The #EDPB published the *long awaited* draft #GDPR Territorial Scope #Guidelines today, which also have a section dedicated to the “legal representative” issue. Some takeaways below ⬇️ Thread time 1/14 edpb.europa.eu/sites/edpb/fil…
An “establishment” of a non-EU entity in the EU doesn't require a registered branch/subsidiary. Any stable arrangements will be taken into account 4 data protection law purposes. But merely the fact that the company’s website is accessible from the EU is not an "establishment" 2/14
A processor in the EU is not deemed to be an “establishment” of the non-EU controller in the EU. The existence of the controller-processor relationship does not trigger the application of the #GDPR to the non-EU controller 3/14
So, if a processor is established in the Union, it will be required to comply with the obligations *imposed on processors* by the #GDPR and its non-EU client company (“controller”) is not subject to the GDPR 4/14
If a controller is in the Union and it hires a non-EU processor, the processor will only be indirectly subject to the #GDPR, through its contractual obligations, since Art 28 imposes an obligation on controllers to enter contracts with processors 5/14
Where there is no establishment of the controller in the Union, the GDPR applies if it provides services, goods or monitors behavior of persons in the Union. All the following remarks are only relevant for this situation 6/14
Those without an establishment in the Union cannot benefit from the #OneStopShop mechanism, meaning for example that they cannot rely on a Lead Authority 7/14
By persons in the Union EDPB understands *anyone* physically in the Union at the moment where the trigger activity takes place (i.e. offering goods), *irrespective of citizenship or residency* 8/14
Important! Simply processing personal data of persons in the Union by a non-EU entity does not trigger the application of the GDPR – an element of #targeting must be present 9/14
The EDPB provides a non-exhaustive list of criteria to assess “targeting”, such as paying a search engine for an internet referencing service targeting EU consumers or having a dedicated website domain like .eu. 10/14
In general, mere accessibility of the website from the EU and publishing an e-mail address or a telephone number without an international code do not provide sufficient evidence for “targeting” goods & services 11/14
For the “monitoring of behavior” trigger, the EDPB clarifies there is no “targeting” criterion. However, not all online or analysis of personal data will automatically mean “monitoring”. Any subsequent behavioral analysis or profiling techniques will be taken into account 12/14
As for the “legal representative” of non-EU controllers that fall under the GDPR, the EDPB clarifies that the role of a #DPO *is not compatible* with the role of legal representative in the Union & that it’s essential for representatives to speak local language 13/14
It also confirms that enforcement actions can be done against representatives “in the same way as against controllers and processors”, including the possibility to impose fines and “to hold representatives liable”. The guidelines do not mention liable *for what*. THE END 🤷‍♀️ 14/14