On 23 November 2018, the European Data Protection Board (EDPB) published the draft of its Guidelines 3/2018 on the territorial scope under Art. 3 GDPR for public consultation ("Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - Version for public consultation").
Among other things, the guidelines address the application of the GDPR on the basis of (i) an establishment in the EU (Art. 3(1) GDPR), (ii) the targeting of offers (Art. 3(2)(a) GDPR) and (iii) the monitoring of behaviour (Art. 3(2)(b) GDPR). They also comment on (iv) the representative of controllers or processors not established in the EU (Art. 27 GDPR).
In around 20 examples, the European Data Protection Board sets out its view of the territorial scope of the GDPR.
Selected examples on establishment in the EU:
Example 2: An e-commerce website operated by a company based in China, whereas the data processing activities of which are exclusively carried out in China, has established a European office in Berlin in order to lead and implement commercial prospection and marketing campaigns towards EU markets.
In this case, it can be considered that the activities of the European office in Berlin are inextricably linked to the processing of personal data carried out by the Chinese e-commerce website, insofar as the commercial prospection and marketing campaign towards EU markets notably serve to make the service offered by the e-commerce website profitable. The processing of personal data by the Chinese company can therefore be considered as carried out in the context of the activities of the European office, as an establishment in the Union, and therefore be subject to the provisions of the GDPR as per its Article 3(1).
Example 5: A pharmaceutical company with headquarters in Stockholm has located all its personal data processing activities with regards to its clinical trial data in its branch based in Singapore. According to the company structure, the branch is not a legally distinct entity and the Stockholm headquarter determines the purpose and means of the data processing carried out on its behalf by its branch based in Singapore.
In this case, while the processing activities are taking place in Singapore, that processing is carried out in the context of the activities of the pharmaceutical company in Stockholm i.e. of a data controller established in the Union. The provisions of the GDPR therefore apply to such processing, as per Article 3(1).
Selected examples on the targeting of offers:
Example 9: A U.S. citizen is travelling through Europe during his holidays. While in Europe, he downloads and uses a news app that is offered by a U.S. company. The app is exclusively directed at the U.S. market. The collection of the U.S. tourist's personal data via the app by the U.S. company is not subject to the GDPR.
Example 12: A website, based and managed in Turkey, offers services for the creation, edition, printing and shipping of personalised family photo albums. The website is available in English, French, Dutch and German and payments can be made in Euros or Sterling. The website indicates that photo albums can only be delivered by post mail in the UK, France, Benelux countries and Germany.
In this case, it is clear that the creation, editing and printing of personalised family photo albums constitute a service within the meaning of EU law. The fact that the website is available in four languages of the EU and that photo albums can be delivered by post in six EU Member States demonstrates that there is an intention on the part of the Turkish website to offer its services to individuals in the Union.
As a consequence, it is clear that the processing carried out by the Turkish website, as a data controller, relates to the offering of a service to data subjects in the Union and is therefore subject to the obligations and provisions of the GDPR, as per its Article 3(2)(a). In accordance with Article 27, the data controller will have to designate a representative in the Union.
Example 13: A private company based in Monaco processes personal data of its employees for the purposes of salary payment. A large number of the company’s employees are French and Italian residents.
In this case, while the processing carried out by the company relates to data subjects in France and Italy, it does not take place in the context of an offer of goods or services. Indeed human resources management, including salary payment by a third-country company cannot be considered as an offer of service within the meaning of Art 3(2)a. The processing at stake does not relate to the offer of goods or services to data subjects in the Union (nor to the monitoring of behaviour) and, as a consequence, is not subject to the provisions of the GDPR, as per Article 3. This assessment is without prejudice to the applicable law of the third country concerned.
Selected examples on the monitoring of behaviour:
Example 15: A marketing company established in the US provides advice on retail layout to a shopping centre in France, based on an analysis of customers’ movements throughout the centre collected through Wi-Fi tracking.
The analysis of customers’ movements within the centre through Wi-Fi tracking will amount to the monitoring of individuals’ behaviour. In this case, the data subjects’ behaviour takes place in the Union since the shopping centre is located in France. The marketing company, as a data controller, is therefore subject to the GDPR in respect of the processing of this data for this purpose as per its Article 3(2)(b). In accordance with Article 27, the data controller will have to designate a representative in the Union.
Example 16: An app developer established in Canada with no establishment in the Union monitors the behaviour of data subjects in the Union and is therefore subject to the GDPR, as per Article 3(2)b. The developer uses a processor established in the US for the app optimisation and maintenance purposes.
Michal Cichocki