in the context of the activities of an establishment of the controller.  This criterion implies the demonstration of two elements:

  • on the one hand, the controller must have an establishment in the territory of a Member State which involves exercising effective and real activity through a stable installation, regardless of the legal form of the business and regardless of the legal form of establishment (e.g., a branch or a subsidiary with legal personality). The Court of Justice of the Union calls for a flexible conception of establishment which rules out any formalistic approach whereby an enterprise would be established only in the place where it is registered (see CJEU, 1 October 2015, C-230/14, p. 29);

  • on the other hand, the processing must be carried out as part of the activities of this establishment in the territory of a Member State. The Court of Justice of the Union specifies that, in view of the objective of the Directive to ensure effective protection of the freedoms and rights of individuals, the expression "as part of the activities of an establishment" must not be given a restrictive interpretation. According to the Court of Justice of the Union, the personal data processing should not be effected "by" the concerned establishment itself, but only "within its activities" (CJEU, judgment of 13 May 2014, Google Spain and Google, C-131/12, point 53).

The Directive also contained two criteria of extraterritorial application of European law when the controller had no establishment in the territory of the Union. In the absence of establishment in the EU, the Directive remained applicable:

- When the controller resorted, for processing purposes, to means that were located on the territory of the Union, unless these means were used only for purposes of transit through the territory of the Union. The notion of means of processing was unfortunately not subject to any legal definition and gave rise to extensive jurisprudential and doctrinal debates. For example, the Group Article 29 believes that cookies or javascript barriers are processing means; according to CNIL, the use of Google cars on French territory constitutes processing means (CNIL, Deliberation No. 2011-035 of 17 March 2011). In this case, the controller must designate a representative established on the territory of that Member State.

- When the national law of the controller was applied under public international law. This hypothesis includes in particular embassies, which must comply with European law despite the absence of an establishment in the Union.

Potential issues

The extraterritorial application of the Regulation was inevitable in view of the evolution of technology and the omnipotence of some companies established outside the Union that offer goods and services on the Internet and therefore, if appropriate, to a community present on European territory, whose data are collected on the occasion of the offer and can then be processed outside the EU. The Court of Justice had already admitted the principle while having to quarter the criterion of connection to the permanent establishment.

This extraterritorial application raises the difficult issue of enforcing decisions obtained against a controller located outside the Union, perhaps in addition to the closure of access to its site when technically possible.

However, the Regulation does not provide a connecting criterion for the multiple national laws to be adopted under the Regulation (for example to implement an exception to one or other of the protection principles). Should we revert to the old criterion, or will each Member State be free to apply its own international law to determine it, which can only pose difficulties?

Group 29

Guidelines for identifying a controller or processor’s lead supervisory authority (5 April 2017)

(Endorsed by the EDPB)

Identifying a lead supervisory authority is only relevant where a controller or processor is carrying out the cross-border processing of personal data. Article 4(23) of the General Data Protection Regulation (GDPR) defines ‘cross-border processing’ as either the:

- processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or the

- processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

This means that where an organisation has establishments in France and Romania, for example, and the processing of personal data takes place in the context of their activities, then this will constitute cross-border processing.

Alternatively, the organisation may only carry out processing activity in the context of its establishment in France. However, if the activity substantially affects – or is likely to substantially affect - data subjects in France and Romania then this will also constitute cross-border processing.

CJEU caselaw

C-131/12 (13 May 2014)

1.      Article 2(b) and (d) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data are to be interpreted as meaning that, first, the activity of a search engine consisting in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference must be classified as ‘processing of personal data’ within the meaning of Article 2(b) when that information contains personal data and, second, the operator of the search engine must be regarded as the ‘controller’ in respect of that processing, within the meaning of Article 2(d).

2.      Article 4(1)(a) of Directive 95/46 is to be interpreted as meaning that processing of personal data is carried out in the context of the activities of an establishment of the controller on the territory of a Member State, within the meaning of that provision, when the operator of a search engine sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State.

3.      Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, in order to comply with the rights laid down in those provisions and in so far as the conditions laid down by those provisions are in fact satisfied, the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.

4.      Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, when appraising the conditions for the application of those provisions, it should inter alia be examined whether the data subject has a right that the information in question relating to him personally should, at this point in time, no longer be linked to his name by a list of results displayed following a search made on the basis of his name, without it being necessary in order to find such a right that the inclusion of the information in question in that list causes prejudice to the data subject. As the data subject may, in the light of his fundamental rights under Articles 7 and 8 of the Charter, request that the information in question no longer be made available to the general public on account of its inclusion in such a list of results, those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name. However, that would not be the case if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question.


C-230/14 (1 October 2015)

1.      Article 4(1)(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as permitting the application of the law on the protection of personal data of a Member State other than the Member State in which the controller with respect to the processing of those data is registered, in so far as that controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity — even a minimal one — in the context of which that processing is carried out.

In order to ascertain, in circumstances such as those at issue in the main proceedings, whether that is the case, the referring court may, in particular, take account of the fact (i) that the activity of the controller in respect of that processing, in the context of which that processing takes place, consists of the running of property dealing websites concerning properties situated in the territory of that Member State and written in that Member State’s language and that it is, as a consequence, mainly or entirely directed at that Member State, and (ii) that that controller has a representative in that Member State, who is responsible for recovering the debts resulting from that activity and for representing the controller in the administrative and judicial proceedings relating to the processing of the data concerned.

