![[2025] UKUT 319 (AAC)](https://backend.juristeca.com/files/emisores/logo_3a2BKne.png){kind=logo}
The EDPB Guidelines
The EDPB Guidelines
The EDPB Guidelines provide the following guidance that is relevant to territorial scope and the correct interpretation of Article 3(2)(b):
“As a general principle, the EDPB asserts that where the processing of personal data falls within the territorial scope of the GDPR, all provisions of the Regulation apply to such processing. These guidelines will specify the various scenarios that may arise, depending on the type of processing activities, the entity carrying out these processing activities or the location of such entities, and will detail the provisions applicable to each situation. It is therefore essential that controllers and processors, especially those offering goods and services at international level, undertake a careful and in concreto assessment of their processing activities, in order to determine whether the related processing of personal data falls under the scope of the GDPR.
The EDPB underlines that the application of Article 3 aims at determining whether a particular processing activity, rather than a person (legal or natural), falls within the scope of the GDPR. [page 5 of Guidelines]
…
The application of the “targeting criterion” towards data subjects who are in the Union, as per Article 3(2), can be triggered by processing activities carried out by a controller or processor not established in the Union which relate to two distinct and alternative types of activities provide that these processing activities relate to data subjects that are in the Union. In addition to being applicable only to processing by a controller or processor not established in the Union, the targeting criterion largely focuses on what the “processing activities” are “related to”, which is to be considered on a case-by-case basis.
The EDPB stresses that a controller or processor may be subject to the GDPR in relation to some of its activities but not subject to the GDPR in relation to other processing activities. The determining element to the territorial application of the GDPR as per Article 3(2) lies in the consideration of the processing activities in question.
In assessing the conditions for the application of the targeting condition, the EDPB therefore recommends a twofold approach, in order to determine first that the processing relates to personal data of data subjects who are in the Union, and second whether processing relates to the offering of goods or services or to the monitoring of data subjects’ behaviour in the Union.
- Heading
- The decision of the Upper Tribunal is to allow the appeal The decision of the First-tier Tribunal made on 17 October 2023 was materially in error of law. It is SET ASIDE under section 12(2)(a) of the Tribunals, Courts and Enforcement Act 2007 (“TCEA
- REASONS FOR DECISION
- Introduction
- The decision under appeal
- A summary of the relevant factual background
- The FTT’s decision
- The FTT’s findings of fact
- The FTT’s conclusions
- The issues in this appeal
- Appeal ground 1
- Appeal ground 2
- Appeal ground 4
- Additional Reason 1
- The scope of the appeal - admitting the additional reasons arguments for consideration
- Permitting Privacy International to intervene in the appeal
- Permitting Clearview to rely on a written reply to Privacy International’s skeleton argument
- Reliance on the evidence filed by Privacy International
- Reliance on legal arguments not raised before the FTT
- Legal framework
- Relevant legislative provisions
- The GDPR
- The UK GDPR
- “Article 2 This Regulation applies to the automated or structured processing of personal data, including
- 1A. This Regulation also applies to the manual unstructured processing of personal data held by an FOI public authority This Regulation does not apply to
- “Article 3
- The 95 Directive
- The Law Enforcement Directive
- State immunity and foreign act of state
- Material scope: the caselaw
- Territorial scope: the caselaw
- The Travaux in respect of the GDPR
- The EDPB Guidelines
- Data subjects in the Union
- The burden of proof in appeals against ICO Notices
- Analysis
- The parties’ positions on material scope in brief
- What the FTT decided in relation to Article 2(2)(a)
- General approach to construction of the GDPRs
- Domestic authorities on comity, extra-territoriality and utility
- EU authorities on extra-territorial effect and comity
- Certainty and foreseeability
- Proportionality
- EU law authorities on the construction of Article 2(2)(a) of the GDPR
- Relevant comity principles
- Our construction of Article 2(2)(a)
- Analysis of Clearview’s proposed intersectional construction
- Alternative analysis based on the ICO’s construction
- Would regulation of Clearview’s data processing breach comity principles?
- Article 3(2)(b) GDPR: territorial scope
- What was the policy objective behind Article 3(2)(b)?
- The meaning of “related to” in Article 3(2)(b)
- The meaning of “behavioural monitoring” in Article 3(2)(b)
- Ground 1
- Ground 2
- Ground 3
- Ground 4
- Clearview’s Additional Reasons
- Additional Reason 1
- Additional Reason 2
- Additional Reason 3
- Additional Reason 4
- Conclusions