Article 3
Territorial scope

Recitals of the Regulation related to Art. 3

(22) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.

(23) In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.

(24) The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

(25) Where Member State law applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.

(26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

Recitals of the Directive related to Art. 3

(18) Whereas, in order to ensure that individuals are not deprived of the protection to which they are entitled under this Directive, any processing of personal data in the Community must be carried out in accordance with the law of one of the Member States; whereas, in this connection, processing carried out under the responsibility of a controller who is established in a Member State should be governed by the law of that State;

(19) Whereas establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements; whereas the legal form of such an establishment, whether simply branch or a subsidiary with a legal personality, is not the determining factor in this respect; whereas, when a single controller is established on the territory of several Member States, particularly by means of subsidiaries, he must ensure, in order to avoid any circumvention of national rules, that each of the establishments fulfils the obligations imposed by the national law applicable to its activities;

(20) Whereas the fact that the processing of data is carried out by a person established in a third country must not stand in the way of the protection of individuals provided for in this Directive; whereas in these cases, the processing should be governed by the law of the Member State in which the means used are located, and there should be guarantees to ensure that the rights and obligations provided for in this Directive are respected in practice;

(21) Whereas this Directive is without prejudice to the rules of territoriality applicable in criminal matters;

GDPR

The first criterion of territorial application is maintained in Article 3 of the Regulation: the Regulation applies to processing performed in the context of the activities of an establishment of the controller in the territory of the Union, and also, which is new, of an establishment of the processor. This clarification will prevent any discussion on the law applicable to it. The final version clarifies that this criterion is assessed regardless of whether the processing takes place in the Union or not.

The controller is defined in Article 4, 7) of the Regulation as: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of processing are determined by the law of the Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”. Of course here, the criterion aims at determining the application of the Regulation itself and in addition to a national law of a Member State as in the Directive.

On the other hand, through the definition of "main establishment" (see Art. 4, 16), the Regulation seeks a solution to locate in the Union the establishment to be considered, whether it is that of a controller or a processor. The usefulness of these definitions lies in identifying the competent supervisory authority, which is why we refer to the commentary on Article 56.

The Regulation also introduces a new rule of extraterritorial application of European law to prevent it from being bypassed by a controller or a processor whose activities or establishment would be located outside the territory of the EU.

The Regulation would thus be applicable where:

- the processing activities are related to the supply of goods or services to natural persons on the territory of the Union, whether a payment of the data subject is required or not. This clarification means that the controller may not rely on the free use of the goods or services to escape the application of the Regulation.

To determine whether this criterion is met, it should be considered whether the controller is planning to do business with persons residing in the Union. Recital 23 also specifies that the simple accessibility of the Internet site of the controller or of an intermediary in the Union is not sufficient to establish the intention of the controller to provide goods or services to persons located in the territory of the Union. The following factors should therefore be taken into account: the use of a language or a currency usually used in the Union; the possibility to order goods and services in that other language; the mention of clients or users residing in the Union (see recital 20).

- the processing activities are related to the observation of human behaviour, as long as this behaviour takes place within the Union. According to recital 24, in order to determine whether a processing activity may be regarded as "observation" of the behaviour of the data subjects, it is necessary to establish whether these people are traced on the Internet using any data processing techniques to analyze the profile of an individual, in order to take decisions with respect to them or to analyze or predict their preferences, behaviour and mindset.

Finally, the Regulation maintains its extraterritorial application in cases where a rule of public international law of the place of establishment of the controller leads to the application of the national law of a Member State. As specified in recital 25, this hypothesis includes the diplomatic missions and the consular posts of a Member State.

The Directive

The EU legislature had planned a particularly broad territorial scope in order to ensure that no person will be excluded from the protection guaranteed by the Regulation and that this protection will not be bypassed (see G29, comment 08/2010 of 16 December 2010 on the applicable law).

The main criterion for application of European data protection law depended on the location of the controller in the territory of the Union in the context of the activities of an establishment of the controller. This criterion implies the demonstration of two elements:

  • On the one hand, the controller must have an establishment in the territory of a Member State, which involves exercising effective and real activity through a stable installation, regardless of the legal form of the business and regardless of the legal form of establishment (e.g., a branch or a subsidiary with legal personality). The Court of Justice of the Union calls for a flexible conception of the concept of establishment, which rules out any formalistic approach whereby an enterprise would be established only in the place where it is registered (see CJEU, 1 October 2015, C-230/14, p. 29);

  • On the other hand, the processing must be carried out as part of the activities of this establishment in the territory of a Member State. The Court of Justice of the Union specifies that, in view of the objective of the Directive to ensure effective protection of the freedoms and rights of individuals, the expression "as part of the activities of an establishment" must not be given a restrictive interpretation. According to the Court of Justice of the Union, the personal data processing need not be effected "by" the concerned establishment itself, but only "within its activities" (CJEU, judgment of 13 May 2014, Google Spain and Google, C-131/12, point 53).

