Full Translation of the EDPB Guidelines on the Territorial Scope of Article 3 GDPR (2019 version)
On 12 November 2019, the European Data Protection Board (EDPB) published its final guidelines on the extraterritorial scope of the General Data Protection Regulation (GDPR).
The territorial scope of the GDPR is determined by Article 3 of the Regulation, which represents a significant change in EU data protection law compared with the framework defined by Directive 95/46/EC. Article 3 GDPR reflects the legislator's intention to ensure comprehensive legal protection for data subjects in the EU and, in a context of worldwide data flows, to establish a level playing field in terms of data protection requirements for companies active on the EU market.
The GDPR matters to Chinese enterprises whose business touches the territory of EU Member States and their citizens: for compliant operation, for avoiding heavy fines, and for China's data-related research. This article presents a full translation of the Guidelines on the territorial scope of Article 3 GDPR; the text of the Guidelines follows.
The European Data Protection Board
Having regard to Article 70 (1)(e) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
HAS ADOPTED THE FOLLOWING GUIDELINES:
INTRODUCTION
The territorial scope of General Data Protection Regulation (the GDPR or the Regulation) is determined by Article 3 of the Regulation and represents a significant evolution of the EU data protection law compared to the framework defined by Directive 95/46/EC[2]. In part, the GDPR confirms choices made by the EU legislator and the Court of Justice of the European Union (CJEU) in the context of Directive 95/46/EC. However, important new elements have been introduced. Most importantly, the main objective of Article 4 of the Directive was to define which Member State’s national law is applicable, whereas Article 3 of the GDPR defines the territorial scope of a directly applicable text. Moreover, while Article 4 of the Directive made reference to the ‘use of equipment’ in the Union’s territory as a basis for bringing controllers who were “not established on Community territory” within the scope of EU data protection law, such a reference does not appear in Article 3 of the GDPR.
Article 3 of the GDPR reflects the legislator’s intention to ensure comprehensive protection of the rights of data subjects in the EU and to establish, in terms of data protection requirement, a level playing field for companies active on the EU markets, in a context of worldwide data flows.
Article 3 of the GDPR defines the territorial scope of the Regulation on the basis of two main criteria: the “establishment” criterion, as per Article 3(1), and the “targeting” criterion as per Article 3(2). Where one of these two criteria is met, the relevant provisions of the GDPR will apply to relevant processing of personal data by the controller or processor concerned. In addition, Article 3(3) confirms the application of the GDPR to the processing where Member State law applies by virtue of public international law.
Through a common interpretation by data protection authorities in the EU, these guidelines seek to ensure a consistent application of the GDPR when assessing whether particular processing by a controller or a processor falls within the scope of the new EU legal framework. In these guidelines, the EDPB sets out and clarifies the criteria for determining the application of the territorial scope of the GDPR. Such a common interpretation is also essential for controllers and processors, both within and outside the EU, so that they may assess whether they need to comply with the GDPR for a given processing activity.
As controllers or processors not established in the EU but engaging in processing activities falling within Article 3(2) are required to designate a representative in the Union, these guidelines will also provide clarification on the process for the designation of this representative under Article 27 and its responsibilities and obligations.
As a general principle, the EDPB asserts that where the processing of personal data falls within the territorial scope of the GDPR, all provisions of the Regulation apply to such processing. These guidelines will specify the various scenarios that may arise, depending on the type of processing activities, the entity carrying out these processing activities or the location of such entities, and will detail the provisions applicable to each situation. It is therefore essential that controllers and processors, especially those offering goods and services at international level, undertake a careful and in concreto assessment of their processing activities, in order to determine whether the related processing of personal data falls under the scope of the GDPR.
The EDPB underlines that the application of Article 3 aims at determining whether a particular processing activity, rather than a person (legal or natural), falls within the scope of the GDPR. Consequently, certain processing of personal data by a controller or processor might fall within the scope of the Regulation, while other processing of personal data by that same controller or processor might not, depending on the processing activity.
These guidelines, initially adopted by the EDPB on 16 November 2018, have been submitted to a public consultation from 23 November 2018 to 18 January 2019 and have been updated taking into account the contributions and feedback received.
1 APPLICATION OF THE ESTABLISHMENT CRITERION - ART 3(1)
Article 3(1) of the GDPR provides that the “Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
Article 3(1) GDPR makes reference not only to an establishment of a controller, but also to an establishment of a processor. As a result, the processing of personal data by a processor may also be subject to EU law by virtue of the processor having an establishment located within the EU.
Article 3(1) ensures that the GDPR applies to the processing by a controller or processor carried out in the context of the activities of an establishment of that controller or processor in the Union, regardless of the actual place of the processing. The EDPB therefore recommends a threefold approach in determining whether or not the processing of personal data falls within the scope of the GDPR pursuant to Article 3(1).
The following sections clarify the application of the establishment criterion, first by considering the definition of an ‘establishment’ in the EU within the meaning of EU data protection law, second by looking at what is meant by ‘processing in the context of the activities of an establishment in the Union’, and lastly by confirming that the GDPR will apply regardless of whether the processing carried out in the context of the activities of this establishment takes place in the Union or not.
a) “An establishment in the Union”
Before considering what is meant by “an establishment in the Union” it is first necessary to identify who is the controller or processor for a given processing activity. According to the definition in Article 4(7) of the GDPR, controller means “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. A processor, according to Article 4(8) of the GDPR, is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. As established by relevant CJEU case law and previous WP29 opinion, the determination of whether an entity is a controller or processor for the purposes of EU data protection law is a key element in the assessment of the application of the GDPR to the personal data processing in question.
While the notion of “main establishment” is defined in Article 4(16), the GDPR does not provide a definition of “establishment” for the purpose of Article 3[4]. However, Recital 22[5] clarifies that an “[e]stablishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.”
This wording is identical to that found in Recital 19 of Directive 95/46/EC, to which reference has been made in several CJEU rulings broadening the interpretation of the term “establishment”, departing from a formalistic approach whereby undertakings are established solely in the place where they are registered. Indeed, the CJEU ruled that the notion of establishment extends to any real and effective activity, even a minimal one, exercised through stable arrangements. In order to determine whether an entity based outside the Union has an establishment in a Member State, both the degree of stability of the arrangements and the effective exercise of activities in that Member State must be considered in the light of the specific nature of the economic activities and the provision of services concerned. This is particularly true for undertakings offering services exclusively over the Internet.
The threshold for “stable arrangement” can actually be quite low when the centre of activities of a controller concerns the provision of services online. As a result, in some circumstances, the presence of one single employee or agent of a non-EU entity in the Union may be sufficient to constitute a stable arrangement (amounting to an ‘establishment’ for the purposes of Art 3(1)) if that employee or agent acts with a sufficient degree of stability. Conversely, when an employee is based in the EU but the processing is not being carried out in the context of the activities of the EU-based employee in the Union (i.e. the processing relates to activities of the controller outside the EU), the mere presence of an employee in the EU will not result in that processing falling within the scope of the GDPR. In other words, the mere presence of an employee in the EU is not as such sufficient to trigger the application of the GDPR, since for the processing in question to fall within the scope of the GDPR, it must also be carried out in the context of the activities of the EU-based employee.
The fact that the non-EU entity responsible for the data processing does not have a branch or subsidiary in a Member State does not preclude it from having an establishment there within the meaning of EU data protection law. Although the notion of establishment is broad, it is not without limits. It is not possible to conclude that the non-EU entity has an establishment in the Union merely because the undertaking’s website is accessible in the Union.
Example 1: A car manufacturing company with headquarters in the US has a fully-owned branch office located in Brussels overseeing all its operations in Europe, including marketing and advertisement. The Belgian branch can be considered to be a stable arrangement, which exercises real and effective activities in light of the nature of the economic activity carried out by the car manufacturing company. As such, the Belgian branch could therefore be considered as an establishment in the Union, within the meaning of the GDPR.
Once it is concluded that a controller or processor is established in the EU, an in concreto analysis should then follow to determine whether the processing in question is carried out in the context of the activities of this establishment, in order to determine whether Article 3(1) applies. If a controller or processor established outside the Union exercises “a real and effective activity - even a minimal one” - through “stable arrangements”, regardless of its legal form (e.g. subsidiary, branch, office…), in the territory of a Member State, this controller or processor can be considered to have an establishment in that Member State[11]. It is therefore important to consider whether the processing of personal data takes place “in the context of the activities of” such an establishment as highlighted in Recital 22.
b) Processing of personal data carried out “in the context of the activities of” an establishment
Article 3(1) confirms that it is not necessary that the processing in question is carried out “by” the relevant EU establishment itself; the controller or processor will be subject to obligations under the GDPR whenever the processing is carried out “in the context of the activities” of its relevant establishment in the Union. The EDPB recommends that determining whether processing is being carried out in the context of an establishment of the controller or processor in the Union for the purposes of Article 3(1) should be carried out on a case-by-case basis and based on an analysis in concreto. Each scenario must be assessed on its own merits, taking into account the specific facts of the case.
The EDPB considers that, for the purpose of Article 3(1), the meaning of “processing in the context of the activities of an establishment of a controller or a processor” is to be understood in light of the relevant case law. On the one hand, with a view to fulfilling the objective of ensuring effective and complete protection, the meaning of “in the context of the activities of an establishment” cannot be interpreted restrictively[12]. On the other hand, the existence of an establishment within the meaning of the GDPR should not be interpreted too broadly to conclude that the existence of any presence in the EU with even the remotest links to the data processing activities of a non-EU entity will be sufficient to bring this processing within the scope of EU data protection law. Some commercial activity carried out by a non-EU entity within a Member State may indeed be so far removed from the processing of personal data by this entity that the existence of the commercial activity in the EU would not be sufficient to bring the data processing by the non-EU entity within the scope of EU data protection law.
Consideration of the following two factors may help to determine whether the processing is being carried out by a controller or processor in the context of its establishment in the Union:
i) Relationship between a data controller or processor outside the Union and its local establishment in the Union
The data processing activities of a data controller or processor established outside the EU may be inextricably linked to the activities of a local establishment in a Member State, and thereby may trigger the applicability of EU law, even if that local establishment is not actually taking any role in the data processing itself.[8] If a case by case analysis on the facts shows that there is an inextricable link between the processing of personal data carried out by a non-EU controller or processor and the activities of an EU establishment, EU law will apply to that processing by the non-EU entity, whether or not the EU establishment plays a role in that processing of data.[9]
ii) Revenue raising in the Union
Revenue-raising in the EU by a local establishment, to the extent that such activities can be considered as “inextricably linked” to the processing of personal data taking place outside the EU and individuals in the EU, may be indicative of processing by a non-EU controller or processor being carried out “in the context of the activities of the EU establishment”, and may be sufficient to result in the application of EU law to such processing.[10]
The EDPB recommends that non-EU organisations undertake an assessment of their processing activities, first by determining whether personal data are being processed, and secondly by identifying potential links between the activity for which the data is being processed and the activities of any presence of the organisation in the Union. If such a link is identified, the nature of this link will be key in determining whether the GDPR applies to the processing in question, and must be assessed inter alia against the two elements listed above.
