Questions regarding the territorial scope of the GDPR

Datum

26.07.2023

Številka

07121-1/2023/980

Kategorije

Razno

The Information Commissioner (Slovenian National Supervisory Body for Personal Data Protection) received your question regarding the territorial scope of the GDPR and supervisory powers of the Information Commissioner.

As a preliminary remark, the Information Commissioner recalls that it cannot assess the lawfulness of processing of personal data or potential infringements of the rights of the data subjects outside of an inspection or other administrative procedure. We therefore only provide general explanations and legal background regarding your questions.

The Information Commissioner notes, that the mere fact that a company established in Montenegro is owned by a company established in Slovenia (or any other EU Member State) is not a decisive factor when determining whether the GDPR applies, but it is necessary to assess whether the conditions stipulated in Article 3 of the GDPR are met in the case at hand.

Pursuant to Article 3 of the GDPR, the regulation applies to the processing of personal data in two situations:

1.if personal data is processed in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not;

2.if personal data of data subjects who are in the Union is processed by a controller or processor not established in the Union, where the processing activities are related to:

(a)the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b)the monitoring of their behaviour as far as their behaviour takes place within the Union.

When assessing whether personal data is processed in the context of the activities of an establishment of a controller or a processor in the Union, (1) it is, first, necessary to identify who is the controller or processor of personal data; (2) second, it must be determined whether the controller or processor has an establishment in the EU; and (3) third, it needs to be assessed whether processing in question is carried out in the context of the activities of this establishment.

GDPR defines the controller as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 4(7) of the GDPR). In accordance with the accountability principle, the controller is responsible for, and must be able to demonstrate compliance with the GDPR. Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8) of the GDPR). Allocation of roles of controller and processor must be based on factual elements taking into account all circumstances surrounding the processing of personal data.

Once the role of the controller is determined, it must be assessed, whether it has an establishment in the EU. Pursuant to Recital 22 of the GDPR, an establishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect. In line with the EDPB Guidelines 3/2018 on the territorial scope of the GDPR, the notion of an establishment is broad and cannot be equated with the place of registration of an undertaking. However, pursuant to the jurisprudence of the CJEU, it cannot be considered that a non-EU undertaking without subsidiary or branch in the EU has an establishment in the EU merely because the undertaking’s website is accessible in the Union.[1]

Pursuant to the information from your inquiry, the Information Commissioner cannot determine neither who is the controller in the present case, nor whether a controller has an establishment in the EU, therefore it cannot confirm nor deny whether it is competent to handle a complaint against a company in Montenegro. In principle, the Information Commissioner could be competent to deal with the complaint of an employee of a company operating in Montenegro, if the company is a controller or processor with an establishment in the EU and personal data is processed in the context of the activities of such establishment.

Kind regards,

Mojca Prelesnik, Information Commissioner of the Republic of Slovenia

---

[1]Verein für Konsumenteninformation v. Amazon EU Sarl, Case C‑191/15, 28 July 2016, para.76.