On 16 November 2018, the European Data Protection Board (“EDPB”) – the EU body that replaced the previous so-called WP29, in charge of the consistent application of the Regulation 2016/679/EU (“GDPR” or “Regulation”) and consisting of the person in charge of each data protection authority and the European Data Protection Authority – adopted a new guideline project (no. 3/2018) (the “Project”), regarding the territorial application of the GDPR.

It is a substantial and very detailed document, full of examples, currently available only in English.

Legislative references

The EDPB first of all provides important clarifications with regard to the provisions referred to in Articles 3, 27 and 28 and Recital 80 of the GDPR.

According to Article 3 of the Regulation, the processing of personal data – carried out over the course of the activities of an establishment – by a Data Controller or a Data Protection Officer in the European Union falls within the scope of the Regulation, whether or not that processing is carried out within the European Union.

The Regulation also applies to the processing of personal data of interested parties located in the EU, carried out by a Data Controller or a Data Protection Officer not located in the European territory, if the processing activities concern (i) the provision of goods or services to those interested parties, regardless of whether payment by the interested party is required, or (ii) the monitoring of their conduct, to the extent that such conduct takes place within the EU.

Finally, pursuant to Article 3, the GDPR applies whenever the processing of personal data is carried out by a Data Controller not established in the EU but in a place governed by the law of a Member State by virtue of public international law.

Articles 27 and 28 as well as Recital 80 of the Regulation define the relationship between the Data Controller, the Data Protection Officer and, specifically, the representative of these two parties, in cases where they are not “established” in the EU.

Applicable criteria and related examples

The three main criteria detailed in the document under analysis are those set out in the three paragraphs of the aforementioned Article 3 of the GDPR: (i) the criterion of establishment, (ii) the criterion of focusing and identifying the objectives (“targeting criterion”) and (iii) the criterion of public international law. For each of these criteria, a few clarifying examples proposed by the EDPB are reported here.

  1. Establishment

An automotive manufacturing company based in the USA would fall within the application of the GDPR if it had a branch in an EU state to supervise certain operations (such as marketing) for the whole of Europe. This would be the case if – taking into account the nature of the business activity carried out by the US “parent company” – such transactions could be considered as real and effective activities, qualifying the branch as an actual establishment.

Similarly, the processing activity carried out (exclusively in China) by a Chinese company, which sells goods or services worldwide through an e-commerce site, would fall within the scope of application if it had an office in the EU in charge of implementing “commercial exploration campaigns” and marketing towards the European markets. In this case, beyond the actual place of the data processing, the company’s European headquarters would carry out activities inextricably linked to the processing of data carried out in China.

The GDPR would not be applicable to a hotel chain offering packages in several European languages via a website, if it operates without any permanent representation in the EU and if the offer is not expressly addressed to EU citizens.

On the other hand, the Regulation would apply to the processing of the data of a European car rental company which, while offering rental services only to clients present in non-EU countries, processes the data at its (single) European headquarters.

Finally, the example of a (European) Data Protection Officer which signed an agreement, in accordance with Art. 28 of the GDPR, with a Data Controller established in a non-EU country, in order to process, on behalf of the latter, the data of all its clients residing outside the EU, is of particular interest. In this case, the GDPR would not apply to the Data Controller, but instead the processing carried out by the Data Protection Officer established in the EU would fall within the scope of application.

  2. Identification of objectives/targeting

With reference to this second criterion, the following examples seem to be particularly clarifying.

If a US citizen travels on holiday to Europe and, while there, downloads and uses an app offered by a US company, the GDPR would not apply, since only the US market is affected (the US market being the actual target at a commercial level).

It should be noted that the processing of data of EU citizens in a third country does not trigger the application of the GDPR if such processing is not related to a specific offer addressed to individuals residing in the EU, or to the monitoring of their conduct in the European context.

Similarly, the Regulation would not be applicable:

– in the case of a Taiwanese bank with clients residing in Taiwan, even though they all possess the citizenship of an EU country, from the point of view of a service offered to a non-European market; and

– to the processing of data of European citizens by, for example, the Canadian immigration authority, if the processing is limited to the purposes of issuing visas.

Finally, let’s consider a website, based and managed in Turkey, which offers services for the creation, publishing, printing and shipping of personalized family photo albums. The website is available in English, French, Dutch and German; payments can be made in Euros or British Pounds, and photo albums can only be delivered by mail in the UK, France, the Benelux countries and Germany. In this case, it is clear that the processing carried out by the Turkish website, as the Data Controller, concerns the provision of a service to “interested parties” established in the EU, and it is therefore subject to the obligations and provisions of the GDPR. The Turkish Data Controller is obliged to appoint a “European representative” in accordance with Article 27 of the Regulation.

  3. Public international law

Finally, it is worth mentioning two particularly illustrative situations devised by the EDPB, concerning cases in which the GDPR applies to processing that takes place in a country that is geographically non-European but to which EU law applies under international law.

This is the case of the Dutch Consulate in Jamaica, which opens an e-recruitment selection process for local staff. In this case, in accordance with international law, the GDPR will apply.

The Regulation will also apply to a German vessel on which the personal data of the guests on board are processed in order to offer an entertainment service that is profiled and well adapted to the individual needs of the users.

Conclusions

This measure could have a significant impact on the activities of companies and institutions that increasingly operate on a global and transnational level and use technological tools such as websites and e-commerce, or applications and software for smartphones.