By contrast, the issue of the nationality of the persons concerned by such data processing is irrelevant.

2.      Where the supervisory authority of a Member State, to which complaints have been submitted in accordance with Article 28(4) of Directive 95/46, reaches the conclusion that the law applicable to the processing of the personal data concerned is not the law of that Member State, but the law of another Member State, Article 28(1), (3) and (6) of that directive must be interpreted as meaning that that supervisory authority will be able to exercise the effective powers of intervention conferred on it in accordance with Article 28(3) of that directive only within the territory of its own Member State. Accordingly, it cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in that territory, but should, in accordance with Article 28(6) of that directive, request the supervisory authority within the Member State whose law is applicable to act.

3.      Directive 95/46 must be interpreted as meaning that the term ‘adatfeldolgozás’ (technical manipulation of data), used in the Hungarian version of that directive, in particular in Articles 4(1)(a) and 28(6) thereof, must be understood as having the same meaning as that of the term ‘adatkezelés’ (data processing).


C-191/15 (28 July 2016)

1.      Regulation (EC) No 593/2008 of the European Parliament and of the Council of 17 June 2008 on the law applicable to contractual obligations (Rome I) and Regulation (EC) No 864/2007 of the European Parliament and of the Council of 11 July 2007 on the law applicable to non-contractual obligations (Rome II) must be interpreted as meaning that, without prejudice to Article 1(3) of each of those regulations, the law applicable to an action for an injunction within the meaning of Directive 2009/22/EC of the European Parliament and of the Council of 23 April 2009 on injunctions for the protection of consumers’ interests directed against the use of allegedly unfair contractual terms by an undertaking established in a Member State which concludes contracts in the course of electronic commerce with consumers resident in other Member States, in particular in the State of the court seised, must be determined in accordance with Article 6(1) of Regulation No 864/2007, whereas the law applicable to the assessment of a particular contractual term must always be determined pursuant to Regulation No 593/2008, whether that assessment is made in an individual action or in a collective action.

2.      Article 3(1) of Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts must be interpreted as meaning that a term in the general terms and conditions of a seller or supplier which has not been individually negotiated, under which the contract concluded with a consumer in the course of electronic commerce is to be governed by the law of the Member State in which the seller or supplier is established, is unfair in so far as it leads the consumer into error by giving him the impression that only the law of that Member State applies to the contract, without informing him that under Article 6(2) of Regulation No 593/2008 he also enjoys the protection of the mandatory provisions of the law that would be applicable in the absence of that term, this being for the national court to ascertain in the light of all the relevant circumstances.

3.      Article 4(1)(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that the processing of personal data carried out by an undertaking engaged in electronic commerce is governed by the law of the Member State to which that undertaking directs its activities, if it is shown that the undertaking carries out the data processing in question in the context of the activities of an establishment situated in that Member State. It is for the national court to ascertain whether that is the case.


C-210/16 (5 June 2018)

1. Articles 4 and 28 of Directive 95/46 must be interpreted as meaning that, where an undertaking established outside the European Union has several establishments in different Member States, the supervisory authority of a Member State is entitled to exercise the powers conferred on it by Article 28(3) of that directive with respect to an establishment of that undertaking situated in the territory of that Member State even if, as a result of the division of tasks within the group, first, that establishment is responsible solely for the sale of advertising space and other marketing activities in the territory of that Member State and, second, exclusive responsibility for collecting and processing personal data belongs, for the entire territory of the European Union, to an establishment situated in another Member State.

2. Article 4(1)(a) and Article 28(3) and (6) of Directive 95/46 must be interpreted as meaning that, where the supervisory authority of a Member State intends to exercise with respect to an entity established in the territory of that Member State the powers of intervention referred to in Article 28(3) of that directive, on the ground of infringements of the rules on the protection of personal data committed by a third party responsible for the processing of that data whose seat is in another Member State, that supervisory authority is competent to assess, independently of the supervisory authority of the other Member State, the lawfulness of such data processing and may exercise its powers of intervention with respect to the entity established in its territory without first calling on the supervisory authority of the other Member State to intervene.


Regulation

Art. 3

1.   This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2.   This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

3.   This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

1st proposal

Art. 3

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union.

2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to:

(a) the offering of goods or services to such data subjects in the Union; or

(b) the monitoring of their behaviour.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law.

 

2nd proposal

Art. 3

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union.

2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment by the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the European Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law.

 

Directive

Art. 4

1. Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:

(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;

(b) the controller is not established on the Member State's territory, but in a place where its national law applies by virtue of international public law;

(c) the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.

2. In the circumstances referred to in paragraph 1 (c), the controller must designate a representative established in the territory of that Member State, without prejudice to legal actions which could be initiated against the controller himself.

REVOKED BY D.Lgs. 101/2018

The EU Regulation n. 2016/679 fully applies.

Old law

Art. 5 D.Lgs. 196/2003 - Subject-Matter and Scope of Application

1. This Code shall apply to the processing of personal data, including data held abroad, where the processing is performed by any entity established either in the State’s territory or in a place that is under the State’s sovereignty.

2. This Code shall also apply to the processing of personal data that is performed by an entity established in the territory of a country outside the European Union, where said entity makes use in connection with the processing of equipment, whether electronic or otherwise, situated in the State’s territory, unless such equipment is used only for purposes of transit through the territory of the European Union.
