The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

1. What is an “establishment”?

Any ‘stable arrangement’ carrying out ‘real and effective activities’ (even if the activities are minimal) within a territory can count as an establishment. This isn’t easy to define, but the following points can help you identify an establishment. The important point here is that this is about what is actually happening in practice, not about the legal structure on paper.

An establishment doesn’t need to take any particular legal form. This means you don’t need to look at the legal structure of a company in any detail. In particular, an establishment doesn’t have to be a registered office and it doesn’t have to be part of the same legal entity.

So a branch, office or organisation can count as an establishment. So can a single employee or any other agent (ie someone acting on behalf of the controller) stationed in a particular country, if this is a ‘stable arrangement’. An employee temporarily travelling on business would not count as an establishment, because this is not a ‘stable arrangement’.

Further information can be found in the EDPB’s guidelines on territorial scope.

2. If an EU-based organisation sends data to a non-EEA organisation, but this non-EEA organisation is subject to the EU GDPR because they offer goods and services to people based in the EEA, does this mean that safeguards aren’t required?

We’re currently awaiting EDPB guidelines to confirm the approach that EU regulators will take. In the meantime, we’d advise you to take a broad interpretation of what counts as a restricted transfer for the purposes of the EU GDPR. It would be sensible to ensure that you have appropriate safeguards in place.

However, the EU has agreed that there will be no EU restrictions on data flows into the UK for at least four months after 1 January 2021, while adequacy negotiations continue. During this bridge, a transfer to an organisation in the UK is therefore not a restricted transfer.

3. Does the EU GDPR apply to the personal data of non-EU citizens, for example when sending the personal data of UK citizens to the UK?

Yes. The EU GDPR applies to the processing of personal data in the context of EU-based organisations. Therefore, regardless of whether it is data of UK or other citizens, those organisations would need to comply with the EU GDPR.

For further guidance, you may wish to view the EDPB’s guidelines on territorial scope.

4. What is the position regarding EU citizens in the UK - how are their rights under the EU and UK GDPR affected?

An EU citizen in the UK is protected by the UK GDPR in exactly the same way as a UK citizen. The UK GDPR protects all personal data processed in the UK or with a link to UK operations. It also protects the personal data of anyone located in the UK, if an organisation is targeting them by offering goods or services or monitoring their behaviour – regardless of their nationality.

In the same way, the EU GDPR protects any personal data processed in the EEA, or with a link to EEA operations, even if the people concerned are outside the EEA. It also protects the personal data of anyone in the EEA, regardless of nationality, if an organisation is offering them goods or services or monitoring their behaviour.