European Data Protection Board publishes important guidelines on territoriality and Data Protection by Design and Default

Guidelines on territorial scope of the GDPR

On 12 November 2019, the European Data Protection Board (“EDPB”) published its revised “Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)”. In its Guidelines, the EDPB clarifies the territorial scope of the GDPR. The revised Guidelines are published further to a public consultation that took place in the beginning of this year. This long process shows not only the importance of the subject matter but also its complexity in the context of worldwide data flows.

Article 3 of the GDPR represents an important evolution of the EU data protection law compared to Directive 95/46/EC, its predecessor. It reflects the intention of the EU legislator to ensure a comprehensive protection of the rights of data subjects located in the EU. It also establishes a level playing field in terms of data protection requirement for companies active on the EU markets wherever they are located. The Guidelines aim to ensure a consistent application of the Regulation when assessing whether particular processing by a controller or a processor falls within the territorial scope of the new EU legal framework.

The final version of the Guidelines provide useful clarifications for service providers located outside the EU but providing services to companies located in the EU as well as for companies located in the EU acting as representative of companies located outside the EU.

The revised Guidelines on territoriality can be consulted here.

Guidelines on Data Protection by Design and Default

On 20 November 2019, the EDPB further published the first draft “Guidelines 4/2019 on Article 25 Data Protection by Design and by Default”. The principles of Data Protection by Design and Default (DPbDD) requires controllers to implement (and demonstrate) appropriate technical and organisational measures and necessary safeguards, designed to implement data protection principles in an effective manner and to protect the rights and freedoms of data subjects.

These Guidelines are now open for public consultation and feedback until 16 January 2020, after which they will be finalised by the EDPB.

The new Guidelines on DPbDD can be consulted here.