November 30, 2018

EU Regulators Publish Guidelines On GDPR Territorial Scope

On November 16, 2018, the European Data Protection Board (Board) (comprised of EU member state data protection authorities), published draft guidelines on the territorial scope of the GDPR (Guidelines). The Guidelines provide interpretive comments with illustrative use cases and are open for public consultation until January 18, 2019. Following public consultation, the Board is expected to issue final guidelines. The GDPR’s extraterritorial reach has been a thorny grey area for non-established organizations, and critical questions remain unanswered. Comments may be submitted to the Board at We highlight below the provisions examined by the Board and identify those that require clarification.

1. Establishment Criterion (Article 3(1))

The GDPR applies to businesses “established” (e.g., incorporated) in the EU. The GDPR classifies businesses as controllers or processors, and compliance obligations flow from the relevant classification. The Board clarified that:

  • A non-EU customer (controller) that engages an EU service provider (processor) is not subject to the GDPR solely on the basis of their commercial relationship. For example, the use by a U.S. hotel of an EU provider of backend sales, reservations and distribution solutions does not make the hotel “established” subject to the GDPR’s suite of controller obligations.
  • A non-EU processor engaged by an EU controller is indirectly subject to certain GDPR obligations imposed by the controller through a Data Processing Agreement (DPA). For example, a U.S. company with no connection to the EU, except that it provides backend sales, reservations and distribution solutions to an EU hotel, will be made subject to the certain GDPR obligations through the contractual terms of a DPA (which the hotel is required to impose on service providers that process its personal data). These terms include adequately protecting the data and obtaining prior approval to use subcontractors for data processing.

2. Targeting Criterion (Article 3(2) Offering of goods or services; Monitoring Behavior)

The GDPR applies to non-EU businesses that (i) offer goods or services to EU individuals (“data subjects”); or (ii) monitor their behavior. The Board clarified the following:

  • The location of data subjects in the EU must be assessed at the moment a business offers goods or services or monitors the behavior of people in the EU
  • The GDPR applies to data subjects in the EU, irrespective of citizenship. Conversely, an EU individual residing in the U.S. is not protected by the GDPR
  • The “monitoring” behavior requires a specific intent to collect and subsequently reuse personal data about an individual’s behavior. The Board broadly interpreted “monitoring” to encompass such activities as behavioral advertising; geo-localization tracking; online tracking through cookies or other tracking tools; behavioral studies based on individual profiles; and monitoring or regular reporting on activities through wearables and smart devices.

3. EU-Based Representative (Article 27)

  • The Board clarified that the EU-based representative for non-established controllers or processors cannot be fulfilled by a Data Protection Officer.
  • Importantly, the Board reiterated that the EU-based representative is liable for the non-compliance of its controller or processor customers. This could make it more challenging for non-established entities to engage an EU-based representative, as would-be providers could be deterred from assuming the risk, or contractually shift risk to customers through onerous indemnification and other terms.

4. Remaining Need for Clarification

The Board did not address critical issues for non-EU entities, including:

  • The extent to which non-EU processors are subject to the GDPR under the “targeting” prong. By its very nature, a processor processes personal data on behalf of and at the direction of a controller; it does not itself “offer” goods/services directly to data subjects (e.g., their controllers’ employees or end users), or “monitor” their behavior
  • Is a non-EU controller that targets and processes personal data solely in a “B-2-B” context caught by the GDPR? (e.g., employee contact data collected for invoicing or account management; a U.S.-based manufacturer selling products to an EU-based reseller)
  • With respect to non-EU processors, is there a conflict between the provision that deems a processor is a controller when the processor violates the GDPR by exceeding the controller’s instructions on the one hand, and, on the other hand, the triggers for extraterritorial application of the GDPR?

We are hopeful that the Board will shed some light on these important issues. The public consultation process is an important opportunity for affected businesses to educate the Board and result in an outcome that is better aligned with the digital ecosystem “on the ground.” Please let us know if you wish to discuss the Guidelines, or any issues you intend to include in your submission to the Board or through Goodwin.


Goodwin’s Data, Privacy and Cybersecurity practice is one of the longest-standing privacy practices of any global 50 firm and has been ranked among leading law firms for privacy and cybersecurity, including by Legal 500 and Chambers. It fully integrates and leverages the firm's core strengths, with the group's lawyers coming from the technology, financial industry, licensing, litigation and regulatory practices. The team has handled hundreds of data breach investigations, litigated landmark privacy cases, and defended clients in investigations and enforcement actions brought by state attorneys general and federal data protection regulators. Goodwin provides clients practical advice on all aspects of information-related management, including the establishment of comprehensive privacy programs, audits, transactional due diligence and compliance with domestic and international privacy laws.