Steptoe Cyberblog

European Data Protection Board Adopts Draft Guidelines on Territorial Scope of General Data Protection Regulation (GDPR)

Posted in Data Breach, European Union, International, Security Programs & Policies

The European Data Protection Board (EDPB) is an independent advisory body, established by the GDPR, that issues guidelines, recommendations, and best practices for the application of the GDPR.

At its Third Plenary on September 26, the EDPB adopted new draft guidelines on the GDPR’s territorial scope.

These guidelines should help provide a common interpretation of the broad territorial scope of the GDPR, often referred to as its long-arm jurisdiction, and further clarify how the GDPR applies to data controllers or processors established outside of the EU – for example, in the US – targeting individuals in the EU. The Guidelines will include guidance on the requirement to designate a representative in the EU. This is required unless the processing is carried out by a private entity or natural person and (i) is occasional, (ii) does not include, on a large scale, processing of special categories of data or data relating to criminal convictions and offences, and (iii) is unlikely to result in a risk to the rights and freedoms of natural persons.

The guidelines will be subject to public consultation via the EDPB’s consultation page.