Correct!
Answer:
(3)
Article 4(1)(c) of the Data Protection Directive states
that EEA Member States shall apply their national laws,
as transposed from the Data Protection Directive, to data
controllers not established in an EEA Member State if that
data controller “for purposes of processing personal
data makes use of equipment, automated or otherwise, situated
on the territory of the said Member State, unless such equipment
is used only for purposes of transit through the territory
of the Community”.
This means that if a corporation (1) determines the purpose
and means of processing (e.g. acts as a data controller),
(2) is not established in an EEA Member State, (3) uses
equipment located in an EEA Member State and (4) that processing
is not merely for the purpose of transit (e.g. to receive
and automatically transmit data, a conduit), then that corporation
is subject to European Data Protection law and the law of
the EEA Member State in which the equipment is located.
On a strict interpretation, the term “equipment”
in Article 4(1)(c) can include the terminal end equipment
of a user (e.g. computer, smart phone, tablet PC) if a corporation
were to place information (e.g. through the use of a cookie)
on a user’s terminal end equipment as part of its
processing. However, in practice, a nominal interaction
with the terminal end equipment will not give cause for
a Data Protection Authority to investigate a corporation’s
data protection activities.
Please note, this answer is based generally on the Data
Protection Directive. Each Member State has implemented
its own national law based on the Directive, which may
diverge from the answer given. This answer has not considered
issues of public international law.
Frequently,
multi-national corporations that are not “established” in
the EEA (the 27 EU Member States plus Norway, Liechtenstein
and Iceland) process the personal data of EU residents. Generally,
in which circumstances are these foreign corporations required
to comply with European Data Protection Law under Directive
95/46/EC (the “Data Protection Directive”)?
1.
The corporation contracts with data controllers, based in
the EEA.
2.
The corporation contracts with data processors, based in
the EEA.
3.
The corporation acts as a data controller, and uses servers
or other equipment to process personal data located in an EEA
Member State.
4.
The corporation acts as a data controller and makes its
goods/services available to EEA residents.