The Directive also contained two criteria of extraterritorial application of European law when the controller had no establishment in the territory of the Union. In the absence of establishment in the EU, the Directive remained applicable:

- When the controller resorted, for processing purposes, to means that were located on the territory of the Union, unless these means were used only for purposes of transit through the territory of the Union. The notion of means of processing unfortunately was not subject to any legal definition, and it gave rise to extensive jurisprudential and doctrinal debates. For example, the Article 29 Group believes that cookies or JavaScript barriers are processing means; according to CNIL, the use of Google cars on French territory constitutes processing means (CNIL, Deliberation No. 2011-035 of 17 March 2011). In this case, the controller must designate a representative established on the territory of that Member State.

- When the national law of the controller was applied under public international law. This hypothesis includes in particular the embassies, which must comply with European law, despite the absence of an establishment in the Union.

Challenges

The extraterritorial application of the Regulation was inevitable in view of the evolution of technology and the omnipotence of some companies established outside the Union that offer goods and services on the Internet and therefore, where applicable, to a community present on European territory, whose data are collected on the occasion of the offer and can then be processed outside the EU. The Court of Justice had already admitted the principle while having to quarter the criterion of connection to the permanent establishment.

This extraterritorial application leads to the difficult issue of the implementation of the decisions that would be obtained against a controller located outside the Union, perhaps in addition to the closure of access to its site when technically possible.

However, the Regulation does not give a criterion of connection for the multiple national laws to be adopted under the Regulation (for example to implement an exception to one or the other principle of protection). Should we revert to the old criterion, or will each Member State be free to apply its own international law to determine it, which may only pose difficulties?

Case law of the CJEU

C-210/16 (5 June 2018)

1. Articles 4 and 28 of Directive 95/46 must be interpreted as meaning that, where an undertaking established outside the European Union has several establishments in different Member States, the supervisory authority of a Member State is entitled to exercise the powers conferred on it by Article 28(3) of that directive with respect to an establishment of that undertaking situated in the territory of that Member State even if, as a result of the division of tasks within the group, first, that establishment is responsible solely for the sale of advertising space and other marketing activities in the territory of that Member State and, second, exclusive responsibility for collecting and processing personal data belongs, for the entire territory of the European Union, to an establishment situated in another Member State.

2. Article 4(1)(a) and Article 28(3) and (6) of Directive 95/46 must be interpreted as meaning that, where the supervisory authority of a Member State intends to exercise with respect to an entity established in the territory of that Member State the powers of intervention referred to in Article 28(3) of that directive, on the ground of infringements of the rules on the protection of personal data committed by a third party responsible for the processing of that data whose seat is in another Member State, that supervisory authority is competent to assess, independently of the supervisory authority of the other Member State, the lawfulness of such data processing and may exercise its powers of intervention with respect to the entity established in its territory without first calling on the supervisory authority of the other Member State to intervene.


Regulation

Art. 3

1.   This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2.   This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

3.   This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

1st proposal

Art. 3

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union.

2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to:

(a) the offering of goods or services to such data subjects in the Union; or

(b) the monitoring of their behaviour.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law.

 

2nd proposal

Art. 3

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union.

2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment by the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the European Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law.

 

Directive

Art. 4

1. Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:

(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;

(b) the controller is not established on the Member State's territory, but in a place where its national law applies by virtue of international public law;

(c) the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.

2. In the circumstances referred to in paragraph 1 (c), the controller must designate a representative established in the territory of that Member State, without prejudice to legal actions which could be initiated against the controller himself.

Art. 3

Territorial scope

1. This Regulation applies to the processing of personal data carried out in connection with the activities of the establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects who are in the Union, carried out by a controller or processor not established in the Union, where the processing is related to

a) the offering of goods or services to such data subjects in the Union, regardless of whether payment from the data subject is required or not, or

b) the monitoring of their behaviour, in so far as their behaviour takes place in the Union.

3. This Regulation applies to the processing of personal data carried out by a controller not established in the Union, but in a place where the national law of a Member State applies pursuant to international law.

The old Act

§ 4 Territorial scope

The Act applies to controllers established in Norway. The King may by regulation decide that the Act shall apply in whole or in part to Svalbard and Jan Mayen, and lay down special rules on the processing of personal data for these areas.

The Act also applies to controllers established in states outside the EEA area if the controller makes use of equipment in Norway. This does not apply, however, if the equipment is used only to transfer personal data via Norway.

Controllers as mentioned in the second paragraph shall have a representative established in Norway. The provisions that apply to the controller also apply to the representative.