Adopted
which is not “inextricably linked” to the activities of the controller. As stated above, in the case of a
data processor established in the Union and carrying out processing on behalf of a data controller
established outside the Union and not subject to the GDPR as per Article 3(2), the EDPB considers that
the processing activities of the data controller would not be deemed as falling under the territorial
scope of the GDPR merely because it is processed on its behalf by a processor established in the Union.
However, even though the data controller is not established in the Union and is not subject to the
provisions of the GDPR as per Article 3(2), the data processor, as it is established in the Union, will be
subject to the relevant provisions of the GDPR as per Article 3(1).
Example 7: A processor established in Spain has entered into a contract with a Mexican retail company,
the data controller, for the processing of its clients’ personal data. The Mexican company offers and
directs its services exclusively to the Mexican market and its processing concerns exclusively data
subjects located outside the Union.
In this case, the Mexican retail company does not target persons on the territory of the Union through
the offering of goods or services, nor does it monitor the behaviour of persons on the territory of the
Union. The processing by the data controller, established outside the Union, is therefore not subject
to the GDPR as per Article 3(2).
While the provisions of the GDPR do not apply to the data controller, the data processor, as a
processor established in Spain, will be required to comply with the processor obligations imposed by
the regulation for any processing carried out in the context of its activities.
When it comes to a data processor carrying out processing on behalf of a data controller established
outside the Union and which does not fall under the territorial scope of the GDPR as per Article 3(2),
the processor will be subject to the following relevant GDPR provisions directly applicable to data
processors:
- The obligations imposed on processors under Article 28 (2), (3), (4), (5) and (6), on the duty to
enter into a data processing agreement, with the exception of those relating to the assistance to
the data controller in complying with its (the controller’s) own obligations under the GDPR.
- The processor and any person acting under the authority of the controller or of the processor, who
has access to personal data, shall not process those data except on instructions from the controller,
unless required to do so by Union or Member State law, as per Article 29 and Article 32(4).
- Where applicable, the processor shall maintain a record of all categories of processing carried out
on behalf of a controller, as per Article 30(2).
- Where applicable, the processor shall, upon request, cooperate with the supervisory authority in
the performance of its tasks, as per Article 31.
- The processor shall implement technical and organisational measures to ensure a level of security
appropriate to the risk, as per Article 32.
- The processor shall notify the controller without undue delay after becoming aware of a personal
data breach, as per Article 33.
- Where applicable, the processor shall designate a data protection officer as per Articles 37 and 38.
- The provisions on transfers of personal data to third countries or international organisations, as
per Chapter V.
In addition, since such processing would be carried out in the context of the activities of an
establishment of a processor in the Union, the EDPB recalls that the processor will have to ensure its
processing remains lawful with regard to other obligations under EU or national law. Article 28(3) also