Example 2: An e-commerce website is operated by a company based in China. The personal data processing activities of the company are exclusively carried out in China. The Chinese company has established a European office in Berlin in order to lead and implement commercial prospection and marketing campaigns towards EU markets. In this case, it can be considered that the activities of the European office in Berlin are inextricably linked to the processing of personal data carried out by the Chinese e-commerce website, insofar as the commercial prospection and marketing campaign towards EU markets notably serve to make the service offered by the e-commerce website profitable. The processing of personal data by the Chinese company in relation to EU sales is indeed inextricably linked to the activities of the European office in Berlin relating to commercial prospection and marketing campaign towards EU market. The processing of personal data by the Chinese company in connection with EU sales can therefore be considered as carried out in the context of the activities of the European office, as an establishment in the Union. This processing activity by the Chinese company will therefore be subject to the provisions of the GDPR as per its Article 3(1).
Example 3: A hotel and resort chain in South Africa offers package deals through its website, available in English, German, French and Spanish. The company does not have any office, representation or stable arrangement in the EU. In this case, in the absence of any representation or stable arrangement of the hotel and resort chain within the territory of the Union, it appears that no entity linked to this data controller in South Africa can qualify as an establishment in the EU within the meaning of the GDPR. Therefore the processing at stake cannot be subject to the provisions of the GDPR, as per Article 3(1). However, it must be analysed in concreto whether the processing carried out by this data controller established outside the EU can be subject to the GDPR, as per Article 3(2).
c) Application of the GDPR to the establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not
As per Article 3(1), the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union triggers the application of the GDPR and the related obligations for the data controller or processor concerned. The text of the GDPR specifies that the Regulation applies to processing in the context of the activities of an establishment in the EU “regardless of whether the processing takes place in the Union or not”. It is the presence, through an establishment, of a data controller or processor in the EU and the fact that a processing takes place in the context of the activities of this establishment that trigger the application of the GDPR to its processing activities. The place of processing is therefore not relevant in determining whether or not the processing, carried out in the context of the activities of an EU establishment, falls within the scope of the GDPR.
Example 4: A French company has developed a car-sharing application exclusively addressed to customers in Morocco, Algeria and Tunisia. The service is only available in those three countries but all personal data processing activities are carried out by the data controller in France. While the collection of personal data takes place in non-EU countries, the subsequent processing of personal data in this case is carried out in the context of the activities of an establishment of a data controller in the Union. Therefore, even though processing relates to personal data of data subjects who are not in the Union, the provisions of the GDPR will apply to the processing carried out by the French company, as per Article 3(1).
Example 5: A pharmaceutical company with headquarters in Stockholm has located all its personal data processing activities with regards to its clinical trial data in its branch based in Singapore. In this case, while the processing activities are taking place in Singapore, that processing is carried out in the context of the activities of the pharmaceutical company in Stockholm i.e. of a data controller established in the Union. The provisions of the GDPR therefore apply to such processing, as per Article 3(1).
In determining the territorial scope of the GDPR, geographical location will be important under Article 3(1) with regard to the place of establishment of:
- the controller or processor itself (is it established inside or outside the Union?);
- any business presence of a non-EU controller or processor (does it have an establishment in the Union?).
However, geographical location is not important for the purposes of Article 3(1) with regard to the place in which processing is carried out, or with regard to the location of the data subjects in question.
The text of Article 3(1) does not restrict the application of the GDPR to the processing of personal data of individuals who are in the Union. The EDPB therefore considers that any personal data processing in the context of the activities of an establishment of a controller or processor in the Union would fall under the scope of the GDPR, regardless of the location or the nationality of the data subject whose personal data are being processed. This approach is supported by Recital 14 of the GDPR which states that “[t]he protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.”
d) Application of the establishment criterion to controller and processor | d)数据控制者和处理者实体标准的应用 |
As far as processing activities falling under the scope of Article 3(1) are concerned, the EDPB considers that such provisions apply to controllers and processors whose processing activities are carried out in the context of the activities of their respective establishment in the EU. While acknowledging that the requirements for establishing the relationship between a controller and a processor[11] does not vary depending on the geographical location of the establishment of a controller or processor, the EDPB takes the view that when it comes to the identification of the different obligations triggered by the applicability of the GDPR as per Article 3(1), the processing by each entity must be considered separately. | 就属于第 3 条第(1)款范围的处理活动而言,EDPB认为此类规定适用于其数据处理活动是属于控制者和处理者在各自欧盟境内实体的营业活动范围的情形。虽然在控制者和处理者之间建立关系的条件与数据控制者或处理者实体的地理位置并无关系,但EDPB认为,当根据GDPR第3条第(1)款判断实体的不同义务时,须对每个实体所进行的数据处理单独分析。 |
The GDPR envisages different and dedicated provisions or obligations applying to data controllers and processors, and as such, should a data controller or processor be subject to the GDPR as per Article 3(1), the related obligations would apply to them respectively and separately. In this context, the EDPB notably deems that a processor in the EU should not be considered to be an establishment of a data controller within the meaning of Article 3(1) merely by virtue of its status as processor on behalf of a controller. | GDPR为数据控制者和处理者规定了不同和专门的规定或义务,因此,如果数据控制者或处理者根据第3条第(1)款须受GDPR的规制时,则将分别负担不同的义务。在这方面,EDPB明确认为,欧盟境内的数据处理者不应仅凭借其代数据控制者的进行处理而被认为是第3条第(1)款意义上的数据控制者的实体。 |
The existence of a relationship between a controller and a processor does not necessarily trigger the application of the GDPR to both, should one of these two entities not be established in the Union. | 如果数据控制者和数据处理者中有一个不是在欧盟境内设立的,那么两者之间关系的存在不必然导致GDPR对两者都适用。 |
An organisation processing personal data on behalf of, and on instructions from, another organisation (the client company) will be acting as processor for the client company (the controller). Where a processor is established in the Union, it will be required to comply with the obligations imposed on processors by the GDPR (the ‘GDPR processor obligations’). If the controller instructing the processor is also located in the Union, that controller will be required to comply with the obligations imposed on controllers by the GDPR (the ‘GDPR controller obligations’). Processing activity which, when carried out by a controller, falls within the scope of the GDPR by virtue of Art 3(1) will not fall outside the scope of the Regulation simply because the controller instructs a processor not established in the Union to carry out that processing on its behalf. | 一个组织若依另一个组织(客户公司)的指示代表其处理个人数据,则该组织将被认定为是客户公司(数据控制者)的处理者。如果处理者设立在欧盟境内,则该处理者须遵守GDPR对处理者规定的义务(“ GDPR数据处理者义务”)。如果向数据处理者下达指令的数据控制者也位于欧盟,则该数据控制者必须遵守GDPR规定的数据控制者的义务(“ GDPR控制者义务”)。数据控制者进行的数据处理活动符合GDPR第3条第(1)款的规定时,该处理活动将不会仅因为数据控制者指示的代其处理个人数据的处理者位于欧盟境外而逃脱GDPR的规制。
|
i) Processing by a controller established in the EU instructing a processor not established in the Union
Where a controller subject to GDPR chooses to use a processor located outside the Union for a given processing activity, it will still be necessary for the controller to ensure by contract or other legal act that the processor processes the data in accordance with the GDPR. Article 28(3) provides that the processing by a processor shall be governed by a contract or other legal act. The controller will therefore need to ensure that it puts in place a contract with the processor addressing all the requirements set out in Article 28(3). In addition, it is likely that, in order to ensure that it has complied with its obligations under Article 28(1) – to use only a processor providing sufficient guarantees to implement measures in such a manner that processing will meet the requirements of the Regulation and protect the rights of data subjects – the controller may need to consider imposing, by contract, the obligations placed by the GDPR on processors subject to it. That is to say, the controller would have to ensure that the processor not subject to the GDPR complies with the obligations, governed by a contract or other legal act under Union or Member State law, referred to in Article 28(3).
The processor located outside the Union will therefore become indirectly subject to some obligations imposed by controllers subject to the GDPR by virtue of contractual arrangements under Article 28. Moreover, provisions of Chapter V of the GDPR may apply.
Example 6: A Finnish research institute conducts research regarding the Sami people. The institute launches a project that only concerns Sami people in Russia. For this project the institute uses a processor based in Canada. The Finnish controller has a duty to only use processors that provide sufficient guarantees to implement appropriate measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of data subjects’ rights. The Finnish controller needs to enter into a data processing agreement with the Canadian processor, and the processor’s duties will be stipulated in that legal act.
ii) Processing in the context of the activities of an establishment of a processor in the Union
Whilst case law provides us with a clear understanding of the effect of processing being carried out in the context of the activities of an EU establishment of the controller, the effect of processing being carried out in the context of the activities of an EU establishment of a processor is less clear.
The EDPB emphasises that it is important to consider the establishment of the controller and processor separately when determining whether each party is of itself ‘established in the Union’.
The first question is whether the controller itself has an establishment in the Union, and is processing in the context of the activities of that establishment. Assuming the controller is not considered to be processing in the context of its own establishment in the Union, that controller will not be subject to GDPR controller obligations by virtue of Article 3(1) (although it may still be caught by Article 3(2)). Unless other factors are at play, the processor’s EU establishment will not be considered to be an establishment in respect of the controller.
The separate question then arises of whether the processor is processing in the context of its establishment in the Union. If so, the processor will be subject to GDPR processor obligations under Article 3(1). However, this does not cause the non-EU controller to become subject to the GDPR controller obligations. That is to say, a “non-EU” controller (as described above) will not become subject to the GDPR simply because it chooses to use a processor in the Union.
By instructing a processor in the Union, the controller not subject to GDPR is not carrying out processing “in the context of the activities of the processor in the Union”. The processing is carried out in the context of the controller’s own activities; the processor is merely providing a processing service which is not “inextricably linked” to the activities of the controller. As stated above, in the case of a data processor established in the Union and carrying out processing on behalf of a data controller established outside the Union and not subject to the GDPR as per Article 3(2), the EDPB considers that the processing activities of the data controller would not be deemed as falling under the territorial scope of the GDPR merely because it is processed on its behalf by a processor established in the Union. However, even though the data controller is not established in the Union and is not subject to the provisions of the GDPR as per Article 3(2), the data processor, as it is established in the Union, will be subject to the relevant provisions of the GDPR as per Article 3(1).
Example 7: A Mexican retail company enters into a contract with a processor established in Spain for the processing of personal data relating to the Mexican company’s clients. The Mexican company offers and directs its services exclusively to the Mexican market and its processing concerns exclusively data subjects located outside the Union. In this case, the Mexican retail company does not target persons on the territory of the Union through the offering of goods or services, nor does it monitor the behaviour of persons on the territory of the Union. The processing by the data controller, established outside the Union, is therefore not subject to the GDPR as per Article 3(2). The provisions of the GDPR do not apply to the data controller by virtue of Art 3(1) as it is not processing personal data in the context of the activities of an establishment in the Union. The data processor is established in Spain and therefore its processing will fall within the scope of the GDPR by virtue of Art 3(1). The processor will be required to comply with the processor obligations imposed by the regulation for any processing carried out in the context of its activities.
