New clarifications on territorial scope of GDPR: what should be taken into account by Ukrainian pharmaceutical companies and their offices

On 12 November 2019 the European Data Protection Board (EDPB) has released the fourth, updated version of the Guidelines 3/2018 on the territorial scope of the General Data Protection Regulation (GDPR), adopted after consultation with the public. As in previous editions, the emphasis is on the practical application of two criteria for the extension of the action of the GDPR to a controller or processor: an „establishment“ of a controller or processor in the EU and „targeting“ (the targeting of activities).

Establishment Criterion of Activities in the EU

In the context of an establishment of a controller or processor in the EU, it is recommended to use the three-step test:

1. The presence of an establishment in the EU, which equals the implementation of effective and real activity through stable arrangements, regardless of its legal form (subsidiary, office, branch). In particular, the stable presence of a single employee in the EU, if he performs his functions for a certain time and steadily, could be sufficient to consider that an entity has an establishment in the EU.

For example, a pharmaceutical company registered in Australia has a representative office in Berlin, that is involved in all activities, including the promotion of medicines in the EU.

2. The processing of personal data is carried out in the context of the activities of such an establishment. Most importantly, there are income-generating in the EU and the relationship of a controller or processor outside of the EU with its establishment in the EU. If an inextricable link is established between the processing of personal data of a controller or processor outside of the EU and acting for an EU-based customer, such a controller or processor will be subject to the GDPR.

For example, it is precisely by this criterion that the GDPR will not apply to a cosmetic company that operates through its website, available in different EU languages, if it does not have an office, representative office or other stable presence in the EU.

3. The processing of personal data is carried out in the context of the activities of such an establishment, regardless of whether the personal data itself is processed in the EU.

For example, personal data related to the clinical trials of a pharmaceutical company registered in France are processed in the Japanese subsidiary of such a company.

If these steps are applicable, then the GDPR applies to the appropriate controller or processor.

Targeting (the targeting of activities) of a controller or processor

In the absence of an establishment in the EU, the GDPR may apply to legal entities for ist extraterritorial action. In this case, the targeting criterion (the targeting of activities) of a controller or processor is applied.

The targeting of the activities is determined by two factors:

• Stay of personal data subjects in the EU (they do not have to be citizens of any of the EU member states).
• An offer to sell products, provide services or monitor the activities of such personal data entities.

To understand the targeting criteria applied to your company, you need to answer the following questions:

• Is it proposed the delivery of products, the provision of services to any of the EU member states?
• Is the website version available in EU languages?
• Is the address or telephone number mentioned on the website available from any of the EU member states?
• Is a top-level domain name from any of the EU or EU member states used for the site?
• Is there a payment for products / services in Euros or one of the EU currencies?
• Is any of the EU member states indicated along with the name of the product / service?
• Is there a payment for the search engine operator in order to facilitate access to the site for consumers in the EU?
• Are there any marketing activities, advertising campaigns aimed at consumers in the EU?
• Is the activity international in nature (e.g. tourism)?
• Are there any instructions on how best to get to the place of service in any of the EU member states (for example, to the hospital)?
• Are there any references to foreign customers from various EU member states or recommendations made by them on the site?

The consequences of non-compliance with the GDPR requirements for companies

The GDPR distinguishes 2 categories of administrative fines that EU supervisors can impose for violating the GDPR:

1. Up to 10 million Euros or, in the case of an enterprise, up to 2% of the total global annual turnover for the previous financial year, depending on how much is higher, for the following violations:

• on the conditions for the consent of a child on the sites in accordance with Article 8 of the GDPR;
• data processing, does not require identification according to Article 11 of the GDPR;
• general duties of a controller and processor, including violation of the principle of “data protection for its intended purpose and default”, the security of personal data in accordance with Articles 25-39 of the GDPR;
• certification in accordance with Article 42 of the GDPR;
• certification bodies in accordance with Article 43 of the GDPR.

2. Up to 20 million Euros or, in the case of an enterprise, up to 4% of the total global annual turnover for the previous financial year, depending on how much is higher, for the following violations:

• basic principles for the processing of personal data in accordance with Article 5 of the GDPR;
• the legality of the processing of personal data in accordance with Article 6 of the GDPR;
• conditions for granting consent in accordance with Article 7 of the GDPR;
• processing special categories of personal data in accordance with Article 9 of the GDPR;
• violation of the rights of data subjects in accordance with Articles 12-22 of the GDPR;
• violation of the procedure for the transfer of personal data to the recipient in a third country or international organization in accordance with Articles 44-49 of the GDPR;
• violation of any obligations in accordance with the law of a member state to expand the requirements of the GDPR;
• non-compliance with a regulation or a temporary or final restriction on the processing or suspension of data flows of the EU supervisory authority in accordance with Article 58 (2) of the GDPR or failure to provide access as a violation of Article 58 (1) of the GDPR.

For all questions about the need to implement the GDPR requirements for the activities of your company, please contact Oleksiy Bezhevets, a partner, bezhevets@l-a.com.ua.