Guidelines 03/2018 on Territorial Scope of Article 3 GDPR

SECTION 3  PROCESSING IN A PLACE WHERE MEMBER STATE LAW APPLIES BY VIRTUE OF PUBLIC INTERNATIONAL LAW

Article 3(3) provides that “[t]his Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law”. This provision is expanded upon in Recital 25 which states that “[w]here Member State law applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State’s diplomatic mission or consular post.”

The EDPB therefore considers that the GDPR applies to personal data processing carried out by EU Member States’ embassies and consulates located outside the EU as such processing falls within the scope of the GDPR by virtue of Article 3(3). A Member State’s diplomatic or consular post, as a data controller or processor, would then be subject to all relevant provisions of the GDPR, including when it comes to the rights of the data subject, the general obligations related to controller and processor and the transfers of personal data to third countries or international organisations.

• Example 22: The Dutch consulate in Kingston, Jamaica, opens an online application process for the recruitment of local staff in order to support its administration.

• While the Dutch consulate in Kingston, Jamaica, is not established in the Union, the fact that it is a consular post of an EU country where Member State law applies by virtue of public international law renders the GDPR applicable to its processing of personal data, as per Article 3(3).

• Example 23: A German cruise ship travelling in international waters is processing data of the guests on board for the purpose of tailoring the in-cruise entertainment offer. While the ship is located outside the Union, in international waters, the fact that it is German-registered cruise ship means that by virtue of public international law the GDPR shall be applicable to its processing of personal data, as per Article 3(3).

Though not related to the application of Article 3(3), a different situation is the one where, by virtue of international law, certain entities, bodies or organisations established in the Union benefit from privileges and immunities such as those laid down in the Vienna Convention on Diplomatic Relations of 1961, the Vienna Convention on Consular Relations of 1963 or headquarter agreements concluded between international organisations and their host countries in the Union. In this regard, the EDPB recalls that the application of the GDPR is without prejudice to the provisions of international law, such as the ones governing the privileges and immunities of non-EU diplomatic missions and consular posts, as well as international organisations. At the same time, it is important to recall that any controller or processor that falls within the scope of the GDPR for a given processing activity and that exchanges personal data with such entities, bodies and organisations have to comply with the GDPR, including where applicable its rules on transfers to third countries or international organisations.