Precisely for this reason, it is subject to public consultation before its final approval. Comments may be submitted directly to the dedicated e-mail address (EDPB@edpb.europa.eu) by 18 January 2019. All that remains now is to wait for the outcome of the consultation.

A worker was dismissed also on the basis of previous disciplinary offences. Nevertheless, the previous examples were not included in the employer’s disciplinary notice with a view to substantiating the existence of repeated misconduct, but were merely referred to in the notice of dismissal to provide support regarding the harm caused to their relationship of trust.

In explaining her challenge, the employee had, therefore, raised an objection that since the previous disciplinary actions, referred to in her dismissal, represented a constituent element thereof, they should have been included in the subject of the conduct she was accused of, whereas, in this way, they could not be taken into consideration in assessing the proportionality of the sanction she incurred on dismissal.

Both judgements on the merits confirmed the validity of the dismissal, thus also rejecting the exception raised by the employee regarding the failure to notify her repeated misconduct.

When called upon to pass judgement on the matter, the Court of Cassation, with Order no. 30564 dated 26 November 2018, confirmed the legitimacy of the opinion expressed by the trial courts on the matter and excluded the idea that the previous disciplinary actions could be a constituent part of the misconduct she was accused of, but could conversely be taken into consideration in the overall assessment of the harm to the relationship of trust with a view to the cause for dismissal.

Thus, the Court of Cassation expressed its opinion in line with its previous well-established case law, which considers it unnecessary to refer to previous cases of disciplinary misconduct when such previous cases merely represent another negative form of conduct that is significant in terms of determining the appropriate sanction to be imposed (Court of Cassation, Employment Division, 1909/2018; 9173/1997).

Using a peculiar argument, the Court of Cassation, with judgment no. 31763 of 7 December 2018, ruled on whether the inconvenience caused by continuous and repeated sick leave can be considered grounds for dismissal for a justified objective reason.

The case at hand revolves around the dismissal served on an employee who had been on sick leave for short although repeated periods of time (157 days) – without however exceeding the protected period set out in the applicable National Collective Bargaining Agreement – given that such circumstance had negatively affected the company. The judgment of the court of first degree – which had sustained the worker’s claim – was initially reversed by the Court of Appeal, which noted that the inconvenience caused, also in consideration of the fact that the employer was a public urban transportation provider, could very well legitimize dismissal, also making reference to a recent and peculiar approach of the Court of Cassation in this regard (Court of Cassation, judgement no. 18678/2014).

Called to express its opinion on the matter, the Court of Cassation decided, nonetheless, to adopt a different approach, quashing the judgment of the Court of Appeal and noting that the non-performance of work by an employee on sick leave (during a fixed period of time) is provided for and protected by the civil code, with a view to balancing the conflicting interests of the employer (in retaining only active workers) and the worker (in using an adequate period of time to heal without losing the job).
This peculiar type of guarantee lapses only when the statutory protected period, according to the law and the collective agreement, is exceeded, and therefore the retention of the job is no longer an obligation for the employer.

Legislative Decree 231/2001 introduced for the first time into the Italian legal system the possibility for a corporation to be fined (monetarily and with disqualification penalties) when specific offences (predicate offences) are committed – to its own advantage or in its interest – by top managers or their subordinates. However, the Decree includes an exonerating exemption: the corporation is not liable if it can prove that, before the offence was committed, it had adopted and effectively implemented an organisational, management and control model (the “Model”) suitable to prevent offences of the same type as the one that took place. In any case, the Model is a tool that is by its nature destined to change: in order to have exonerating power, it must be updated any time there are changes within the organisational structure of the Company (such as, for example, the opening of a new office or an extension of the corporate purpose) or if lawmakers introduce new types of offences. By express legislative provision, the effective implementation of the Model, and consequently its subsequent amendments, are the responsibility of the Managing Body. The constant updating of the Model, instead, must be entrusted to the Supervisory Body. On this matter, Confindustria’s 2014 guidelines expressly specified that the Supervisory Body must be assigned the task of ensuring that the Model is updated every time its reviews so require.

A serious threat made by an employee against his immediate superior constitutes a breach of the duties of cooperation, loyalty and subordination and sufficient grounds for dismissal for just cause. This is the principle of law confirmed on 3 December in the Court of Cassation judgement No. 31155/2018.

The case analysed arose from the disciplinary dismissal of an employee who – not during an animated conversation but in the context of difficult working relationships, as ascertained on several occasions by the judicial authorities – made a death threat against his superior.

The judgement issued by the Rome Trial Court in 2016 was overturned by the Rome Court of Appeal, which set aside the dismissal decision and ordered the company to reinstate the employee, having concluded that there were no grounds for dismissal given that the words used by the employee did not satisfy the minimum conditions of seriousness likely to result in the breakdown of the relationship of trust.

The employer appealed against that decision to the Court of Cassation, claiming an infringement and misapplication of the law on the ground that the Court had erred in finding a lack of grounds for dismissal. The basis of this claim was, in particular, that the investigation had found that the incident had actually occurred and, moreover, in a context that was not inflammatory and without the employee being provoked by his immediate superior.

In upholding the employer’s claims, the Court of Appeal highlighted that the Trial Court had erred in its assessment of the employee’s conduct, noting, in particular, the employee’s previous involvement in conflicts with his superiors, as ascertained by the criminal prosecution authorities.