The European Data Protection Board (EDPB) has issued for public comment its Guidelines on the territorial scope of the European Union General Data Protection Regulation (GDPR). One of the purposes of GDPR was to expand the application of EU data protection law, but the provisions setting out GDPR’s scope are not consistently clear.
Approximately one year in the making, the Guidelines confirm some of the established interpretations of GDPR’s application to entities in the EU even when they process personal data of persons outside the EU and clarify GDPR’s scope particularly as to the meaning of “persons in the Union.” The Guidelines also discuss the conditions when a non-EU entity subject to GDPR must designate a representative in the EU.
Still, the Guidelines leave unanswered important questions, including whether non-EU entities offering B2B services or goods to EU companies fall under GDPR.
In November 2017, the then-Article 29 Working Party group of EU data protection supervisory authorities – now the EDPB – was tasked with providing guidelines on the interpretation of GDPR Art. 3, which sets out the scope of application of GDPR to entities established in the EU (Art. 3(1)) and entities established outside the EU (Art. 3(2)).
Click here to read more.