Capita Selecta Privacy and Data Protection
Introduction:
20% of group assignment, 80% of written exam
- What are the questions that the Court asked and its response.
- Don’t spend a lot of time with irrelevant information such as the national legislation.
- Critical view. What is the main argument of the author?
- Grasping the decision of the court.
- Court cases are important: Facts, Arguments by heart!
Lecture 1
Capsule 1: Territorial scope of the GDPR
Article 3 GDPR
1. This Regulation applies to the processing of personal data in the context of the activities of an
establishment of a controller or a processor in the Union, regardless of whether the processing
takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union
by a controller or processor not established in the Union, where the processing activities are
related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject
is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the
Union, but in a place where Member State law applies by virtue of public international law.
Establishment of controller or processor in the EU
Article 4 DPD (older DP Directive)
Every MS should apply national provisions. Every country had its own DP legislation.
- Important: the first criterion is the establishment criterion, which survived into the GDPR.
Article 3 GDPR: Things changed when the GDPR was published
1) This regulation applies to the processing of personal data in the context of the activities of an
establishment of a controller or a processor in the Union, regardless of whether the processing takes
place in the Union or not.
- For the first time, there is a reference to the processor. The GDPR focuses much more on the role of
processors because it became evident that they had power. It is important to have more
rules on processors. They may process the data for their own means, they may lose the data, etc.
2) “ .. processing of personal data of data subjects who are in the Union by a controller or a
processor not established in the Union where the processing activities are related to:”
A) The offering of goods or services
B) The monitoring of their behavior as far as their behavior takes place within the Union.
- It protects not only residents of the EU, but anybody who is in the Union.
3) “This regulation applies to the processing of personal data by a controller not established in the
Union, but in a place where MS law applies by virtue of public International law.”
- In the cases of diplomats
Main objective of Article 4 of the Directive was to define which national law was applicable
while article 3 of the GDPR defines the territorial scope of a directly applicable text.
There are guidelines concerning the territorial scope of the GDPR.
EDPB Guidelines:
“Any personal data processing in the context of the activities of an establishment of a controller or
processor in the Union would fall under the scope of the GDPR, regardless of the location or the
nationality of the data subject whose personal data are being processed.”
Who is protected?
Even the data of people who reside illegally in the Union is protected. This is closer to the notion of Human
Rights.
Establishment criterion:
1. What is an establishment in the Union?
2. What is meant by “processing in the context of the activities of an establishment in the Union”?
3. GDPR applicability regardless of whether the processing carried out in the context of the
activities of this establishment takes place in the Union or not
Although there is no clear definition of establishment in the GDPR,
Recital 22 states:
“Establishment implies the effective and real exercise of activity through stable arrangements.
The legal form of such arrangements, whether through a branch or a subsidiary with a legal
personality, is not the determining factor in that respect.” Not temporary.
Weltimmo case!
- In the Weltimmo case, the CJ of the EU provided more clarification on the notion of
establishment under the DPD. The regime on which the court was deciding in this case was the
DPD; however, as the notion of establishment is present in both the DPD and the GDPR,
we are allowed to use the argumentation of the court for the GDPR as well.
- Establishment on the territory of a MS implies the effective and real exercise of activity through
stable arrangements and the legal form of such an establishment, whether simply a branch or a
subsidiary with a legal personality, is not the determining factor.
What the CJ said in this case was translated into Recital 22 of the GDPR. You see
how judges make law in a way.
- “In order to establish whether a company...has an establishment...in a Member State ...both the
degree of stability of the arrangements and the effective exercise of activities in that ...
Member State must be interpreted in the light of the specific nature of the economic activities
and the provision of services concerned. This is particularly true for undertakings offering
services exclusively over the Internet.”
- In Weltimmo the Court also said that: “controller exercises, through stable arrangements in the
territory of that Member State, a real and effective activity—even a minimal one—in the
context of which that processing is carried out.” The main activity of the
company does not have to be there for the establishment to be the one we are looking for. You need
any type of real and effective activity, even a minimal one.
