This makes the European Union's approach of ensuring a uniform level of data protection by means of the General Data Protection Regulation (GDPR) all the more valuable. The regulation replaces the Data Protection Directive (Directive 95/46/EC), which has been in effect since 1995 and which was also intended to achieve a uniform level, but which still had to be implemented by the individual member states in form of national laws. In contrast to such a directive, a regulation is directly applicable law and - in case of conflicts - usually takes precedence over national legislation. This means that since the GDPR came into force, the same data protection obligations apply to all data processors within the Union.
Does GDPR then only apply to companies with their registered office within the Union? Which companies need to comply with the requirements of the regulation?
I. Territorial scope of the regulation
The scope of application of the GDPR is characterised by two principles: the establishment principle (Art. 3(1)) and lex loci solutionis (Art. 3(2)).
- Establishment principle
According to the principle of establishment set out in Art. 3(1) GDPR, the GDPR applies to companies that have a branch within the EU as a controller or processor - regardless of whether the data processing takes place within or outside the Union. Where companies have branches in several member states, the principal place of business is deemed to be the registered office of the head office.
- Lex loci solutionis
lex loci solutionis, even companies that maintain no branch within the EU may nevertheless be bound by the requirements of the regulation when processing personal data. A prerequisite for the applicability of the GDPR is that companies operate on the European market and process personal data of data subjects residing in the Union.Here, the GDPR distinguishes between two possible facts: Art. 3(2)(a) provides that the GDPR applies when the company is active on the European market and "offer goods or services". This includes classic online traders, but also cloud providers, social media platforms or streaming services are covered by lit. a).
- Furthermore, Art. 3(2)(b) states that the GDPR is relevant when "the conduct of data subjects [...] is monitored". Such 'behaviour monitoring' includes all tracking or profiling activities for market research purposes, such as behavioural advertising or online tracking through cookies.
- Accordingly, companies outside the territorial scope and would therefore not be covered by the regulation may also fall within the scope of the GDPR.
- This clearly shows that the EU legislator had the broadest possible scope of application in mind - the protection of personal data is as such to be comprehensively guaranteed. The GDPR then also applies irrespective of the place of the branch, insofar as data processing takes place within the EU or data of EU citizens is processed outside the EU. This targeted expansion of the scope of application is intended in particular to minimise opportunities for companies to circumvent the law. In addition, a uniform protection of all personal data processed in the EU as well as all personal data of EU citizens is to be ensured equally.
II. Consequences for practical implementation
But what does this mean in practice? Is there also an obligation to appoint a data protection officer outside the EU? What about the representative rule in Art. 27 GDPR? What is the difference between the role of the data protection officer and that of the representative? Which supervisory authority is responsible in the event of a privacy incident?
- Data protection officer
The obligation of companies to appoint a data protection officer (DPO for short) is based on the requirements of Art. 37 GDPR. In principle, a DPO must be appointed if the core activity is the processing of personal data. This is to be assumed when the business purpose of the enterprise is impossible to achieve without data processing, i.e. the processing is essential for the activity of the respective enterprise.This means that - as a result of the lex loci solutionis described above - non-EU companies may also be obliged to appoint a DPO to monitor compliance with the requirements of the GDPR. Although the practical significance is likely to be minor, as most international companies operate a branch in one of the EU member states and are thus subject to the GDPR per se (see above principle of establishment), this fact is nevertheless worth highlighting. The applicability of the GDPR extending to non-EU entities has brought the European legislator closer to the goal of achieving almost global protection of personal data - at least for those with an EU connection.
- Union representativeIrrespective of the obligation to appoint a DPO, companies without a Union branch which process personal data are obliged under Art. 27 GDPR to appoint a representative based within the EU - the so-called Union representative. This requirement is therefore directly linked to lex loci solutionis. The Union representative is mainly to act as an on-site contact for the supervisory authority and is therefore to be based in one of the member states covered by the processing.The Union representative serves as a "communicative link" between the data processing company and the supervisory authority; companies should not be able to avoid the requirements of the GDPR due to physical distance.
