What is an establishment under the GDPR?
Any real and effective activity through stable arrangements by a controller or processor within the EU.
What does the Weltimmo case say about establishment?
Even minimal activity through stable arrangements in a member state can constitute establishment.
What factors suggest an establishment exists?
- Target audience
- Presence of representatives
- Bank accounts
- Physical address for mail collection
What does GDPR territorial scope cover?
Organizations established in the EU, or those selling goods/services to or monitoring individuals in the EU.
What is the focus of EDPB Guidelines 3/2018?
Whether the specific processing activity falls within GDPR’s territorial scope.
What is the main test concerning territorial scope under Article 3(1) of the GDPR?
Whether processing is in the context of the activities of an establishment in the Union.
What are the 2 parts of the Article 3(1) test?
- Is there an EU establishment involved?
- Is the data processing carried out in the context of that establishment’s activities?
Does Article 3(1) depend on the location of processing?
No
It applies regardless of whether the processing occurs in the Union.
Does the GDPR apply based on the nationality or residence of the data subject?
No
Per Recital 14, GDPR applies regardless of nationality or residence.
Is payment required for GDPR to apply under Article 3(2)?
No
What is targeting according to EDPB?
Intentional direction of goods, services, or messages to individuals based on specific criteria
What are some EDPB targeting factors?
- Use of EU domains
- Marketing to EU
- Translation for EU
- Use of EU addresses
What is monitoring under GDPR?
The observation, tracking, or profiling of individuals’ behavior.
Examples: behavioral advertising, use of cookies, device fingerprinting, personalized recommendations
What does Article 3(2)(b) require for monitoring to trigger GDPR?
- Behavior must take place in the EU
- Involve data subjects in the EU
What are examples of offline monitoring?
- In-person health assessments
- Surveys
- Interviews
How does the UK approach data protection post-Brexit?
The UK enforces legislation identical to the GDPR for non-UK organizations.
What is material scope under GDPR?
The types of data processing activities to which the GDPR applies.
What types of processing fall within the GDPR’s material scope?
Processing of personal data, including both automated and manual processing.
What activities fall outside the GDPR’s scope?
Activities outside Union law, including:
- Public security
- Defense
- National security
- EU foreign and security policy
What are 3 exemptions to GDPR’s material scope?
- Household use
- Criminal law enforcement
- Processing by EU institutions
What is the household exemption under the GDPR?
Processing by a natural person in the course of purely personal or household activities.
What activities are covered by the crime-related exemption?
Processing for:
- Prevention
- Detection
- Prosecution of crimes
- Execution of criminal penalties
Are EU institutions covered by the GDPR?
No
What regulation applies to data processing by EU institutions?
Regulation 2018/1725
-
Early Data Protection Laws74
-
EU Institutions & Other Data Protection Laws94
-
Personal Data & Controller-Processor Relationship55
-
Risk Management & Data Subject Rights106
-
Data Processing Principles & Special Categories of Data69
-
Fair Processing Information & Third Country Data Transfers53
-
Territorial and Material Scope & Accountability56
-
Self-regulation & the European Data Protection Board63
-
Employee Data34
-
Surveillance and Direct Marketing64
-
Important Technology Concepts42