- “The issue of the nationality of the persons concerned by such data processing is irrelevant.”
Even I, as a non-Dutch person living in the Netherlands, will be protected against a company
that has an establishment in the Netherlands.
EDPB Guidelines - In the context of the activities:
It is not necessary that the processing in question is carried out “by” the relevant EU establishment
itself; the controller or processor will be subject to obligations under the GDPR whenever the
processing is carried out “in the context of the activities” of its relevant establishment in the
Union. This was a reaction to the Google vs Spain case.
- In the latter case, the CJ used the term: “inextricably linked”. In the context of the activities of
the search engine Google.
- “The activities of the operator of the search engine and those of its establishment situated in the
Member State concerned are inextricably linked since the activities relating to the advertising
space constitute the means of rendering the search engine at issue economically profitable and
that engine is, at the same time, the means enabling those activities to be performed.”
- “when the operator of a search engine sets up in a Member State a branch or subsidiary which is
intended to promote and sell advertising space offered by that engine and which orientates its
activity towards the inhabitants of that Member State.” —> Revenue raising
- This has been implemented in the Recital: Revenue-raising in the EU by a local establishment,
to the extent that such activities can be considered as “inextricably linked” to the processing of
personal data taking place outside the EU and individuals in the EU, may be indicative of
processing by a non-EU controller or processor being carried out “in the context of the activities
of the EU establishment”, and may be sufficient to result in the application of EU law to such
processing.
- Note the relation between the provisions that made it into the GDPR and the existing
court cases: what the courts said and how this affected the evolution of legislation, but also the
opinions and the guidelines of the EU Data Protection Board.
- So the notion “in the context of the activities” that we read in Article 3 of the GDPR, should be
interpreted in a very broad way as the EDPB clearly states in its guidelines.
“Regardless of whether the processing takes place in the Union or not”
- EDPB in its guidelines tried to stress its importance.
EDPB Guidelines:
- “It is the presence, through an establishment, of a data controller or processor in the EU and the
fact that a processing takes place in the context of the activities of this establishment that trigger
the application of the GDPR to its processing activities. The place of processing is therefore
not relevant in determining whether or not the processing, carried out in the context of the
activities of an EU establishment, falls within the scope of the GDPR.”
- The EDPB has a list of very interesting examples.
- Example 5: A pharmaceutical company with headquarters in Stockholm has located all its
personal data processing activities with regards to its clinical trial data in its branch based in
Singapore.
- In this case, while the processing activities are taking place in Singapore, that processing is
carried out in the context of the activities of the pharmaceutical company in Stockholm i.e.
of a data controller established in the Union. The provisions of the GDPR therefore
apply to such processing, as per Article 3(1).
Processing by a controller in the EU using a processor not subject to the GDPR
- The EDPB addressed the question: if a controller that is based in the EU collaborates with a
processor that is not subject to the GDPR, how do you make sure that the rights of the data
subjects are protected?
- Where a controller subject to GDPR chooses to use a processor located outside the Union for a
given processing activity, it will be necessary for the controller to ensure by contract or other
legal act that the processor processes the data in accordance with the GDPR.
Often in the exam, there are cases: Controller A is processing data and collaborating with
processors B and C. You need to find out who falls under the GDPR and who does not, and
how the controller ensures the application of the GDPR, the relevant provisions and the
safeguards. Knowing Article 28 is crucial as it has provisions on situations where the
processor is not bound by the GDPR. It is the responsibility of the data controller to make sure
that specific provisions are respected. This can be done through a contract or other legal means.
Even if the processor is not bound by the GDPR, the controller can impose the
relevant obligations through a contract or another legal act. There is a list of GDPR-related provisions
that are directly applicable to data processors.
Data processor established in the Union for a controller with no establishment in the Union.