First of all, note should be taken that, compared to the Union representative, it is not mandatory for the DPO's registered office to be within the EU. The fact that this makes perfect sense results from the DPO's tasks: he or she is responsible for the education/training of employees as well as compliance with the data protection requirements of the GDPR. Not only legal barriers, but also language barriers in particular could impede performing this task should the DPO be based outside the EU. In addition, there is to be an assurance the DPO has access to the company without unreasonable impediments. This is usually not guaranteed when a long journey is necessary.Companies without a branch within the EU need to weigh up the following: Should the DPO be located at or near the place of central data processing, the aforementioned difficulties are avoidable. Having the DPO based within the EU has the advantage of being "closer" to the supervisory authority.
- The DPO must also have the necessary expertise to perform their duties pursuant to Art. 37(5) GDPR. In addition to the relevant qualifications in data protection law and its practical application, the DPO also requires sector-specific technical knowledge in order to be able to properly fulfil the tasks specified in Art. 39 GDPR. Furthermore, companies have the choice whether to appoint an internal or external data protection officer.
- Unlike the DPO, there are no specific requirements to be satisfied by the Union representative - any natural or legal person is eligible for appointment as a Union representative. Nevertheless, it is advisable to observe the data protection qualifications when selecting the representative. It is therefore advisable to commission companies specialising in data protection consulting as the Union representative.
- Furthermore, unlike the Union representative, the DPO is independent, Art. 38(3) GDPR. Unlike the Union representative, the DPO is to ensure the protection of data subjects' rights and the overall compliance of data processing with the GDPR. The Union representative is thereby probably to be qualified as a representative in the sense of the Civil Code, §§ 164 et seq. BGB and acts for and on behalf of the company.
- This makes it clear that exercising both positions in personal union is not advisable. Although such an approach is not prohibited from a legal point of view, filling both positions with the same person may quickly lead to conflicts of interest. It is therefore advisable to assign the roles to different people. This is also advised by the European Data Protection Board in reference to the need for independence of the DPO (available at edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_3_2018_territorial_scope_en.pdf, p. 21).
- Competent supervisory authority
Any data protection incident is to be reported to the respective competent supervisory authority. The question that arises here for international companies with several branches within the EU and associated cross-border data processing is: Which is the competent supervisory authority? Which authority do companies need to contact?This is where another important principle of the GDPR takes effect: the one-stop shop principle, enshrined in Art. 56(1). It states that in the case of cross-border processing, the authority at the registered office of the main place of business has the lead jurisdiction. This provision regulates the competence of the authorities in the case of data processing by a company in more than one member state or should the data processing company have branches in several member states or, in the case of processing in only one member state, the processing is likely to have a significant impact on data subjects in more than one member state. Pursuant to Art. 4(16)(a) GDPR, the point of reference is the registered office of the head office, i.e. the branch office that is the actual focus of the company's business - a formal registered office, on the other hand, is not relevant in the context of Art. 56 GDPR. The only exception is when it is not the head office but another office that decides on the purpose and means of data processing.
- Such an exception therefore does not apply to processors per se - the purpose and means can only be decided by the controller. In the case of contract processing companies, the competent authority is also determined by the focus of the processing.
- Nevertheless, it should be noted that the authorities at the other branches also remain contact persons for the data subjects. Even in cases with only a local connection, the local supervisory authority is still responsible. After all, the one-stop-shop scheme is mainly intended to benefit the respective companies: Having a fixed contact person allows the company to adapt to the circumstances in terms of language and location of the DPO - a business-friendly and practical arrangement, but also beneficial for the data subjects. After all, clear rules ensure effective enforcement of the rights of the data subjects.
- Waiver through choice of law?
Since the GDPR is a body of public law, the parties cannot reach an agreement which circumvents the GDPR with regard to its territorial scope as per the Rome I Regulation. The choice of law by the parties therefore does not apply.
The GDPR has hardly any limits. If data processing is linked to the EU, companies are generally required to ensure compliance with a level of protection that complies with the GDPR. It is not the location of the company that matters, but rather the Union relevance of the processing activity. Accordingly, non-EU companies need to carefully evaluate whether there is an obligation to appoint a DPO as well as a Union representative. In this context, it is recommended to appoint different persons to the roles in order to avoid possible conflicts of interest.