On November 12, 2019, the European Data Protection Board (EDPB) adopted a final version of Guidelines 3/2018 on the territorial scope of the General Data Protection Regulation (GDPR) (the Guidelines). The Guidelines, initially adopted on November 16, 2019, were finalized after a period of open public consultation which ran until January 18, 2019, as previously reported by the E-TIPS® Newsletter here.
The Guidelines aim to provide a common interpretation of the GDPR when assessing whether a particular processing activity by a controller or a processor falls within the territorial scope of the GDPR. The GDPR’s territorial scope is based on two main criteria: the establishment criterion and the targeting criterion. As a result of these two criteria, businesses which did not previously need to consider the applicability of EU data protection law to their processing activities may now be caught within the GDPR’s scope. The Guidelines provide further clarification on the application of the establishment criterion and the targeting criterion by providing examples where the data controller or processor is established outside the European Union.
For more information about the Guidelines and how they may apply to your business, please contact us.
Summary By: Jae S. Morris