The GDPR may apply to U.S. organizations that are deemed to have an establishment in an EU Member State.  Neither the GDPR nor authoritative interpretations by courts precisely defines what constitutes an “establishment.”  Instead, organizations must conduct a fact-based analysis to determine what, if any, business activity is being conducted in EU Member States.

Article 3(1) of the GDPR

The GDPR “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the [EU], regardless of whether the processing takes place in the [EU] or not.”  Article 3(1), GDPR.

The term “establishment” is not defined in the GDPR, but we can glean some insight into how to apply this term from Recital 22(2)-(3), which state:

²Establishment implies the effective and real exercise of activity through stable arrangements. ³The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.  (emphasis added)

The recitals reflect the fact that the term “establishment” can be used broadly and flexibly, and is not constrained by legal formalities, such as whether a company is formally registered in the EU or maintains a subsidiary or branch office in the EU.  Instead, the GDPR suggests that this is a fact-intensive test to determine the existence of “effective and real exercise of activity through stable arrangements.”

Authoritative Interpretations of the Establishment Test

The language in this recital is drawn from Recital 19 of Directive 95/46/EC (the “Directive”), which used the concept of “establishment” to determine when EU Member State’s national data protection laws would apply.  Accordingly, authoritative interpretations of the term in that context provide additional guidance on how to apply this word in practice. 

EU Subsidiaries and Sales Offices

First, in the landmark 2014 Google Spain SL, Google Inc. v. AEPD, Mario Costeja Gonzalez (C-131/12) case, the CJEU found that an EU-based subsidiary with a sales office would be sufficient to bring a non-EU parent organization’s processing activities within the scope of EU data protection laws because the parent organization’s processing would be inextricably linked to the sales activities of the EU office.  This case demonstrated that EU courts and regulatory agencies are not reluctant to pursue non-EU parent companies with subsidiaries in the EU.

Fact-Bases Analyses and the Minimal Establishment

Second, in the 2015 Weltimmo v. NAIH (C-230/14) case, the Court of Justice of the European Union (“CJEU”) used a flexible fact-based test to determine the existence of an establishment in Hungary.  Specifically, the CJEU found that Weltimmo, a Slovakian company, could be found to have an establishment in Hungary if the supervisory authority could confirm the following tentative facts:

• (1) Weltimmo maintained a website targeting Hungarian prospective customers in the Hungarian language;
• (2) Weltimmo retained a representative in Hungary to represent them in court and collect debt from customers;
• (3) Weltimmo maintained a post office box in Hungary; and
• (4) Weltimmo maintained a Hungarian bank account.

The CJEU held that these facts, if confirmed, would demonstrate an establishment, i.e., that a “controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity — even a minimal one — in the context of which [data] processing is carried out.” Weltimmo, Ruling 1.  Notably, here the Slovakian company had no subsidiary, sales office, or brick-and-mortar location in Hungary.  The Weltimmo ruling showed that EU courts are willing to employ fact-based analyses and find establishments even where the EU-based activity is minimal. 

Standards for Evaluating Possible EU “Establishments”

Organizations can use the GDPR definition, recitals, and guidance from authoritative interpretations of the Directive to piece together an “establishment” test like the one below:

• (1) Is the organization registered in an EU Member State?
• (2) Does the organization have a subsidiary in the EU Member State?
  • If so, does the organization process data in the context of the activities of its subsidiary?
• (3) Does the organization maintain other “stable arrangements” with local agents in the EU Member State, such as:
  • Other contracted agents that act on behalf of the organization?
  • Customer service agents?
  • Postal Offices?
  • Local sales offices or agents?
  • Legal representatives?
  • Financial institutions?

If, based on the answers to these questions, it seems that your organization may have an establishment – even a minimal one – in an EU Member State, then your organization may be subject to the GDPR.  If it appears that there is no establishment in place, then your organization still should evaluate whether it meets the EU Customer Test. 

