Many businesses based outside the EU/EEA may be subject to the General Data Protection Regulation (GDPR), even if only in relation to some of the data processing activities they carry out, because of the extra-territorial effect of the Regulation. However, the test of jurisdictional scope is not straightforward, and businesses may find it difficult to determine whether the GDPR applies to them and, if so, to what extent. In particular, multinational groups may be uncertain which entities within the group are subject to the GDPR and which data processing activities fall within or outside its scope.
In short, GDPR applies to data processing activities in the following two situations:
The same territorial scope applies to both processors and controllers. Therefore, data processors who handle the data of EU data subjects within the above scope will (a) have direct obligations as processors under the GDPR; (b) be bound by the mandatory data processing provisions in their contract with the controller (or with the processor, if they are a sub-processor), as required under Article 28 of the GDPR; and (c) if located outside the EU/EEA, may also have to comply with specific further safeguards, depending on whether or not they are located in a “white-listed” jurisdiction for EU purposes, such as the contractual provisions of the EU-approved standard contractual clauses or (for the US) the requirements of the Privacy Shield certification regime, if relevant.
The European Data Protection Board (EDPB) has published guidelines on the territorial scope of the GDPR and adopted a final version of the guidelines in November 2019 following public consultation. Our flowchart attempts to distil this guidance into an easy-to-apply format. For multinational groups, the flowchart should be applied separately to each entity being assessed.