Dovolujeme si upozornit členy Spolku na ochranu osobních údajů o probíhající konzultaci EDPB k čl. 3 GDPR.
Jak jste byli informováni na Workplace spolku, EDPB (Evropský sbor pro ochranu osobních údajů) spustil tuto veřejnou konzultaci za účelem shromáždění komentářů a připomínek ke svému stanovisku (výkladu) čl. 3 GDPR.
Lhůta pro zaslání komentářů k tomuto stanovisku je do 18. ledna 2019.
Vzhledem k tomu, že Spolek pro ochranu osobních údajů bude připravovat vlastní stanovisko, které budeme odesílat přímo EDPB, dovolujeme si Vás tímto požádat o Vaše komentáře či připomínky ke zveřejněnému stanovisku (viz diskuze na Workplace nebo formou emailové zprávy na firstname.lastname@example.org), a to nejpozději do 15. ledna 2019.
The European Data Protection Board welcomes comments on the Guidelines 3/2018 on the territorial scope of the GDPR (Article 3). Such comments should be sent to the following address by 18 January 2019 at the latest: EDPB@edpb.europa.eu
Please note that, by submitting your comments, you acknowledge that your comments might be published on the EDPB website.
In addition, if your comments also contain personal data, and you accept the publication of such data, please include the following sentence, either at the end of your comments, or in the covering message: I/we hereby consent to the publication of personal data contained in this/the attached document.
At the opposite, if your comments also contain personal data/business secrets and/or any other data and you do not wish them to be made public please also provide us with a non-confidential version of your comments.
Please, note that regardless the option chosen, your contribution may be subject to a request for access to documents under Regulation 1049/2001 on public access to European Parliament, Council and Commission documents. In this case the request will be assessed against the conditions set out in the Regulation and in accordance with applicable data protection rules.
Adopted on 16 November2018
The territorial scope of General Data Protection Regulation1 (the GDPR) is determined by Article 3 of the Regulation and represents a significant evolution of the EU data protection law compared to the framework defined by Directive 95/46/EC2. In part, the GDPR confirms choices made by the EU legislator and the Court of Justice of the European Union (CJEU) in the context of Directive 95/46/EC. However, important new elements have been introduced. Most importantly, the main objective of Article 4 of the Directive was to define which Member State’s national law is applicable, whereas Article 3 of the GDPR defines the territorial scope of a directly applicable text. Moreover, while Article 4 of the Directive made reference to the ‘use of equipment’ in the Union’s territory as a basis for bringing controllers who were “not established on Community territory” within the scope of EU data protection law, such a reference does not appear in Article 3 of the GDPR. Article 3 of the GDPR reflects the legislator’s intention to ensure comprehensive protection of EU data subjects’ rights and to establish, in terms of data protection requirement, a level playing field for companies active on the EU markets, in a context of worldwide data flows. Article 3 of the GDPR defines the territorial scope of the Regulation on the basis of two main criteria: the “establishment” criterion, as per Article 3(1), and the “targeting” criterion as per Article 3(2). Where one of these two criteria is met, the relevant provisions of the GDPR will apply to the processing of personal data by the controller or processor concerned. In addition, Article 3(3) confirms the application of the GDPR to the processing where Member State law applies by virtue of public international law. Through a common interpretation by data protection authorities in the EU, these guidelines seek to ensure a consistent application of the GDPR when assessing whether particular processing by a controller or a processor falls within the scope of the new EU legal framework. In these guidelines, the EDPB sets out and clarifies the criteria for determining the application of the territorial scope of the GDPR. Such a common interpretation is also essential for controllers and processors, both within and outside the EU, so that they may assess whether they need to comply with the GDPR.
As controllers or processors not established in the EU but engaging in processing activities falling within Article 3(2) are required to designate a representative in the Union, these guidelines will also provide clarification on the process for the designation of this representative under Article 27 and its responsibilities and obligations. As a general principle, the EDPB asserts that where the processing of personal data falls within the territorial scope of the GDPR, all provisions of the Regulation apply to such processing. These guidelines will however specify the various scenarios that may arise, depending on the type of processing activities, the entity carrying out these processing activities or the location of such entities, and will detail the provisions applicable to each situation. It is therefore essential that controllers and processors, especially those offering goods and services at international level, do undertake a careful and in concreto assessment of their processing activities, in order to determine whether the related processing of personal data falls under the scope of the GDPR.