Draft Guidelines on the Territorial Scope of the GDPR

Published on

January 31, 2019

Jan 2019 Charity & NFP Law Update

Between November 2018 and January 2019, the European Data Protection Board, an independent European body established by the EU’s General Data Protection Regulation (“GDPR”), was seeking comment on the draft Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) (the “EDPB Guidelines”). The Guidelines provide some clarification for controllers and processors, including those not established in the EU, as defined under the GDPR. For general information on the GDPR, see Charity & NFP Law Bulletin No. 419.

The EDPB Guidelines confirm that, even if not established in the EU, controllers and processors, which may include Canadian charities and not-for-profits, may be caught by Article 3(2)(a) or (b) of the GDPR if they process personal data of EU residents to offer them goods or services or to monitor their behaviour within the EU. In this regard, while Article 3(2) of the GDPR applies to the personal data of data subjects who are in the EU, regardless of their citizenship, residence or other legal status, there must be an element of “targeting” individuals in the EU, either by offering goods or services to them or by monitoring their behaviour, in order for the GDPR to apply.

The EDPB Guidelines set out a number of factors that may, alone or in combination with one another, indicate the controller’s or processor’s intention to offer goods or services to a data subject in the EU, including: i) the EU or at least one Member State is mentioned by name; ii) marketing and advertisement campaigns have been directed at an EU audience; iii) EU addresses or telephone numbers are mentioned; iv) an EU domain name such as “.eu” is used; v) there are travel instructions from one or more EU Member States; vi) EU customers are mentioned; vii) EU languages or currencies are used; or viii) the delivery of goods in EU Member States is offered. If one or any combination of these factors is present, organizations in Canada, including charities and not-for-profits, may be subject to the GDPR.

The second type of activity triggering the application of Article 3(2) is the monitoring of data subject behaviour in the EU. “Monitoring behaviour” includes tracking individuals on the Internet to analyze or predict their personal preferences, behaviours and attitudes.

According to the EDPB Guidelines, in order for the GDPR to apply, the monitoring must relate to a data subject in the EU and the monitored behaviour must take place within the territory of the EU. The EDPB Guidelines state that “monitoring” does not exclusively mean tracking a person on the Internet, but can also include tracking through other types of network or technology, such as wearable and other smart devices. The EDPB Guidelines also provide that not every online collection or analysis of personal data of individuals in the EU will automatically count as “monitoring” within the meaning of Article 3(2), and that there must be subsequent behavioural analysis or profiling involving that data, for it to constitute “monitoring.”

The EDPB Guidelines go on to list examples of monitoring activities, including “online tracking through the use of cookies or other tracking techniques such as fingerprinting.” In this regard, using cookies on a website that is accessible to EU residents will be enough to trigger the application of the GDPR, potentially capturing Canadian charities and not-for profits. Other examples of “monitoring” that are listed include targeted advertisements to consumers based on their browsing behavior; closed circuit TV and various online activities related to an individual’s health status or diet.

If a Canadian charity or not-for profit is caught by the GDPR due to Article 3(2), it is required to designate a representative within the EU who is mandated to ensure its compliance with the GDPR. Failure to appoint a representative or failure to make the identity of the representative available to data subjects would be a breach of the GDPR, exposing it to the significant penalties available. The Canadian charity or not-for-profit would be able to avoid the obligation to appoint a representative if it can demonstrate that its data processing is “occasional”, does not include, on a large scale, processing of certain categories of particularly sensitive data, and does not pose a risk to the rights and freedoms of natural persons.

Given the significant penalties for non-compliance, Canadian charities and not-for-profits that may be caught by the GDPR should implement a plan to bring themselves into compliance as soon as possible.


Read the January 2019 Charity & NFP Law Update