- EDPB publishes finalised guidelines on territorial scope
- What is the background to the new Guidelines?
- What are the key updates introduced by the final Guidelines?
- When will an organisation be ‘established’ in the EEA under the Guidelines?
- What is the threshold for ‘establishment’?
- How do you determine whether personal data is processed in the context of the establishment?
- What do ‘offering’, ‘targeting’ and ‘monitoring’ mean?
- Does offering require intention?
- What are signs of ‘targeting’?
- What is ‘monitoring’?
- What if a processor is not established in the EEA?
- How does the GDPR interact with laws outside the EEA?
- How can EEA-based processors comply with GDPR data transfer restrictions if the controller is not subject to these restrictions?
- Is there a requirement to have a transfer mechanism in place between a non-EEA controller and EEA-processor if the processor transfers data back to the controller?
- Is the GDPR restricted only to the processing of personal data of individuals who are in the EEA?
- What do the Guidelines say about representatives?
- Can EEA representatives also be processors of controllers?
- What liability is a representative exposed to?
- How has the role of an EEA representative been extended by the EDPB?
Information Law Analysis: On 15 November 2019, the European Data Protection Board (EDPB) published its finalised Guidelines on the Territorial Scope (Guidelines) of the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR). The revisions to the Guidelines followed a period of open public consultation which ran until 18 January 2019. James Fenelon, Ruth Boardman, Gabriel Voisin and Ariane Mole of Bird & Bird LLP, explain the latest developments.
Sign in or take a trial to read the full analysis.
To continue reading this news article, as well as thousands of others like it, sign in to LexisPSL or register for a free trial