When it comes to a data processor established in the Union carrying out processing on behalf of a data controller with no establishment in the Union for the purposes of the processing activity and which does not fall under the territorial scope of the GDPR as per Article 3(2), the processor will be subject to the following relevant GDPR provisions directly applicable to data processors:
- The obligations imposed on processors under Article 28(2), (3), (4), (5) and (6), on the duty to enter into a data processing agreement, with the exception of those relating to the assistance to the data controller in complying with its (the controller’s) own obligations under the GDPR.
- The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law, as per Article 29 and Article 32(4).
- Where applicable, the processor shall maintain a record of all categories of processing carried out on behalf of a controller, as per Article 30(2).
- Where applicable, the processor shall, upon request, cooperate with the supervisory authority in the performance of its tasks, as per Article 31.
- The processor shall implement technical and organisational measures to ensure a level of security appropriate to the risk, as per Article 32.
- The processor shall notify the controller without undue delay after becoming aware of a personal data breach, as per Article 33.
- Where applicable, the processor shall designate a data protection officer as per Articles 37 and 38.
- The provisions on transfers of personal data to third countries or international organisations, as per Chapter V.
In addition, since such processing would be carried out in the context of the activities of an establishment of a processor in the Union, the EDPB recalls that the processor will have to ensure its processing remains lawful with regards to other obligations under EU or national law. Article 28(3) also specifies that “the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.”
In line with the positions taken previously by the Article 29 Working Party, the EDPB takes the view that the Union territory cannot be used as a “data haven”, for instance when a processing activity entails inadmissible ethical issues, and that certain legal obligations beyond the application of EU data protection law, in particular European and national rules with regard to public order, will in any case have to be respected by any data processor established in the Union, regardless of the location of the data controller.
This consideration also takes into account the fact that by implementing EU law, provisions resulting from the GDPR and related national laws are subject to the Charter of Fundamental Rights of the Union.
However, this does not impose additional obligations on controllers outside the Union in respect of processing not falling under the territorial scope of the GDPR.
2 APPLICATION OF THE TARGETING CRITERION – ART 3(2)
The absence of an establishment in the Union does not necessarily mean that processing activities by a data controller or processor established in a third country will be excluded from the scope of the GDPR, since Article 3(2) sets out the circumstances in which the GDPR applies to a controller or processor not established in the Union, depending on their processing activities.
In this context, the EDPB confirms that in the absence of an establishment in the Union, a controller or processor cannot benefit from the one-stop shop mechanism provided for in Article 56 of the GDPR. Indeed, the GDPR’s cooperation and consistency mechanism only applies to controllers and processors with an establishment, or establishments, within the European Union.
While the present guidelines aim to clarify the territorial scope of the GDPR, the EDPB also wishes to stress that controllers and processors will also need to take into account other applicable texts, such as for instance EU or Member States’ sectorial legislation and national laws.
Several provisions of the GDPR indeed allow Member States to introduce additional conditions and to define a specific data protection framework at national level in certain areas or in relation to specific processing situations.
Controllers and processors must therefore ensure that they are aware of, and comply with, these additional conditions and frameworks which may vary from one Member State to the other.
Such variations in the data protection provisions applicable in each Member State are particularly notable in relation to the provisions of Article 8 (providing that the age at which children may give valid consent in relation to the processing of their data by information society services may vary between 13 and 16), of Article 9 (in relation to the processing of special categories of data), Article 23 (restrictions) or concerning the provisions contained in Chapter IX of the GDPR (freedom of expression and information; public access to official documents; national identification number; employment context; processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; secrecy; churches and religious associations).
Article 3(2) of the GDPR provides that “this Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
The application of the “targeting criterion” towards data subjects who are in the Union, as per Article 3(2), can be triggered by processing activities carried out by a controller or processor not established in the Union which relate to two distinct and alternative types of activities, provided that these processing activities relate to data subjects that are in the Union.
In addition to being applicable only to processing by a controller or processor not established in the Union, the targeting criterion largely focuses on what the “processing activities” are “related to”, which is to be considered on a case-by-case basis.
The EDPB stresses that a controller or processor may be subject to the GDPR in relation to some of its processing activities but not subject to the GDPR in relation to other processing activities.
The determining element to the territorial application of the GDPR as per Article 3(2) lies in the consideration of the processing activities in question.
In assessing the conditions for the application of the targeting criterion, the EDPB therefore recommends a twofold approach, in order to determine first that the processing relates to personal data of data subjects who are in the Union, and second whether processing relates to the offering of goods or services or to the monitoring of data subjects’ behaviour in the Union.
a) Data subjects in the Union
The wording of Article 3(2) refers to “personal data of data subjects who are in the Union”.
The application of the targeting criterion is therefore not limited by the citizenship, residence or other type of legal status of the data subject whose personal data are being processed.
Recital 14 confirms this interpretation and states that “[t]he protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data”.
This provision of the GDPR reflects EU primary law which also lays down a broad scope for the protection of personal data, not limited to EU citizens, with Article 8 of the Charter of Fundamental Rights providing that the right to the protection of personal data is not limited but is for “everyone”.
While the location of the data subject in the territory of the Union is a determining factor for the application of the targeting criterion as per Article 3(2), the EDPB considers that the nationality or legal status of a data subject who is in the Union cannot limit or restrict the territorial scope of the Regulation.
The requirement that the data subject be located in the Union must be assessed at the moment when the relevant trigger activity takes place, i.e. at the moment of offering of goods or services or the moment when the behaviour is being monitored, regardless of the duration of the offer made or monitoring undertaken.
The EDPB considers however that, in relation to processing activities related to the offer of services, the provision is aimed at activities that intentionally, rather than inadvertently or incidentally, target individuals in the EU.
Consequently, if the processing relates to a service that is only offered to individuals outside the EU but the service is not withdrawn when such individuals enter the EU, the related processing will not be subject to the GDPR.
In this case the processing is not related to the intentional targeting of individuals in the EU but relates to the targeting of individuals outside the EU which will continue whether they remain outside the EU or whether they visit the Union.
Example 8: An Australian company offers a mobile news and video content service, based on users’ preferences and interests. Users can receive daily or weekly updates. The service is offered exclusively to users located in Australia, who must provide an Australian phone number when subscribing. An Australian subscriber of the service travels to Germany on holiday and continues using the service. Although the Australian subscriber will be using the service while in the EU, the service is not ‘targeting’ individuals in the Union, but targets only individuals in Australia, and so the processing of personal data by the Australian company does not fall within the scope of the GDPR.
Example 9: A start-up established in the USA, without any business presence or establishment in the EU, provides a city-mapping application for tourists. The application processes personal data concerning the location of customers using the app (the data subjects) once they start using the application in the city they visit, in order to offer targeted advertisement for places to visit, restaurants, bars and hotels. The application is available for tourists while they visit New York, San Francisco, Toronto, Paris and Rome.
The US start-up, via its city mapping application, is specifically targeting individuals in the Union (namely in Paris and Rome) through offering its services to them when they are in the Union. The processing of the EU-located data subjects’ personal data in connection with the offering of the service falls within the scope of the GDPR as per Article 3(2)a. Furthermore, by processing data subjects’ location data in order to offer targeted advertisement on the basis of their location, the processing activities also relate to the monitoring of behaviour of individuals in the Union. The US start-up processing therefore also falls within the scope of the GDPR as per Article 3(2)b.
The EDPB also wishes to underline that the fact of processing personal data of an individual in the Union alone is not sufficient to trigger the application of the GDPR to processing activities of a controller or processor not established in the Union. The element of "targeting" individuals in the EU, either by offering goods or services to them or by monitoring their behaviour (as further clarified below), must always be present in addition.
Example 10: A U.S. citizen is travelling through Europe during his holidays. While in Europe, he downloads and uses a news app that is offered by a U.S. company. The app is exclusively directed at the U.S. market, evident by the app terms of use and the indication of US Dollar as the sole currency available for payment. The collection of the U.S. tourist's personal data via the app by the U.S. company is not subject to the GDPR. Moreover, it should be noted that the processing of personal data of EU citizens or residents that takes place in a third country does not trigger the application of the GDPR, as long as the processing is not related to a specific offer directed at individuals in the EU or to a monitoring of their behaviour in the Union.
Example 11: A bank in Taiwan has customers that are residing in Taiwan but hold German citizenship. The bank is active only in Taiwan; its activities are not directed at the EU market. The bank's processing of the personal data of its German customers is not subject to the GDPR.
Example 12: The Canadian immigration authority processes personal data of EU citizens when entering the Canadian territory for the purpose of examining their visa application. This processing is not subject to the GDPR.
b) Offering of goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the Union
The first activity triggering the application of Article 3(2) is the “offering of goods or services”, a concept which has been further addressed by EU law and case law, which should be taken into account when applying the targeting criterion. The offering of services also includes the offering of information society services, defined in point (b) of Article 1(1) of Directive (EU) 2015/1535[12]as “any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. | 触发GDPR第3条第(2)款适用的第一个行为是“提供产品或服务”,欧盟法律和判例对此作出了进一步阐释,在理解时应当参照上述说明的相关要求。提供服务也包括提供信息社会服务,在(欧盟)2015/1535号指令第1(1)条第(b)点将信息社会服务定义为“任何信息社会服务,也就是说,通常应服务接受者的个别要求,以电子方式远距离提供报酬的任何服务”。
|
Article3(2)(a) specifies that the targeting criterion concerning the offering of goods or services applies irrespective of whether a payment by the data subject is required. Whether the activity of a controller or processor not established in the Union is to be considered as an offer of a good or a service is not therefore dependent whether payment is made in exchange for the goods or services provided[13]. | GDPR 第3条第(2)款(a)项规定,不论是否需要数据主体付款,关于提供货物或服务的目标指向标准均适用。因此,非在本欧盟境内设立的控制者或处理者的活动是否应被视为提供货物或服务并不取决于是否付款以换取所提供的产品或服务。
|
Example 13: A US company, without any establishment in the EU, processes personal data of its employees that were on a temporary business trip to France, Belgium and the Netherlands for human resources purposes, in particular to proceed with the reimbursement of their accommodation expenses and the payment of their daily allowance, which vary depending on the country they are in.
