New Draft Guidelines Attempt to Clarify Territorial Scope of the GDPR

Since the adoption of the General Data Protection Regulation (GDPR) by the European Union (EU) in May 2018, businesses established outside of the EU have grappled with the question of whether the GDPR’s strict rules apply to them. Many commentators have noted that the GDPR provisions and recitals do not have an easy answer. The European Data Protection Board (EDPB) recently attempted to provide some clarification by publishing draft guidelines that include a commentary on the territorial scope of the GDPR. The EDPB’s guidelines also address the related issue of whether a non-EU company subject to the GDPR must have an EU-based representative.

GDPR’s Targeting Criteria

Arguably the most significant change to the regulatory landscape affecting an individual’s data privacy is the territorial scope of the GDPR’s Article 3(2). Generally described as the GDPR’s “targeting criteria,” it means your business must be GDPR-compliant if it processes the data of an individual in the EU (a data subject) in connection with (1) offering goods or services to data subjects, or (2) monitoring data subjects’ behavior. Although the EDPB’s guidelines state that the targeting criteria are applied on a case-by-case basis, the guidelines provide several examples of how the targeting criteria can be applied that clarify some basic points, such as:

  1. The data subject’s nationality or citizenship is irrelevant. The GDPR protects data subjects geographically located within the EU, without regard to the data subject’s nationality or citizenship. Conversely, data subjects outside of the EU, including EU citizens, are not protected by the GDPR.
  2. Geographic location and timing are critical. For purposes of applying the GDPR, the data subject’s geographic location is assessed at the moment when your activity occurs; e.g., when your goods or services are offered, or your monitoring of the data subject’s behavior begins.
  3. Charging for services is irrelevant. The GDPR protects data subjects regardless of whether your services are free.
  4. Cookies are considered monitoring. The GDPR protects data subjects whom your business profiles or analyzes by using cookies or similar technologies.

GDPR Compliance and an EU-based Representative

A significant point clarified by the EDPB’s guidelines is that a non-EU company subject to the GDPR must appoint an EU-based representative, even though it does not have a physical location within the EU. A company’s Data Protection Officer, who under the GDPR can be an existing employee of the company, cannot fulfill the requirements for an EU-based representative. The purpose of the requirement is to ensure that a qualified individual or entity is located within the EU to whom regulatory authorities can address compliance issues. The guidelines also make clear that the EU-based representative can even be held liable for any non-compliance, including being fined or otherwise sanctioned.

Consultation Period

The territorial scope and the appointment of an EU-based representative pose two of the most critical issues that a non-EU-based company faces regarding GDPR compliance. The EDPB’s draft guidelines address several other GDPR issues in addition to these, and a full version of the guidelines can be found here. The EDPB is taking public comments on the draft guidelines until January 18, 2019. Comments should be sent to the EDPB at


Data privacy is our top priority at Scherzer International (“SI”). SI has undertaken diligent efforts to ensure our compliance with the GDPR, which became effective May 25, 2018. Here are some of the things that we’ve done:

  • We added a clause about GDPR* compliance setting forth our respective obligations under this regulation to our Terms and Conditions Agreement (the “Agreement”), which now – unless superseded by another agreement – governs SI’s provision of background screening reports (“Reports”). The Agreement can be accessed here and is applicable to all Reports ordered from SI on or after May 25, 2018 (“Effective Date”).
  • We revised our Privacy Policy by adding information about our compliance with the GDPR requirements regarding the processing of personal data of individuals located in the European Economic Area (EEA) covered by the GDPR and made some wording changes for clarity. Please note that, as before, our website does not use cookies or otherwise track any personal data.
  • We posted a “GDPR Notice” on our website, which informs EEA individuals of their rights in connection with their personal data.

There is no need for you to take any action. By continuing to interact with SI and using our services after the Effective Date, you agree to these terms.

Of course, you can opt out at any time, by contacting Joann Gold, Executive Vice President/Chief Compliance Officer, at


*“GDPR” means Regulation 2016/679 of the European Parliament and of the Council of the European Union, and the European Commission of April 27, 2016, on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, known as the General Data Protection Regulation.

The Swiss-U.S. Privacy Shield Framework is approved

The Swiss-U.S. Privacy Shield Framework (the “Framework”) made its debut on January 12, 2017 without much fanfare when Swiss federal councillor Johann Schneider-Ammann announced the Framework’s approval as a valid legal mechanism to comply with Swiss requirements for transferring personal data from Switzerland to the United States. The Framework, designed by the U.S. Department of Commerce (the “DOC”) and the Swiss government to align with the EU-U.S. Privacy Shield, will immediately replace the U.S.-Swiss Safe Harbor. The DOC will begin accepting self-certifications starting April 12, 2017 to give organizations ample time to review the new Framework’s principles and compliance requirements. For more of Scherzer International’s coverage of the EU-U.S. Privacy Shield, click here.

Three companies to be fined for relying on invalidated Safe Harbor to transfer data from the EU

Fortune reported that Hamburg, Germany’s data protection commissioner, Johannes Caspar, is taking five unspecified global companies to task for continuing to transfer EU data to the US after the Safe Harbor ruling made it illegal. The Hamburg data protection authority is preparing to fine three companies for relying on the Safe Harbor privacy framework as the legal basis for their trans-Atlantic data transfers, the report states. “Two other firms are also under investigation,” according to the report. Caspar refused to disclose the names of the companies for legal reasons, but said they are “large international companies” and “subsidiaries of US-based global corporates.”