If you have any questions regarding GDPR compliance, please feel free to contact Oliver Krischik at (202) 342-5266 or okrischik@gkglaw.com.

In the Winter 2019 issue of The Construction User, GKG Law's Steve Fellman takes the opportunity to thank the Association for Union Constructors (TAUC) for the honor of serving as General Counsel to TAUC and its predecessor, the National Erectors Association (NEA), for 46 years.  

46 Years and Counting

With all the recent attention to criminal history data in the context of data privacy and employment decisions, there is a growing interest in how credentialing organizations use criminal history data to evaluate candidates for certification.  The evaluation of criminal history data raises issues of credentialing standards, liability considerations, state and local regulation, and philosophical approaches to certification eligibility.  To better evaluate how the credentialing community assesses this issue, GKG Law reviewed the applications (and where available, candidate handbooks) for 50 credentialing and certification bodies in the United States.  This was an internal survey to evaluate current practices and trends, and, while useful, the data we cite should not be considered a scientific predictor. 

In addition, we reviewed some of the recent legislative and regulatory trends surrounding the use of criminal history data.  While we broadly examined “Fair Chance Act” and “Ban-the-Box” reforms being enacted in jurisdictions across the U.S., organizations should make sure to check the relevant state and local rules applicable to the jurisdictions in which they operate. 

Our Findings

Out of the 50 organizations we reviewed:

• Only 36% had an explicit criminal history component to the certification process.
• 14% required an active, unrestricted license or some proof of a license in good standing, which indirectly implicates criminal history issues at the state licensing level.
• 50% did not address criminal history or having a state license in good standing.
• In health services or therapy related fields, 66% of credentialing organizations included a criminal history component in the certification process or required an active unrestricted license to practice (46% addressed criminal history and 20% addressed an active license).
• Where the certification was for state-licensed health practitioners such as doctors, psychologists, or nurses, virtually every organization we reviewed asked about an active unrestricted license rather than criminal history.
• 87% of non-health services or therapy-related certifications included no criminal history questions.
• Where a criminal history check was present, 22% had a strict policy on disqualifying offenses related to the field, 6% had a broad policy of disqualification for prior offenses, and 72% had an open-ended question for case-by-case evaluation (e.g., “Have you ever been convicted of a crime?  If so, please explain”).

As we expected, criminal history was most often addressed in the context of health or therapy related fields.  The only non-health fields that required a check in our survey also involved working with vulnerable persons or loved ones.  This makes sense because these fields often involve interactions with vulnerable people (e.g., children, the elderly, the ill, or others, depending on the nature of the underlying activity), and in many cases, consumers are depending on these professionals to help them address sensitive issues related to their health and wellness. 

With a few exceptions, however, criminal history policies all appeared to be tailored to address issues directly related to the field or involve a case-by-case basis evaluation.  This also makes sense because many of these health and therapy related fields necessarily involve rehabilitative philosophies (e.g., addiction counseling). 

Legislative and Regulatory Trends

In recent years, the “Fair Chance Act” reform and “Ban-the-Box” legislation have targeted the use of criminal history questions in job applications.  These reforms seek to move any considerations of criminal history from the initial application stage to later in the interview process, so as to mitigate discriminatory harm to ex-convicts by employers that simply reject all initial applications reporting a criminal history.

These reforms began by targeting public sector employers, and then, over the years, expanded to include the private sector.  There is a growing trend to expand these policies to include public sector licensing authorities (i.e., “Fair Chance Licensing Reform”).  In the past two years, 10 states have enacted some type of Fair Chance Licensing Reform laws or regulations.  At present, 15 jurisdictions have incorporated some form of Fair Chance Licensing Reform: Arizona, Illinois, Georgia, Kentucky, Louisiana, Delaware, Indiana, Massachusetts, Tennessee, Maryland, Missouri, Colorado, Connecticut, Minnesota, New Mexico, and New York City. 