| 例13:一家在欧盟境内没有实体的美国公司处理临时出差到法国、比利时和荷兰的员工的个人资料,具体目的是报销他们的住宿费用和支付每日津贴,不同国家的报销额不同。 |
In this situation, while the processing activity is specifically connected to persons on the territory of the Union (i.e. employees who are temporarily in France, Belgium and the Netherlands) it does not relate to an offer of a service to those individuals, but rather is part of the processing necessary for the employer to fulfil its contractual obligation and human resources duties related to the individual’s employment. The processing activity does not relate to an offer of service and is therefore not subject to the provision of the GDPR as per Article 3(2)a. | 在这种情况下,虽然处理活动与欧盟境内的人员(即临时在法国,比利时和荷兰出差的员工)有特殊关系,但是它并不涉及向这些个人提供服务,而是雇主履行其合同义务和与个人就业有关的人力资源职责所必需的处理行为。这处理行为不涉及服务的提供务,因此不因第3条第(2)款(a)项而受GDPR的约束。
|
Another key element to be assessed in determining whether the Article 3(2)(a) targeting criterion can be met is whether the offer of goods or services is directed at a person in the Union, or in other words, whether the conduct on the part of the controller, which determines the means and purposes of processing, demonstrates its intention to offer goods or a services to a data subject located in the Union. Recital 23 of the GDPR indeed clarifies that “in order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.” | 在确定能否满足第3条第(2)款(a)项的目标指向标准时,另一个需要评估的关键因素是货物或服务的提供是否针对欧盟境内的人,即控制者的处理目的和方式是否表明其向欧盟的数据主体提供产品或服务的意图。GDPR序言第23条明确阐释了“为了确定此类控制者或处理者是否向欧盟境内的数据主体提供商品或服务,应确定控制者或处理者是否明显想向欧盟内一个或多个成员国的数据主体提供服务。”
|
The recital further specifies that “whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.” | 序言进一步规定:“鉴于仅仅访问或联系控制者、处理者或者中间人的在欧盟的网站、电子邮件地址或者其联系方式或者使用控制者设有营业场所的第三国通常使用的语言,并不足以确定这样的动机,其他因素,诸如使用通常在一个或多个成员国内使用的语言或者货币并且可能以该其他语言订购商品或者服务,或者提及欧盟境内的客户或用户,可以明确反映控制者试图向欧盟境内的数据主体提供商品或者服务”。 |
The elements listed in Recital 23 echo and are in line with the CJEU case law based on Council Regulation 44/2001on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters, and in particular its Article 15(1)(c). In Pammer v Reederei Karl Schlüter GmbH & Co and Hotel Alpenhof v Heller (Joined cases C-585/08 and C-144/09), the Court was asked to clarify what it means to “direct activity” within the meaning of Article 15(1)(c) of Regulation 44/2001 (Brussels I). The CJEU held that, in order to determine whether a trader can be considered to be “directing” its activity to the Member State of the consumer’s domicile, within the meaning of Article 15(1)(c) of Brussels I, the trader must have manifested its intention to establish commercial relations with such consumers. In this context, the CJEU considered evidence able to demonstrate that the trader was envisaging doing business with consumers domiciled in a Member State. | 序言第23条所列的要素呼应并符合欧盟关于民商事管辖权和判决的承认与执行第44/2001号条例判例法的相关规定,特别是关于第15条第(1)款(c)项的规定。在Pammer v. Reedere Karl Schlüter GmbH&Co和Hotel Alpenhof v. Heller(C-585 / 08和C-144 / 09)中,法院被要求解释欧盟第44/2001号条例第15条第(1)款(c)项所指的“指向性活动”的含义。欧盟法院认为,在第15条第(1)款(c)项的语境下,为了确定交易者是否 “直接”将其活动“指向”消费者住所的成员国的含义内,该交易者必须表明其与这些消费者建立商业关系的意图。在本案中,欧洲法院认为有证据表明该交易者想要与成员国内的消费者开展业务。
|
While the notion of “directing an activity” differs from the “offering of goods or services”, the EDPB deems this case law in in Pammer v Reederei Karl Schlüter GmbH & Co and Hotel Alpenhof v Heller (Joined cases C-585/08 and C-144/09) might be of assistance when considering whether goods or services are offered to a data subject in the Union. When taking into account the specific facts of the case, the following factors could therefore inter alia be taken into consideration, possibly in combination with one another: | 尽管“指向性活动”的概念不同于“提供商品或服务”,但EDPB认为Pammer v Reederei Karl Schlüter GmbH&Co和Hotel Alpenhof v Heller(C-585/08和C-144/09)的判例可能有助于认定是否向欧盟中的数据主体提供产品或服务。因此,在考虑到案件的具体事实时,可以考虑或结合考虑以下因素:
|
- The EU or at least one Member State is designated by name with reference to the good or service offered; - The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union; or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience ; - The international nature of the activity at issue, such as certain tourist activities; - The mention of dedicated addresses or phone numbers to be reached from an EU country; - The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”; - The description of travel instructions from one or more other EU Member States to the place where the service is provided; - The mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers; - The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member states; - The data controller offers the delivery of goods in EU Member States. |
|
As already mentioned, several of the elements listed above, if taken alone may not amount to a clear indication of the intention of a data controller to offer goods or services to data subjects in the Union, however, they should each be taken into account in any in concreto analysis in order to determine whether the combination of factors relating to the data controller’s commercial activities can together be considered as an offer of goods or services directed at data subjects in the Union. | 如前所述,如果单独列出上述几个要素,可能不足以明确表明数据控制者打算向欧盟的数据主体提供货物或服务。然而,在进行任何具体分析时都应考虑到这些因素,以便确定与数据控制者的商业活动相关的因素组合是否可以认定构成向欧盟数据主体的提供产品或服务。
|
It is however important to recall that Recital 23 confirms that the mere accessibility of the controller's, processor's or an intermediary's website in the Union, the mention on the website of its e-mail or geographical address, or of its telephone number without an international code,does not, of itself, provide sufficient evidence to demonstrate the controller or processor’s intention to offer goods or a services to a data subject located in the Union. In this context, the EDPB recalls that when goods or services are inadvertently or incidentally provided to a person on the territory of the Union, the related processing of personal data would not fall within the territorial scope of the GDPR. | 但是,序言第23条确认了仅在欧盟境内可以访问控制者,处理者或中间人的网站,在网站上提供电子邮件或地理地址,或共非国际代码的电话号码本身并不能充分证明控制者或处理者想要向位于欧盟中的数据主体提供商品或服务。在这种情况下,EDPB认为无意或偶然地向欧盟内的人提供货物或服务而处理个人数据的行为将不受GDPR的约束。
|
Example 14: A website, based and managed in Turkey, offers services for the creation, editing, printing and shipping of personalised family photo albums. The website is available in English, French, Dutch and German and payments can be made in Euros. The website indicates that photo albums can only be delivered by post mail in France, Benelux countries and Germany. In this case, it is clear that the creation, editing and printing of personalised family photo albums constitute a service within the meaning of EU law. The fact that the website is available in four languages of the EU and that photo albums can be delivered by post in six EU Member States demonstrates that there is an intention on the part of the Turkish website to offer its services to individuals in the Union. As a consequence, it is clear that the processing carried out by the Turkish website, as a data controller, relates to the offering of a service to data subjects in the Union and is therefore subject to the obligations and provisions of the GDPR, as per its Article 3(2)(a). In accordance with Article 27, the data controller will have to designate a representative in the Union. | 例14:某个在土耳其设立和管理的网站提供个性化家庭相册的创建、编辑、打印和寄送服务。该网站提供英语、法语、荷兰语和德语版本,并且可以用欧元付款。该网站表明相册只能邮寄至法国、比荷卢三国和德国。在本案中,很明显制作、编辑和印刷个性化家庭相册是欧盟法律意义上的服务。该网站以欧盟的四种语言提供服务,并且可以在六个欧盟成员国内邮寄相册,这表明土耳其网站有意向欧盟的个人提供服务。因此土耳其网站作为数据控制者所进行的处理涉及向欧盟境内的数据主体提供服务,依据GDPR第3条第(2)款(a)项的规定须受GDPR的约束并履行GDPR项下的义务。根据GDPR第27条的规定,数据控制者必须在欧盟境内指定一名代表人。 |
Example 15: A private company based in Monaco processes personal data of its employees for the purposes of salary payment. A large number of the company’s employees are French and Italian residents. In this case, while the processing carried out by the company relates to data subjects in France and Italy, it does not take place in the context of an offer of goods or services. Indeed human resources management, including salary payment by a third-country company, cannot be considered as an offer of service within the meaning of Art 3(2)a. The processing at stake does not relate to the offer of goods or services to data subjects in the Union (nor to the monitoring of behaviour) and, as a consequence, is not subject to the provisions of the GDPR, as per Article 3. This assessment is without prejudice to the applicable law of the third country concerned. | 例15:摩纳哥某私营公司为支付工资而处理其雇员的个人数据。该公司员工大部分是法国和意大利居民。在这种情况下,虽然该公司进行的处理涉及法国和意大利的数据主体,但并非在提供商品或服务的情况下进行。事实上,人力资源管理,包括第三国公司的工资支付,不能被认定为第3条第(2)款(a)项所指的提供服务。该处理行为不涉及向欧盟境内数据主体提供商品或服务(也不涉及对行为的监控),因此按照第3条的规定不受GDPR的约束。前述分析不影响相关第三国法律的适用。 |
Example 16: A Swiss University in Zurich is launching its Master degree selection process, by making available an online platform where candidates can upload their CV and cover letter, together with their contact details. The selection process is open to any student with a sufficient level of German and English and holding a Bachelor degree. The University does not specifically advertise to students in EU Universities, and only takes payment in Swiss currency. As there is no distinction or specification for students from the Union in the application and selection process for this Master degree, it cannot be established that the Swiss University has the intention to target students from particular EU Member States. The sufficient level of German and English is a general requirement that applies to any applicant whether a Swiss resident, a person in the Union or a student from a third country. Without other factors to indicate the specific targeting of students in EU Member States, it therefore cannot be established that the processing in question relates to the offer of an education service to data subjects in the Union, and such processing will therefore not be subject to the GDPR provisions. The Swiss University also offers summer courses in international relations and specifically advertises this offer in German and Austrian universities in order to maximise the courses’ attendance. In this case, there is a clear intention from the Swiss University to offer such service to data subjects who are in the Union, and the GDPR will apply to the related processing activities. | 例16:苏黎世某瑞士大学启动其硕士学位选拔程序,提供在线平台供候选人上传简历、求职信以及联系方式。任何具有足够德语和英语水平并持有学士学位的学生均可参加选拔。该大学并没有向欧盟境内大学的学生做特别宣传,也只接受以瑞士货币付款。由于在本硕士学位的申请和遴选过程中没有对来自欧盟的学生进行区分或特别说明,因此无法确定瑞士大学有意针对特定欧盟成员国的学生。足够的德语和英语水平是适用于任何申请人的一般要求,无论该申请人是瑞士居民、欧盟境内人员还是来自第三国的学生。在没有其他因素表明专门针对欧盟成员国学生的情况下,不能认定所涉处理与向欧盟境内数据主体提供教育服务有关,因此此类处理不受GDPR规定的约束。该瑞士大学还提供国际关系暑期课程,并专门在德国和奥地利的大学中宣传此课程,以最大程度地提高课程的出勤率。在这种情况下,瑞士大学明确有意向欧盟境内的数据主体提供此类服务,GDPR将适用于相关的处理活动。 |
c) Monitoring of data subjects’ behaviour | c)监控数据主体的行为 |
The second type of activity triggering the application of Article 3(2) is the monitoring of data subject behaviour as far as their behaviour takes place within the Union. | 触发适用第3条第(2)款的第二类活动是对数据主体在欧盟境内行为的监控。 |
Recital 24 clarifies that “[t]he processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union.” | 序言第24条阐明:“非在欧盟境内设立的控制者或处理者处理欧盟境内数据主体的个人数据时,如果涉及对此类数据主体在欧盟境内行为的监控,则也应遵守本条例。” |
For Article 3(2)(b) to trigger the application of the GDPR, the behaviour monitored must first relate to a data subject in the Union and, as a cumulative criterion, the monitored behaviour must take place within the territory of the Union. | 根据第3条第(2)款(b)项的规定,所监控的行为必须首先与欧盟境内的数据主体有关,且所监控的行为必须在欧盟境内发生,二者须同时满足。 |