U.K. Bribery Act now slated to take effect July 1, 2011

After receiving widespread criticism for the lack of guidance and compliance clarification, the U.K. Bribery Act of 2010 (Bribery Act), originally scheduled for implementation in April 2011, is now set to take effect July 1, 2011. The act’s jurisdiction extends to commercial organizations incorporated or formed in the U.K. or “which carr[y] on a business or a part of a business in the U.K. irrespective of the place of incorporation or formation.” Determination of such existence will be made by the U.K. courts and will require “a demonstrable business presence.” The official guide states that an organization will not be deemed to be carrying on a business in the U.K. merely by virtue of having its securities listed on the London Stock Exchange or by having a U.K. subsidiary.

Unlike the anti-bribery provisions of the U.S. Foreign Corrupt Practices Act (FCPA), which focus primarily on corruption involving non-U.S. government officials, the Bribery Act widens its scope to prohibit domestic and international bribery across both private and public sectors. And while the FCPA allows exceptions for facilitation payments (generally small payments to lower-level officials for “routine government actions”), the Bribery Act does not. These payments were illegal under the previous legislation and the common law, but the difference under the Bribery Act is that non-U.K. organizations are broadly subjected to these restrictions for the first time.

The Bribery Act specifically criminalizes the offering, promising or giving of a bribe (active bribery) and the requesting, agreeing to receive or accepting of a bribe (passive bribery) to obtain or retain business or secure a financial or other advantage. It also contains a provision whereby an organization that fails to prevent bribery by anyone associated with the organization can be charged under the Bribery Act unless it can establish the defense of having implemented preventive “adequate procedures.” The official guide recommends the following six principles as the foundation for developing “adequate procedures” to prevent bribery:

  • Proportionality – Actions should be proportionate to the risk, nature, size and complexity of the organization.
  • Top-level Commitment – The board of directors, owners, officers or equivalent top-level management should establish and promote a culture where bribery is never acceptable and be committed to preventing bribery, both within the organization and with anyone associated with the organization externally.
  • Risk Assessment – Various risk exposures, both internal and external, such as country of operation, business sector, types of transaction, new markets, and business partnerships should be evaluated and documented on an ongoing basis.
  • Due Diligence – Proportionate, risk-based approach to due diligence procedures assessing existing and proposed relationships should be taken to ensure trustworthy associations and mitigate identified bribery risks.
  • Communication – Appropriate channels of communication, awareness and training, both internal and external, on anti-bribery policies and procedures should be implemented and evaluated on a regular basis.
  • Monitoring and Review – Anti-bribery policies and procedures should be monitored on an ongoing basis and amended as quickly as possible when activities and risks change.

The penalties for violating the Bribery Act are severe, with individuals facing up to 10 years in prison and organizations facing unlimited fines. Violations also may result in damaging collateral consequences such as director disqualification, ineligibility for public contracts, and asset confiscation.
What is FATF?

FATF, the acronym for the Financial Action Task Force, also known by its French name, Groupe d’action financière (GAFI), is an inter-governmental policy-making organization founded in 1989 on the initiative of the G7. The FATF Secretariat, headquartered in Paris, comprises over 30 countries and has a ministerial mandate to establish international standards for combating money laundering and terrorist financing.

The primary functions of the FATF are to monitor members’ progress in implementing necessary measures, review money laundering and terrorist financing techniques and counter-measures, and promote the adoption and implementation of appropriate measures globally. To date, over 180 jurisdictions have joined the FATF or a FATF-style regional body and committed at the ministerial level to implement FATF standards and evaluations. In performing its activities, the FATF collaborates with other international bodies involved in combating money laundering and terrorism financing, and has established mutual evaluations (see monitoring implementation of the FATF recommendations).

The FATF does not have a tightly defined constitution or an unlimited life span, and thus periodically reviews its mission. The current mandate of the FATF (for 2004-2012) was subject to a mid-term review and was approved and revised at a ministerial meeting in April 2008 (see FATF standards).

Decoding criminal records in the UK

In the UK, a criminal record is technically any conviction of a criminal offence in a court. However, many motor vehicle offences are not deemed crimes for criminal record purposes, since such offences carry fixed penalties and are not considered criminal convictions. Offences that are prosecuted by local authorities are sometimes classified as criminal offences, although they are unlikely to be in the Police National Computer (the “PNC”). Even where an individual has accepted a “police caution” as an alternative to prosecution, this counts as a criminal conviction.

The Criminal Records Bureau standard and enhanced disclosures contain information about convictions, cautions, reprimands, and warnings retained in the PNC and the equivalent systems in Scotland and Northern Ireland. For the purposes of CRB disclosures, a caution, reprimand, or warning that has been entered into the PNC will constitute a criminal record.

Criminal convictions also are labeled as “spent” and “unspent.” A “spent” conviction is removed from public records, meaning that the defendant has served time and passed through a rehabilitation period. Until then, the conviction is “unspent.” Some convictions, such as crimes with a prison sentence of more than 2.5 years, remain “unspent” indefinitely, regardless of the elapsed time. For convicted minors under 18 years of age, the “unspent” period is cut in half.

During the “unspent” time, the conviction must be disclosed when applying for jobs and on other applications. And for certain jobs such as law enforcement, some roles in the financial services sector, prison services, health services, private security, and for work with children, the elderly, and disabled, “spent” convictions also must be disclosed.
