Dear Sir or Madam,
First of all, we would like to express our sincere thanks for the opportunity to provide comments on the proposed “Guidelines 3/2018 on the territorial scope of the GDPR” (hereinafter “the Guidelines”). We are truly grateful to have been given the opportunity to review the Guidelines. However, we would like to respectfully submit some amendments and refinements to the proposals in the Guidelines in the following areas:
1. We are of the opinion that, in regard to the territorial scope of the GDPR, Article 3 GDPR should be reasonably interpreted so as to ensure, on the one hand, that the rights of data subjects located in the Union are sufficiently protected and, on the other hand, that controllers or processors are not unnecessarily subject to the GDPR requirements when their relationship with data subjects is merely occasional* or indirect. Indirect application of the GDPR to cases which cannot be fairly justified could lead to reciprocal measures from other states, which could significantly disrupt EU-based controllers’ and processors’ ability to provide their services outside the EU. We greatly appreciate that some of the opinions expressed in the Guidelines follow the same logic.
2. We recommend reconsidering the applicability of Chapter V to the processing of personal data of persons located outside the Union by an EU-based processor (page 11 of the Guidelines). As the EU-based processor may transfer the processed data to a third party only on documented instructions from the controller (Art. 28 (3) (a) GDPR), we believe that the controller’s instructions should prevail (with regard to the processing of personal data of data subjects from non-EU countries). That being said, in some cases the controller can be obliged to give such an instruction (e.g. on the basis of a foreign legal requirement which is binding on the controller). Consequently, unconditional enforcement of Chapter V of the GDPR can considerably disadvantage EU-based processors, because a non-EU controller engaging the services of an EU-based processor might lose some of its rights and control over the personal data processed by this processor (which may reflect the obligations arising from the foreign law applicable to the controller). As a result, non-EU-based controllers might be discouraged from using the services provided by EU-based processors.
3. We suggest that the interpretation of the term “establishment” also focus on the applicability of the GDPR to undertakings (or their parts) without legal personality (such as a branch office of a foreign legal entity), i.e. a special kind of establishment which does not have legal personality but which the undertaking has decided to separate as a specific part of its organizational structure. We understand that such a part of the undertaking will be deemed an establishment within the meaning of the GDPR, so that the GDPR applies under Article 3 (1) GDPR (while the GDPR requirements must be met by, and any fines will be imposed on, the particular undertaking which has legal personality). However, it is not evident whether this separated branch office must always be considered only as a part of the specific controller (due to the lack of legal personality) or whether it could actually be considered an autonomous controller (sui generis) for the purpose of some of the GDPR obligations. Examples are the determination of the competent authority, or the evaluation of a breach of the GDPR attributable to the legal entity and committed in another Member State, which would consequently establish jurisdiction with respect to this specific part of the undertaking having no other connection to the main undertaking/controller established outside that Member State. We believe that this interpretation could be in line with the tax laws of Member States, where such separated branch offices are usually deemed (from the tax point of view) self-standing entities (subjects) that may be subject to taxes in that Member State.
We are of the opinion that providing guidance on this question would help resolve, among other issues, the jurisdiction of national supervisory authorities (in the case of EU-based undertakings having branch offices in other Member States) as well as the territorial scope of the GDPR in general, in particular in administrative proceedings, and the legal standing of the undertakings subject to such proceedings (for non-EU-based undertakings).
4. We are of the opinion that the last sentence of Art. 28 (3) GDPR (“With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.”) should be interpreted (see pages 11 and 12 of the draft Guidelines) in such a way that this obligation is limited only to instructions which infringe the GDPR to the extent applicable to the particular controller or processor.
5. We recommend that the Guidelines further elaborate on the question whether, in accordance with Art. 3 (2), the GDPR will be applicable when it is evident that the processing concerned is also subject to foreign legal requirements which are binding on the particular controller or processor. That can occur particularly when (i) the foreign law requirements are not compatible with the GDPR and when (ii) the data subject’s residence on the territory of the Union is evidently transitory. In such cases, a conflict between the obligations imposed on a controller/processor by different legal orders can arise, and it may be difficult to resolve. If some guidance on the matter were provided, it would surely simplify the legal situation of the controllers and processors concerned.
6. In respect of use case No. 9, we recommend adding an evaluation of the circumstances in which the particular application focuses on the global market, i.e. cannot be considered as focusing solely on the U.S. market. Such situations are presumably common. In our opinion, even in such a case, the GDPR requirements would not be applicable to the US citizen.
7. In regard to use case No. 14, we recommend adding an evaluation of the (presumably more and more common) situation in which the relevant university does not carry out the advertising at German and Austrian universities on its own and purposefully, but instead uses e.g. an advertising system similar to Google AdWords without specifying the particular countries in which the advertising should be carried out (given the language criteria, the advertising system may determine that persons residing in Austria and Germany should be primarily targeted). It will become more and more difficult to determine whether global advertising via the Internet targets the territory of a particular state or not, and the placement of advertising will increasingly be determined by the operator of the system rather than by the advertising entity.
8. As for the interpretation of Art. 27 (4) GDPR (p. 20), we recommend stating whether the authorization of a representative to act in matters of personal data protection is a form of statutory authorization arising ex lege from the fact that the particular person was appointed as a representative according to Art. 27 GDPR, or whether the authorization must be based on a (specific) power of attorney granted to the representative by the controller/processor, i.e. whether the representation is of a contractual nature.
9. We also recommend clarifying how the obligation to be able to act in the language of the regulator or data subject concerned (para. 4 on page 23) should be fulfilled. It clearly follows from use case No. 19 and the wording of Art. 27 GDPR that the controller and the processor are obliged to appoint only one representative in the particular Member State where they actually carry out their business activities (within the meaning of Art. 3 (2) GDPR). We therefore propose that it be clarified how the requirement of the ability to communicate with regulators and data subjects in the national language should be met and how it correlates with the freedom of establishment and movement within the Union.
10. With respect to the representative’s liability, we believe that under Art. 27 (4) GDPR representatives cannot be subject to all sanctions under the GDPR, as is stated in the last paragraph on page 23 (even though such a conclusion is hinted at in the last sentence of Recital 80). Given that this case concerns the exercise of state power, it is, in our opinion, necessary to provide clear and unequivocal rules in the wording of the legal regulation. This is not, however, fulfilled in the case in question. On the contrary, the fact that the representative is expressly mentioned only in Art. 58 (1) (a) GDPR indicates that the option to impose other sanctions on the representative is limited to cases in which the representative is directly in breach of a legal obligation.
We would like to once again emphasize that we are truly grateful for the opportunity to provide the above-mentioned comments on the Guidelines.
JUDr. Vladan Rámiš, Ph.D.
Chairman of the Committee
Ing. Václav Mach
Vice Chairman of the Committee
* Although occasional processing is also subject to the GDPR under Art. 3 (2), as set forth in Article 27 (2) (a) GDPR.