The nature of the processing activity which can be considered as behavioural monitoring is further specified in Recital 24 which states that “in order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.” While Recital 24 exclusively relates to the monitoring of a behaviour through the tracking of a person on the internet, the EDPB considers that tracking through other types of network or technology involving personal data processing should also be taken into account in determining whether a processing activity amounts to a behavioural monitoring, for example through wearable and other smart devices. | 可被视为行为监控的处理活动的性质在序言第24条中作了进一步的规定,其中要求“为了确定是否可以将处理活动视为监控数据主体的行为,应查明是否在互联网上对自然人进行跟踪,包括随后可能使用的个人数据处理技术,这些技术包括对自然人进行特征分析,特别是为了对自然人作出决定,或分析或预测自然人的个人偏好、行为和态度。”虽然序言第24条仅指向通过在互联网上跟踪个人来监控行为,但EDPB认为,在确定处理活动是否属于对行为的监控时,还应考虑通过其他类型的网络或技术进行跟踪的个人数据处理,例如通过可穿戴设备和其他智能设备。 |
As opposed to the provision of Article 3(2)(a), neither Article 3(2)(b) nor Recital 24 expressly introduce a necessary degree of “intention to target” on the part of the data controller or processor to determine whether the monitoring activity would trigger the application of the GDPR to the processing activities. However, the use of the word “monitoring” implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behaviour within the EU. The EDPB does not consider that any online collection or analysis of personal data of individuals in the EU would automatically count as “monitoring”. It will be necessary to consider the controller’s purpose for processing the data and, in particular, any subsequent behavioural analysis or profiling techniques involving that data. The EDPB takes into account the wording of Recital 24, which indicates that to determine whether processing involves monitoring of a data subject behaviour, the tracking of natural persons on the Internet, including the potential subsequent use of profiling techniques, is a key consideration. | 与GDPR第3条第(2)款(a)项的规定不同,GDPR第3条第(2)款(b)项和序言第24条均未明确规定数据控制者或处理者须具备何种程度的“目标指向意图”,方可认定监控活动会触发GDPR对该处理活动的适用。但是,“监控”一词的使用意味着控制者对于收集和再利用欧盟境内个人行为的相关数据有特定的目的。EDPB并不认为任何在线收集或分析欧盟境内个人数据的行为都会自动被视为“监控”。有必要考虑控制者处理数据的目的,特别是涉及该数据的任何后续行为分析或特征分析技术。EDPB考虑了序言第24条的措辞,该措辞表明,要确定数据处理是否涉及监控数据主体的行为,对互联网上自然人的跟踪(包括随后可能使用的特征分析技术)是关键考量因素。 |
The application of Article 3(2)(b) where a data controller or processor monitors the behaviour of data subjects who are in the Union could therefore encompass a broad range of monitoring activities, including in particular: | 因此,根据第3条第(2)款(b)项的规定,数据控制者或处理者监控欧盟境内数据主体的行为可包括广泛的监控活动,特别是包括: |
• Behavioural advertisement | • 行为广告 |
• Geo-localisation activities, in particular for marketing purposes | • 地理定位活动,特别是出于营销目的 |
• Online tracking through the use of cookies or other tracking techniques such as fingerprinting | • 通过使用cookie或指纹识别等其他跟踪技术进行在线跟踪 |
• Personalised diet and health analytics services online | • 在线个性化饮食和健康分析服务 |
• CCTV | • 闭路电视监控 |
• Market surveys and other behavioural studies based on individual profiles | • 基于个人特征档案的市场调查和其他行为研究 |
• Monitoring or regular reporting on an individual’s health status | • 对个人健康状况的监控或定期报告 |
Example 17: A retail consultancy company established in the US provides advice on retail layout to a shopping centre in France, based on an analysis of customers’ movements throughout the centre collected through Wi-Fi tracking. The analysis of a customers’ movements within the centre through Wi-Fi tracking will amount to the monitoring of individuals’ behaviour. In this case, the data subjects’ behaviour takes place in the Union since the shopping centre is located in France. The consultancy company, as a data controller, is therefore subject to the GDPR in respect of the processing of this data for this purpose as per its Article 3(2)(b). In accordance with Article 27, the data controller will have to designate a representative in the Union. | 例17:在美国设立的某零售咨询公司基于通过Wi-Fi追踪收集的顾客在购物中心内的移动情况分析,为法国某购物中心提供零售布局方面的建议。通过Wi-Fi追踪分析顾客在购物中心内的移动相当于对个人行为的监控。在本例中,由于购物中心位于法国,数据主体的行为发生在欧盟境内。因此,作为数据控制者的该咨询公司以此为目的处理该等数据时,须根据GDPR第3条第(2)款(b)项的规定受GDPR约束。根据GDPR第27条的规定,作为数据控制者的该美国咨询公司必须在欧盟境内指定一名代表人。 |
Example 18: An app developer established in Canada with no establishment in the Union monitors the behaviour of data subjects in the Union and is therefore subject to the GDPR, as per Article 3(2)b. The developer uses a processor established in the US for the app optimisation and maintenance purposes. | 例18:某设立于加拿大、在欧盟境内没有设立机构的App开发者监控欧盟境内数据主体的行为,因此根据GDPR第3条第(2)款(b)项的规定受GDPR的约束。该App开发者使用在美国设立的处理者进行应用优化和维护。 |
In relation to this processing, the Canadian controller has the duty to only use appropriate processors and to ensure that its obligations under the GDPR are reflected in the contract or legal act governing the relation with its processor in the US, pursuant to Article 28. | 就委托处理的行为而言,加拿大数据控制者有义务仅使用合适的处理者,确保其履行GDPR第28条项下的义务,并反映在管理其与美国处理者关系的合同或法律行为中。 |
d) Processor not established in the Union | d) 设立在欧盟境外的数据处理者 |
Processing activities which are “related” to the targeting activity which triggered the application of Article 3(2) fall within the territorial scope of the GDPR. The EDPB considers that there needs to be a connection between the processing activity and the offering of goods or services, but both processing by a controller and a processor are relevant and to be taken into account. | 与触发适用GDPR第3条第(2)款的目标指向活动“相关”的处理活动属于GDPR的地域适用范围。EDPB认为处理活动和提供商品或服务之间需要有联系,但控制者和处理者的处理活动均具有相关性,都应纳入考虑。 |
When it comes to a data processor not established in the Union, in order to determine whether its processing may be subject to the GDPR as per Article 3(2), it is necessary to look at whether the processing activities by the processor “are related” to the targeting activities of the controller. | 对于设立在欧盟境外的数据处理者,为了确定其数据处理是否根据GDPR第3条第(2)款受GDPR约束,有必要审查处理者的数据处理活动是否与控制者的目标指向活动“相关”。 |
The EDPB considers that, where processing activities by a controller relate to the offering of goods or services or to the monitoring of individuals’ behaviour in the Union (‘targeting’), any processor instructed to carry out that processing activity on behalf of the controller will fall within the scope of the GDPR by virtue of Art 3(2) in respect of that processing. | EDPB认为,如果数据控制者的数据处理活动涉及向欧盟境内提供商品或服务或监控个人在欧盟境内的行为(“目标指向”),则根据第3条第(2)款的规定,任何受指示代表控制者执行该处理活动的处理者,就该处理而言均属于GDPR的适用范围。 |
The ‘Targeting’ character of a processing activity is linked to its purposes and means; a decision to target individuals in the Union can only be made by an entity acting as a controller. Such interpretation does not rule out the possibility that the processor may actively take part in processing activities related to carrying out the targeting criteria (i.e. the processor offers goods or services or carries out monitoring actions on behalf of, and on instruction from, the controller). | 数据处理活动的“目标指向”性质与其目的和方法有关;只有作为数据控制者的实体才能决定是否将欧盟境内的个人作为目标。这样的解释并不排除处理者积极参与与实施目标指向相关的数据处理活动(即处理者根据控制者的指令、代表控制者提供商品或服务或实施监控行动)的可能性。 |
The EDPB therefore considers that the focus should be on the connection between the processing activities carried out by the processor and the targeting activity undertaken by a data controller. | 因此,EDPB认为重点应是处理者执行的处理活动与数据控制者执行的目标指向活动之间的关联。 |
Example 19: A Brazilian company sells food ingredients and local recipes online, making this offer of goods available to persons in the Union, by advertising these products and offering the delivery in France, Spain and Portugal. In this context, the company instructs a data processor also established in Brazil to develop special offers to customers in France, Spain and Portugal on the basis of their previous orders and to carry out the related data processing. Processing activities by the processor, under the instruction of the data controller, are related to the offer of goods to data subjects in the Union. Furthermore, by developing these customized offers, the data processor directly monitors data subjects in the EU. Processing by the processor is therefore subject to the GDPR, as per Article 3(2). | 例19:某巴西公司在网上销售食品配料和当地食谱,通过投放广告并在法国、西班牙和葡萄牙提供送货服务,向欧盟境内的人提供商品。在此情况下,该公司指示同样在巴西设立的数据处理者基于法国、西班牙和葡萄牙客户之前的订单开发特别优惠,并进行相关的数据处理。处理者在控制者的指令下进行的处理活动与向欧盟境内的数据主体提供商品有关。此外,通过开发这些定制优惠,数据处理者直接监控了欧盟境内的数据主体。因此,根据第3条第(2)款,处理者的数据处理活动应受GDPR的约束。 |
Example 20: A US company has developed a health and lifestyle app, allowing users to record with the US company their personal indicators (sleep time, weight, blood pressure, heartbeat, etc…). The app then provides users with daily advice on food and sport recommendations. The processing is carried out by the US data controller. The app is made available to, and is used by, individuals in the Union. For the purpose of data storage, the US company uses a processor established in the US (cloud service provider). To the extent that the US company is monitoring the behaviour of individuals in the EU, in operating the health and lifestyle app it will be ‘targeting’ individuals in the EU and its processing of the personal data of individuals in the EU will fall within the scope of the GDPR under Art 3(2). In carrying out the processing on instructions from, and on behalf of, the US company the cloud provider/processor is carrying out a processing activity ‘relating to’ the targeting of individuals in the EU by its controller. This processing activity by the processor on behalf of its controller falls within the scope of the GDPR under Art 3(2). | 例20:某美国公司开发了一款健康和生活方式App,允许用户向该美国公司记录他们的个人指标(睡眠时间、体重、血压、心跳等)。然后,该App为用户提供每日的饮食和运动建议。处理由该美国数据控制者执行。该App提供给欧盟境内的个人并被其使用。在数据存储方面,该美国公司使用在美国设立的处理者(云服务提供商)。就该美国公司监控欧盟境内个人行为而言,其在运行该App时即是在“目标指向”欧盟境内的个人,其对欧盟境内个人数据的处理根据GDPR第3条第(2)款属于GDPR的适用范围。在根据该美国公司的指示并代表该公司进行处理时,该云服务商/处理者执行的处理活动与其控制者针对欧盟境内个人的目标指向活动“相关”。根据GDPR第3条第(2)款的规定,处理者代表其数据控制者进行的该项处理活动属于GDPR的适用范围。 |
Example 21: A Turkish company offers cultural package travels in the Middle East with tour guides speaking English, French and Spanish. The package travels are notably advertised and offered through a website available in the three languages, allowing for online booking and payment in Euros and GBP. For marketing and commercial prospection purposes, the company instructs a data processor, a call center, established in Tunisia to contact former customers in Ireland, France, Belgium and Spain in order to get feedback on their previous travels and inform them about new offers and destinations. The controller is ‘targeting’ by offering its services to individuals in the EU and its processing will fall within the scope of Art 3(2). The processing activities of the Tunisian processor, which promotes the controller’s services towards individuals in the EU, are also related to the offer of services by the controller and therefore fall within the scope of Art 3(2). Furthermore, in this specific case, the Tunisian processor actively takes part in processing activities related to carrying out the targeting criteria, by offering services on behalf of, and on instruction from, the Turkish controller. | 例21:某土耳其公司提供中东文化旅游套餐,导游会说英语、法语和西班牙语。该旅游套餐主要通过一个提供上述三种语言的网站进行宣传和销售,该网站允许在线预订,并支持欧元和英镑付款。出于营销和商业招徕的目的,该公司指示一个设立在突尼斯的数据处理者(一个呼叫中心)联系位于爱尔兰、法国、比利时和西班牙的老客户,以获取他们对以往旅行的反馈,并告知他们新的优惠和目的地。控制者通过向欧盟境内的个人提供服务而构成“目标指向”,根据GDPR第3条第(2)款其处理属于GDPR的适用范围。突尼斯处理者的数据处理活动向欧盟境内的个人推广控制者的服务,也与控制者提供的服务相关,因此根据GDPR第3条第(2)款其处理同样属于GDPR的适用范围。此外,在本案中,突尼斯处理者代表土耳其控制者并根据其指示提供服务,积极参与了与实施目标指向相关的处理活动。 |