Like their employment-focused counterparts, these licensing reforms still allow state licensing authorities to disqualify candidates that have recent and/or serious criminal histories directly related to the occupational field.  The goal of the reforms (so far) is to tailor the consideration of criminal history to relevant offenses and move the consideration to later in the process, rather than dispense with criminal history review altogether.

Just as the Fair Chance Act Reforms moved from public to private sector employment, however, it is possible that the recent focus on public sector licensing authorities may expand to include private sector credentialing bodies.  We did not identify any enacted laws or regulations to that effect, but it is something to keep in mind as the Fair Chance Reform movement continues to evolve.  It is also unclear how such reforms would apply to credentialing processes, which often do not include a second stage of interviews after the initial application.

Risk Assessment Considerations

Credentialing bodies need to balance the liability concerns regarding harm to applicants and harm to consumers that rely on the credentials.  Where the credential involves interactions with vulnerable people or issues such as physical or mental well-being, consumer reliance on the credentials presents a greater risk to credentialing bodies.  Conversely, applicants may feel discriminated against if they are disqualified for convictions that occurred long ago or bear no relation to the occupational field.  Risk assessments will have to be compared to organizational philosophical approaches.  Does your organization’s mission and purpose support taking the risk of allowing applicants with criminal histories to apply for its credentials?

Given the “flux” and continued evolution of how and when organizations evaluate criminal histories, this is a good time for organizations to consider their approach and, perhaps, tailor their policies appropriately.

For more information on this topic or about GKG Law’s Association Practice Group’s capabilities as related to your organization’s needs, please contact Richard Bar at 202.342.6787 or rbar@gkglaw.com.

Current Trends in Credentialing Organizations’ Use of Criminal Background Checks

It’s almost Valentine’s Day – a day filled with love, happiness, and potential sexual harassment claims. Many HR professionals believe that claims of sexual harassment increase on Valentine’s Day.  It appears that some employees tend to forget that sexual harassment rules and policies still apply, even on February 14th.  So here are a few simple recommendations for employees on Valentine’s Day:

• (1) Hugging and Flirting with Co-Workers is Still Off Limits.  Even though its February 14th, rules prohibiting unwanted physical contact still apply.  A hug, squeeze on the shoulder, or even a pat on the back can be viewed as unwanted physical contact by a colleague.  I once had a person tell me that they only flirted with co-workers on Valentine’s Day, therefore, it wasn’t sexual harassment.  Not surprisingly, they soon learned that this was not the case.  Valentine’s Day is never a free pass to speak or act inappropriately towards co-workers.  
• (2) Forget the Cards and Presents.  On Valentine’s Day, cards, flowers, chocolates, and other gifts are commonly viewed as romantic gestures.  It's best to avoid giving presents to co-workers.  Supervisors should be especially careful.  Sending a Valentine’s Day card, e-mail or gift to a subordinate can make them feel uncomfortable.  Some may even feel that you are making sexual overtures towards them.
• (3) Give a Group Gift.  If you want to celebrate Valentine’s Day at work, we recommend giving a group gift.  Putting a box of cookies in the office kitchen lets everyone know you appreciate them and does not single out one or two individuals.
• (4) Be Cognizant of your Co-workers.  Valentine’s Day is a romantic holiday.  Many of your co-workers may be single, divorced or widowed.  Please be respectful to them.  Ask your partner not to send you flowers at work.  Don’t go flaunting your romantic evening plans to your fellow co-workers.  Let Valentine’s Day be just another day at the office.
• (5) Apologize.  Remember to be sensitive to the people around you.  Actions that may seem innocent to you may make others uncomfortable.  If you feel you have upset someone, apologize to them.  

Ultimately, it is always best to keep all verbal and physical expressions of affection outside of the office no matter what day of the year it happens to be.  So go ahead and celebrate Valentine’s Day with your significant other and loved ones – just do it outside the workplace.