e) Interaction with other GDPR provisions and other legislations | e)与其他GDPR条款和其他法律的相互作用 |
The EDPB will also further assess the interplay between the application of the territorial scope of the GDPR as per Article 3 and the provisions on international data transfers as per Chapter V. Additional guidance may be issued in this regard, should this be necessary. | EDPB还将进一步评估根据第3条适用的GDPR地域适用范围与第五章关于国际数据传输的规定之间的相互作用。如有必要,可能会就此发布额外的指导意见。 |
Controllers or processors not established in the EU will be required to comply with their own third country national laws in relation to the processing of personal data. However, where such processing relates to the targeting of individuals in the Union as per Article 3(2) the controller will, in addition to being subject to its country’s national law, be required to comply with the GDPR. This would be the case regardless of whether the processing is carried out in compliance with a legal obligation in the third country or simply as a matter of choice by the controller. | 在处理个人数据方面,设立在欧盟境外的第三国控制者或处理者须遵守其本国法律。但是,如果这种处理根据GDPR第3条第(2)款涉及针对联盟境内的个人,则除要遵守其国家/地区的法律外,控制者还必须遵守GDPR的规定。不管处理是按照第三国的法律义务进行的,还是仅仅是由控制者选择而进行的处理,情况都是如此。 |
3 PROCESSING IN A PLACE WHERE MEMBER STATE LAW APPLIES BY VIRTUE OF PUBLIC INTERNATIONAL LAW | 3 在成员国法律因国际公法而适用的地点进行数据处理 |
Article 3(3) provides that “[t]his Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law”. This provision is expanded upon in Recital 25 which states that “[w]here Member State law applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.” | 第3条第(3)款规定:“本条例适用于非设立于欧盟境内但在根据国际公法适用成员国法律的地点的数据控制者所进行的个人数据处理行为。”序言第25条对该条款作了扩展,规定:“当成员国法律因国际公法而适用时,本条例也应适用于非设立于欧盟境内的数据控制者,如成员国的外交使团或领事馆。” |
The EDPB therefore considers that the GDPR applies to personal data processing carried out by EU Member States’ embassies and consulates located outside the EU as such processing falls within the scope of the GDPR by virtue of Article 3(3). A Member State’s diplomatic or consular post, as a data controller or processor, would then be subject to all relevant provisions of the GDPR, including when it comes to the rights of the data subject, the general obligations related to controller and processor and the transfers of personal data to third countries or international organisations. | 因此,EDPB认为GDPR适用于欧盟成员国驻欧盟以外的使领馆进行的个人数据处理,因为根据第3条第(3)款,此类处理属于GDPR的适用范围。成员国的外交或领事机构作为数据控制者或处理者,须遵守GDPR的所有相关规定,包括涉及数据主体权利、控制者和处理者的一般义务以及向第三国或国际组织传输个人数据的规定。 |
Example 22: The Dutch consulate in Kingston, Jamaica, opens an online application process for the recruitment of local staff in order to support its administration. While the Dutch consulate in Kingston, Jamaica, is not established in the Union, the fact that it is a consular post of an EU country where Member State law applies by virtue of public international law renders the GDPR applicable to its processing of personal data, as per Article 3(3). | 例22:荷兰驻牙买加金斯敦领事馆为征聘当地工作人员开设了在线申请流程,以支持其行政管理。虽然荷兰驻牙买加金斯敦的领事馆设立在欧盟境外,但它是欧盟成员国的领事馆,根据第3条第(3)款的规定,依据国际公法适用成员国法律,从而GDPR 适用该领事馆对个人数据的处理。 |
Example 23: A German cruise ship travelling in international waters is processing data of the guests on board for the purpose of tailoring the in-cruise entertainment offer. While the ship is located outside the Union, in international waters, the fact that it is a German-registered cruise ship means that by virtue of public international law the GDPR shall be applicable to its processing of personal data, as per Article 3(3). | 例23:在国际水域航行的某德国游轮处理船上客人的数据,以便定制邮轮内的娱乐项目。虽然该船位于欧盟以外的国际水域,但该船是在德国注册的游轮这一事实意味着,根据第3条第(3)款的规定,依据国际公法适用成员国法律,从而GDPR适用于该游轮对个人数据的处理。 |
Though not related to the application of Article 3(3), a different situation is the one where, by virtue of international law, certain entities, bodies or organisations established in the Union benefit from privileges and immunities such as those laid down in the Vienna Convention on Diplomatic Relations of 1961, the Vienna Convention on Consular Relations of 1963 or headquarter agreements concluded between international organisations and their host countries in the Union. In this regard, the EDPB recalls that the application of the GDPR is without prejudice to the provisions of international law, such as the ones governing the privileges and immunities of non-EU diplomatic missions and consular posts, as well as international organisations. At the same time, it is important to recall that any controller or processor that falls within the scope of the GDPR for a given processing activity and that exchanges personal data with such entities, bodies and organisations have to comply with the GDPR, including where applicable its rules on transfers to third countries or international organisations. | 虽然与GDPR第3条第(3)款的适用无关,但另一种情形是,根据1961年《维也纳外交关系公约》、1963年《维也纳领事关系公约》或国际组织与其欧盟境内所在国缔结的总部协定等国际法的规定,在欧盟境内设立的某些实体、机构或组织享有特权和豁免。在此方面,EDPB重申GDPR的适用不影响国际法的规定,例如关于非欧盟外交使团和领事馆以及国际组织的特权和豁免的规定。同时,必须强调,任何就特定处理活动属于GDPR适用范围、并与此类实体、机构和组织交换个人数据的控制者或处理者必须遵守GDPR,包括其向第三国或国际组织传输数据的规则(如适用)。 |
4 REPRESENTATIVE OF CONTROLLERS OR PROCESSORS NOT ESTABLISHED IN THE UNION | 4 设立于欧盟境外的控制者或处理者的代表人 |
Data controllers or processors subject to the GDPR as per its Article 3(2) are under the obligation to designate a representative in the Union. A controller or processor not established in the Union but subject to the GDPR failing to designate a representative in the Union would therefore be in breach of the Regulation. | 根据GDPR第3条第(2)款的规定,受GDPR约束的数据控制者或处理者有义务在欧盟境内指定一名代表人。因此,未在欧盟境内设立但受GDPR约束的控制者或处理者如未能在欧盟境内指定代表人,将违反本条例。 |
This provision is not entirely new since Directive 95/46/EC already provided for a similar obligation. Under the Directive, this provision concerned controllers not established on Community territory that, for purposes of processing personal data, made use of equipment, automated or otherwise, situated on the territory of a Member State. The GDPR imposes an obligation to designate a representative in the Union to any controller or processor falling under the scope of Article 3(2), unless they meet the exemption criteria as per Article 27(2). In order to facilitate the application of this specific provision, the EDPB deems it necessary to provide further guidance on the designation process, establishment obligations and responsibilities of the representative in the Union as per Article 27. | 这并不是一项全新的规定,因为95/46/EC指令已经规定了类似的义务。根据该指令,该项规定针对的是未在共同体领土内设立、但为处理个人数据而使用位于成员国领土内的自动化或其他设备的控制者。除符合第27条第(2)款规定的豁免标准外,根据第3条第(2)款而受GDPR约束的任何控制者或处理者均须在欧盟境内指定代表人。为便利这一具体规定的适用,EDPB认为有必要根据第27条对欧盟境内代表人的指定程序、设立义务和责任提供进一步的指导。 |
It is worth noting that a controller or processor not established in the Union who has designated in writing a representative in the Union, in accordance with article 27 of the GDPR, does not fall within the scope of article 3(1), meaning that the presence of the representative within the Union does not constitute an “establishment” of a controller or processor by virtue of article 3(1). | 值得注意的是,设立在欧盟境外的数据控制者或处理者依据GDPR第27条以书面形式在欧盟境内指定了代表人的,并不因此落入第3条第(1)款的适用范围,换言之,代表人在欧盟境内的存在并不构成控制者或处理者在第3条第(1)款意义上的“设立”。 |
a) Designation of a representative | a) 指定代表人 |
Recital 80 clarifies that “[t]he representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf with regard to its obligations under this Regulation. The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation. Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation.” | 序言第80条阐明:“数据控制者或处理者应当以书面授权方式明确指定其代表人以代表其履行本条例项下的义务。指定代表人并不影响数据控制者或处理者在本条例项下的义务与责任。该代表人应根据从数据控制者或处理者处获得的授权执行任务,包括与有权监管机构合作,实施任何确保遵守本条例的活动。” |
The written mandate referred to in Recital 80 shall therefore govern the relations and obligations between the representative in the Union and the data controller or processor established outside the Union, while not affecting the responsibility or liability of the controller or processor. The representative in the Union may be a natural or a legal person established in the Union able to represent a data controller or processor established outside the Union with regard to their respective obligations under the GDPR. | 因此,在不影响数据控制者或处理者在GDPR项下的义务与责任的条件下,欧盟境外数据控制者或数据处理者应当按照引言第80条的要求以书面授权的方式在欧盟境内明确指定其代表人。该控制者或处理者与代表人之间的关系以及各自的义务应当参照该书面授权的规定。在欧盟境内的代表人既可以是自然人也可以是法人。该代表人应当有能力担任欧盟境外的数据控制者或处理者履行GDPR项下的义务时的代表。 |
In practice, the function of representative in the Union can be exercised based on a service contract concluded with an individual or an organisation, and can therefore be assumed by a wide range of commercial and non-commercial entities, such as law firms, consultancies, private companies, etc... provided that such entities are established in the Union. One representative can also act on behalf of several non-EU controllers and processors. | 在实践中,欧盟境内代表的职能可以依据与欧盟境外数据控制者或处理者之间订立的服务协议行使,因此可以由各种不同类别的商业或非商业实体担任,例如律师事务所、咨询公司、私人企业等,只要该等实体设立在欧盟境内。同一实体可以担任多家欧盟境外数据控制者或数据处理者在欧盟境内的代表。 |
When the function of representative is assumed by a company or any other type of organisation, it is recommended that a single individual be assigned as a lead contact and person “in charge” for each controller or processor represented. It would generally also be useful to specify these points in the service contract. | 如果代表人的职能由公司或其他类型的组织担任,建议为其所代表的每一控制者或处理者指定一名个人作为主要联络人和“负责人”。通常而言,在服务协议中明确这些事项也是有益的。 |
In line with the GDPR, the EDPB confirms that, when several processing activities of a controller or processor fall within the scope of Article 3(2) GDPR (and none of the exceptions of Article 27(2) GDPR apply), that controller or processor is not expected to designate several representatives for each separate processing activity falling within the scope of article 3(2). The EDPB does not consider the function of representative in the Union as compatible with the role of an external data protection officer (“DPO”) which would be established in the Union. Article 38(3) establishes some basic guarantees to help ensure that DPOs are able to perform their tasks with a sufficient degree of autonomy within their organisation. In particular, controllers or processors are required to ensure that the DPO “does not receive any instructions regarding the exercise of [his or her] tasks”. Recital 97 adds that DPOs, “whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner”. Such requirement for a sufficient degree of autonomy and independence of a data protection officer does not appear to be compatible with the function of representative in the Union. The representative is indeed subject to a mandate by a controller or processor and will be acting on its behalf and therefore under its direct instruction. The representative is mandated by the controller or processor it represents, and therefore acting on its behalf in exercising its task, and such a role cannot be compatible with the carrying out of duties and tasks of the data protection officer in an independent manner. | 根据GDPR的规定,EDPB确认,在控制者或处理者的多项处理活动均属于GDPR第3条第(2)款的适用范围(且不适用GDPR第27条第(2)款规定的任何豁免)的情况下,该控制者或处理者无须为每项处理活动分别指定多名代表人。EDPB认为,欧盟境内代表人的职能与设立在欧盟境内的外部数据保护官(“DPO”)的角色不相兼容。GDPR第38条第(3)款规定了一些基本保障,以确保DPO能够在其组织内以足够的自主程度履行职责,特别是要求控制者或处理者应当确保DPO“不会收到任何有关执行其任务的指示”。序言第97条进一步规定,DPO“无论是否是控制者的雇员,都应当能够独立履行其义务与职责”。这种对DPO足够的自主性和独立性的要求似乎与欧盟境内代表人的职能不相兼容。代表人受制于控制者或处理者的委托,代表其行事,并因此受其直接指示。代表人受其所代表的控制者或处理者的委托并代表其执行任务,这一角色无法与DPO独立履行义务和职责的要求相兼容。 |
Furthermore, and to complement its interpretation, the EDPB recalls the position already taken by the WP29 stressing that “a conflict of interests may also arise for example if an external DPO is asked to represent the controller or processor before the Courts in cases involving data protection issues”. | 此外,为补充说明这一解释,EDPB回顾了第29条工作组已经采取的立场,即强调“例如,如果要求外部DPO在涉及数据保护问题的案件中在法庭上代表控制者或处理者,也可能产生利益冲突”。 |
Similarly, given the possible conflict of obligation and interests in cases of enforcement proceedings, the EDPB does not consider the function of a data controller representative in the Union as compatible with the role of data processor for that same data controller, in particular when it comes to compliance with their respective responsibilities and compliance. | 同样,鉴于在执法程序中可能存在的义务和利益冲突,EDPB认为数据控制者欧盟境内代表人的职能与担任同一数据控制者的数据处理者的角色不相兼容,特别是在各自的责任履行和合规方面。 |
While the GDPR does not impose any obligation on the data controller or the representative itself to notify the designation of the latter to a supervisory authority, the EDPB recalls that, in accordance with Articles 13(1)a and 14(1)a, as part of their information obligations, controllers shall provide data subjects information as to the identity of their representative in the Union. This information shall for example be included in the [privacy notice and] upfront information provided to data subjects at the moment of data collection. A controller not established in the Union but falling under Article 3(2) and failing to inform data subjects who are in the Union of the identity of its representative would be in breach of its transparency obligations as per the GDPR. Such information should furthermore be easily accessible to supervisory authorities in order to facilitate the establishment of a contact for cooperation needs. | 尽管GDPR并没有要求数据控制者或其代表人有义务将对代表人的指定通知监管机构,但EDPB重申,根据GDPR第13条第(1)款a项和第14条第(1)款a项的规定,控制者应当将其欧盟境内代表人的身份告知数据主体,以履行其告知义务,例如在收集数据时通过[隐私声明及]预先提供给数据主体的信息予以告知。设立在欧盟境外且符合第3条第(2)款适用条件的控制者未能告知欧盟境内数据主体其代表人身份的,违反了GDPR规定的透明性义务。此外,该等信息应便于监管机构获取,以便在需要合作时建立联系。 |
Example 24: The website referred to in example 12, based and managed in Turkey, offers services for the creation, edition, printing and shipping of personalised family photo albums. The website is available in English, French, Dutch and German and payments can be made in Euros or Sterling. The website indicates that photo albums can only be delivered by post mail in France, Benelux countries and Germany. This website being subject to the GDPR, as per its Article 3(2)(a), the data controller must designate a representative in the Union. | 例24:例12中提及的某设立在土耳其并在土耳其管理的网站提供个性化家庭相册的创建、编辑、打印和寄送服务。该网站提供英语、法语、荷兰语和德语版本,且支持欧元或英镑付款。该网站声明,相册仅可邮寄至法国、比荷卢三国和德国。根据GDPR第3条第(2)款(a)项的规定,该网站受GDPR的约束,数据控制者必须在欧盟境内指定一名代表人。 |
The representative must be established in one of the Member States where the service offered is available, in this case either in France, Belgium, Netherlands, Luxembourg or Germany. The name and contact details of the data controller and its representative in the Union must be part of the information made available online to data subjects once they start using the service by creating their photo album. It must also appear in the website general privacy notice. | 代表人必须设立在提供该服务的其中一个成员国内,在本案中即法国、比利时、荷兰、卢森堡或德国。数据控制者及其欧盟境内代表人的名称和联系方式必须在数据主体开始创建相册使用该服务时作为在线提供给数据主体的信息的一部分,并且必须写入网站的一般隐私声明中。 |
b) Exemptions from the designation obligation | b)指定代表义务的免除 |
While the application of Article 3(2) triggers the obligation to designate a representative in the Union for controllers or processors established outside the Union, Article 27(2) foresees derogation from the mandatory designation of a representative in the Union, in two distinct cases: | 尽管GDPR第3条第(2)款的适用要求设立于欧盟境外的数据控制者或处理者在欧盟境内指定一名代表人,但GDPR第27条第(2)款规定了两种豁免情形: |
• processing is “occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10”, and such processing “is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing”. | • 处理是“偶尔发生的,不包括大规模处理第9条第(1)款所述特殊类别的数据或处理第10条所述与刑事定罪和犯罪有关的个人数据”,且“考虑到处理的性质、背景、范围和目的”,该等处理“不太可能对自然人的权利和自由造成风险”。 |
In line with positions taken previously by the Article 29 Working Party, the EDPB considers that a processing activity can only be considered as “occasional” if it is not carried out regularly, and occurs outside the regular course of business or activity of the controller or processor. | 参考第29条工作组先前的立场,EDPB认为处理活动只有在不是定期进行、且发生在控制者或处理者的日常经营或活动范围之外的情况下,才能被认定为“偶尔发生的”。 |
Furthermore, while the GDPR does not define what constitutes large-scale processing, the WP29 has previously recommended in its guidelines WP243 on data protection officers (DPOs) that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale: the number of data subjects concerned - either as a specific number or as a proportion of the relevant population; the volume of data and/or the range of different data items being processed; the duration, or permanence, of the data processing activity; the geographical extent of the processing activity. | 此外,尽管GDPR并未定义什么是大规模处理,但第29条工作组先前在其关于数据保护官(DPO)的WP243指南中建议,在认定是否属于大规模处理时应特别考虑如下因素:所涉数据主体的数量(具体数额或占相关人群的比例);数据体量和/或所处理的不同数据项的范围;数据处理活动的持续时间或持久性;以及数据处理活动的地理范围。 |
Finally, the EDPB highlights that the exemption from the designation obligation as per Article 27 refers to processing “unlikely to result in a risk to the rights and freedoms of natural persons”[34], thus not limiting the exemption to processing unlikely to result in a high risk to the rights and freedoms of data subjects. In line with Recital 75, when assessing the risk to the rights and freedoms of data subjects, consideration should be given to both the likelihood and severity of the risk. | Finally, the EDPB stresses that the exemption in Article 27 of the GDPR applies to processing that is “unlikely to result in a risk to the rights and freedoms of natural persons”, meaning that the exemption is not confined to processing unlikely to result in a high risk to the rights and freedoms of data subjects. As Recital 75 recommends, both the likelihood and the severity of the risk should be considered when assessing the risk to the rights and freedoms of data subjects. |
• or processing is carried out “by a public authority or body”. | • or such processing is carried out by a “public authority or body”. |
The qualification as a “public authority or body” for an entity established outside the Union will need to be assessed by supervisory authorities in concreto and on a case by case basis.[35] The EDPB notes that, given the nature of their tasks and missions, cases where a public authority or body in a third country would be offering goods or services to data subjects in the Union, or would monitor their behaviour taking place within the Union, are likely to be limited. | Whether an organisation established outside the Union qualifies as a “public authority or body” must be assessed by supervisory authorities in concreto, on a case-by-case basis. The EDPB considers that, given the nature of their tasks and objectives, cases in which an organisation of a third country acting as a public authority or body offers goods or services to data subjects in the Union, or monitors the behaviour of data subjects within the Union, are likely to be rare. |
c) Establishment in one of the Member States where the data subjects whose personal data are processed | c) Establishment in the Member State where the data subjects whose personal data are processed are located |
Article 27(3) foresees that “the representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are”. In cases where a significant proportion of data subjects whose personal data are processed are located in one particular Member State, the EDPB recommends, as a good practice, that the representative is established in that same Member State. However, the representative must remain easily accessible for data subjects in Member States where it is not established and where the services or goods are being offered or where the behaviour is being monitored. | Article 27(3) of the GDPR provides that “the representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are”. Where most of the data subjects whose data are processed are located in one particular Member State, the EDPB recommends, as good practice, that the representative be established in that Member State. However, where data subjects are offered goods or services, or have their behaviour monitored, in a Member State in which no representative is established, it must be ensured that those data subjects can easily contact the representative. |
The EDPB confirms that the criterion for the establishment of the representative in the Union is the location of data subjects whose personal data are being processed. The place of processing, even by a processor established in another Member State, is here not a relevant factor for determining the location of the establishment of the representative. | The EDPB confirms that the criterion for choosing the Member State in which the representative is established is the location of the data subjects whose personal data are being processed. The place where the processing takes place, even if it is in another Member State, is not a factor in choosing the Member State of establishment of the representative. |
Example 25: An Indian pharmaceutical company, with neither business presence nor establishment in the Union and subject to the GDPR as per Article 3(2), sponsors clinical trials carried out by investigators (hospitals) in Belgium, Luxembourg and the Netherlands. The majority of patients participating in the clinical trials are situated in Belgium. The Indian pharmaceutical company, as a data controller, shall designate a representative in the Union established in one of the three Member States where patients, as data subjects, are participating in the clinical trial (Belgium, Luxembourg or the Netherlands). Since most patients are Belgian residents, it is recommended that the representative is established in Belgium. Should this be the case, the representative in Belgium should however be easily accessible to data subjects and supervisory authorities in the Netherlands and Luxembourg. In this specific case, the representative in the Union could be the legal representative of the sponsor in the Union, as per Article 74 of Regulation (EU) 536/2014 on clinical trials, provided that it does not act as a data processor on behalf of the clinical trial sponsor, that it is established in one of the three Member States, and that both functions are governed by and exercised in compliance with each legal framework. | Example 25: An Indian pharmaceutical company has neither business activities nor an establishment in the Union, but is subject to the GDPR under Article 3(2). The company sponsors clinical trials conducted by investigators (hospitals) in Belgium, Luxembourg and the Netherlands. Most of the patients taking part in the clinical trials are located in Belgium. The Indian pharmaceutical company, as data controller, must designate a representative in the Union in one of the three Member States in which the patients, as data subjects, take part in the clinical trials (Belgium, Luxembourg or the Netherlands). Since most of the patients are Belgian, it is recommended that the representative be established in Belgium. In that case, it must be ensured that data subjects and supervisory authorities in the Netherlands and Luxembourg can conveniently contact the representative located in Belgium. In this case, under Article 74 of the EU Clinical Trials Regulation (Regulation (EU) 536/2014), the representative in the Union may be the sponsor’s legal representative in the Union, provided that it is established in one of the three Member States and that the exercise of the representative’s functions complies with the law of each Member State. |
d) Obligations and responsibilities of the representative | d) Obligations and responsibilities of the representative |
The representative in the Union acts on behalf of the controller or processor it represents with regard to the controller or processor’s obligations under the GDPR. This implies notably the obligations relating to the exercise of data subject rights, and in this regard and as already stated, the identity and contact details of the representative must be provided to data subjects in accordance with Articles 13 and 14. While not itself responsible for complying with data subject rights, the representative must facilitate the communication between data subjects and the controller or processor represented, in order to make the exercise of data subjects’ rights effective. | The representative acts in the Union on behalf of the controller or processor it represents in fulfilling that organisation’s obligations under the GDPR, in particular the obligations relating to data subject rights. As stated above, the organisation must inform data subjects of the identity and contact details of the representative in accordance with Articles 13 and 14. Although the representative is not itself responsible for responding to data subjects’ requests, it must facilitate communication between data subjects and the controller or processor it represents in order to ensure the effective exercise of data subjects’ rights. |
As per Article 30, the controller or processor’s representative shall in particular maintain a record of processing activities under the responsibility of the controller or processor. The EDPB considers that, while the maintenance of this record is an obligation imposed on both the controller or processor and the representative, the controller or processor not established in the Union is responsible for the primary content and update of the record and must simultaneously provide its representative with all accurate and updated information so that the record can also be kept and made available by the representative at all times. At the same time, it is the representative’s own responsibility to be able to provide it in line with Article 27, e.g. when being addressed by a supervisory authority according to Art. 27(4). | Under Article 30 of the GDPR, the representative of the controller or processor shall in particular maintain a record of the processing activities of the controller or processor it represents. The EDPB considers that, although both the controller or processor and its representative in the Union are obliged to maintain the record of processing activities, the controller or processor established outside the Union is responsible for the primary content of the record and for updating it, and must promptly provide its representative in the Union with all accurate and updated information so that the representative can fulfil its record-keeping obligation. At the same time, in the particular situations provided for in Article 27(4) of the GDPR, for example where a supervisory authority refers matters concerning the processing to the representative, the representative in the Union is itself responsible for fulfilling the above obligation in accordance with Article 27 of the GDPR. |
As clarified by Recital 80, the representative should also perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. In practice, this means that a supervisory authority would contact the representative in connection with any matter relating to the compliance obligations of a controller or processor established outside the Union, and the representative shall be able to facilitate any informational or procedural exchange between a requesting supervisory authority and a controller or processor established outside the Union. | Under Recital 80, the representative should perform its tasks in accordance with the written mandate from the controller or processor, including cooperating with the competent supervisory authorities in their requests to ensure compliance with the obligations under the GDPR. In practice, a supervisory authority may contact the representative on any matter relating to the data protection compliance of a controller or processor established outside the Union, and the representative should facilitate any exchange of information or procedural exchange between the supervisory authority and the controller or processor outside the Union. |
With the help of a team if necessary, the representative in the Union must therefore be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities concerned. This means that this communication should in principle take place in the language or languages used by the supervisory authorities and the data subjects concerned or, should this result in a disproportionate effort, that other means and techniques shall be used by the representative in order to ensure the effectiveness of communication. The availability of a representative is therefore essential in order to ensure that data subjects and supervisory authorities will be able to establish contact easily with the non-EU controller or processor. In line with Recital 80 and Article 27(5), the designation of a representative in the Union does not affect the responsibility and liability of the controller or of the processor under the GDPR and shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves. The GDPR does not establish a substitutive liability of the representative in place of the controller or processor it represents in the Union. | With the help of a team if necessary, the representative in the Union must communicate effectively with data subjects and cooperate with the supervisory authorities. Such communication should in principle take place in the language or languages used by the supervisory authorities and the data subjects concerned; where this would impose an unreasonable burden, the representative should use other means and techniques to ensure effective communication. The accessibility of the representative is therefore essential to ensure that data subjects and supervisory authorities can easily communicate with the non-EU controller or processor. Under Recital 80 and Article 27(5) of the GDPR, designating a representative in the Union does not affect the responsibility and liability of the controller or processor under the GDPR, and does not prevent legal action from being brought against the controller or processor itself. The GDPR makes no provision for the representative in the Union to bear substitutive liability in place of the controller or processor. |
It should however be noted that the concept of the representative was introduced precisely with the aim of facilitating the liaison with and ensuring effective enforcement of the GDPR against controllers or processors that fall under Article 3(2) of the GDPR. To this end, it was the intention to enable supervisory authorities to initiate enforcement proceedings through the representative designated by the controllers or processors not established in the Union. This includes the possibility for supervisory authorities to address corrective measures or administrative fines and penalties imposed on the controller or processor not established in the Union to the representative, in accordance with Articles 58(2) and 83 of the GDPR. The possibility to hold a representative directly liable is however limited to its direct obligations referred to in Article 30 and Article 58(1)(a) of the GDPR. | It should be noted that the purpose of introducing the concept of the representative into the GDPR is to facilitate liaison with controllers or processors that are subject to the GDPR by virtue of Article 3(2) and to ensure effective enforcement of the GDPR. Enforcement authorities are thus enabled to initiate enforcement action through the representative in the Union designated by the controller or processor outside the Union, including ordering the controller or processor outside the Union to take corrective measures or imposing administrative fines and penalties under Articles 58(2) and 83 of the GDPR. The direct liability of the representative is limited to the provisions of Article 30 and Article 58(1) of the GDPR. |
The EDPB furthermore highlights that Article 50 of the GDPR notably aims at facilitating the enforcement of legislation in relation to third countries and international organisations, and that the development of further international cooperation mechanisms in this regard is currently being considered. | The EDPB further stresses that the legislative purpose of Article 50 of the GDPR is to reduce the difficulties of enforcement in relation to third countries and international organisations, and that the EDPB is considering strengthening international cooperation in this area. |
[1] WP29, WP169 - Opinion 1/2010 on the concepts of “controller” and “processor”, adopted on 16 February 2010 and under revision by the EDPB.
[2] See in particular Google Spain SL, Google Inc. v AEPD, Mario Costeja González (C-131/12), Weltimmo v NAIH (C-230/14), Verein für Konsumenteninformation v Amazon EU (C-191/15) and Wirtschaftsakademie Schleswig-Holstein (C-210/16).
[3] Weltimmo, paragraph 31.
[4] CJEU, Verein für Konsumenteninformation v. Amazon EU Sarl, Case C-191/15, 28 July 2016, paragraph 76 (hereafter “Verein für Konsumenteninformation”).
[5] See in particular para 29 of the Weltimmo judgment, which emphasizes a flexible definition of the concept of ‘establishment’ and clarifies that ‘the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned.’
[6] Weltimmo, paragraph 25, and Google Spain, paragraph 53.
[7] WP29, WP179 update - Update of Opinion 8/2010 on applicable law in light of the CJEU judgment in Google Spain, 16 December 2015.
[8] CJEU, Google Spain, Case C-131/12.
[9] WP29, WP179 update - Update of Opinion 8/2010 on applicable law in light of the CJEU judgment in Google Spain, 16 December 2015.
[10] This may potentially be the case, for example, for any foreign operator with a sales office or some other presence in the EU, even if that office has no role in the actual data processing, in particular where the processing takes place in the context of the sales activity in the EU and the activities of the establishment are aimed at the inhabitants of the Member States in which the establishment is located (WP179 update).
[11] In accordance with Article 28, the EDPB recalls that processing activities by a processor on behalf of a controller shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller, and that controllers shall only use processors providing sufficient guarantees to implement appropriate measures in such manner that processing will meet the requirements of the GDPR and ensure the protection of data subjects’ rights.
[12] Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services.
[13] See, in particular, CJEU, C-352/85, Bond van Adverteerders and Others v. The Netherlands State, 26 April 1988, par. 16, and CJEU, C-109/92, Wirth [1993] Racc. I-6447, par. 15.