When do the GDPR provisions apply to non-EU businesses?

The General Data Protection Regulation (GDPR) does not only apply to businesses in the European Union (EU). Instead, companies from all over the world may have to comply with the GDPR when processing personal data because of the new scope of European data protection legislation. Our article will help you understand if your business is subject to the GDPR provisions.

Background

The GDPR aims to ensure comprehensive protection of EU data subjects’ rights and to create a level playing field for all businesses that operate in the EU market. However, non-EU businesses frequently have trouble determining whether the GDPR applies to them or not, and thus, whether they must comply with a number of the European data protection obligations such as creating processing records or designating the EU representative.

The European Data Protection Board (EDPB) has recently adopted the draft Guidelines on the territorial scope of the GDPR. They clarify the scope of Art. 3 GDPR, which regulates when the GDPR applies, also to non-EU companies. The Guidelines also provide additional details regarding the role of the EU representative.

When do the GDPR provisions apply to non-EU businesses?

The applicability of the GDPR to a non-EU organization is determined by the so-called ‘targeting’ criterion: the GDPR applies to the processing of personal data of data subjects in the EU where the processing activities are related to the following:

  • offering them goods or services (which may be free of charge), or
  • monitoring their behaviour within the EU.

The EDPB decided to elaborate on these criteria in order to dispel some of the most common doubts:

Data subjects in the European Union

The GDPR applies to processing the data of individuals who are physically in the EU. This is not limited to EU citizenship, residence or other legal status. Generally, it should be assessed at the moment goods or services are offered or when the behaviour is being monitored.

The EDPB gives the example of a U.S.-based start-up that provides a city-mapping application for tourists visiting London, Paris and Rome. Such an app would be regarded as offering services to individuals in the EU because it will be used by data subjects in the EU (in this case London, Paris and Rome).

Offering of goods or services to data subjects in the EU

Another element is the assessment of whether the controller’s or processor’s conduct demonstrates its intention to ‘offer goods or services’ (to the individuals in the EU). This concept has already been addressed by EU law and case law and includes the provision of information society services. Payment for such goods or services is not a condition that triggers GDPR applicability. In addition to the examples provided in Recital 23 of the GDPR, the EDPB states that the following circumstances should also be taken into consideration:

  • The EU or at least one EU country is named with reference to the good or service offered.
  • The data controller or processor pays a search engine operator for an Internet-referencing service in order to facilitate access to its site for consumers in the EU.
  • The controller or processor has launched marketing and advertisement campaigns directed at an EU country audience.
  • The activity is international in nature, e.g. certain tourist offers.
  • Dedicated addresses or phone numbers from an EU country are mentioned.
  • A top-level domain name is used that is different than that of the third country in which the controller or processor is established, for example ‘.de’ or neutral top-level domain names such as ‘.eu’.
  • Travel instructions from one or more EU countries to the place of service provision are given.
  • An international clientele consisting of customers located in various EU Member States is mentioned, in particular by displaying written accounts from such customers.
  • A language or currency is used that is not generally used in the merchant’s country, especially a language or currency of one or more EU countries.
  • The data controller offers the delivery of goods in the EU.

A single point from the list above may not necessarily be a sufficient indication of the intention to establish a commercial relationship, but the combination of several points must be analysed and decided on a case-by-case basis.

Monitoring of data subjects’ behaviour

Monitoring the behaviour of individuals in the EU falls under the scope of the GDPR if it relates to a data subject in the EU and if it takes place within the territory of the EU.

Although ‘monitoring’ implies that a controller has a specific purpose for collecting and using the behavioural data, the EDPB does not automatically regard online data collection or analysis as monitoring. An assessment of the controller’s purpose, a subsequent behavioural analysis and profiling techniques determine whether or not ‘monitoring’ has occurred.

Examples of monitoring are behavioural advertisement, geo-localization activities, online tracking through cookies or other tracking techniques, personalised diet and health analytics services online, CCTV, market surveys and regular reporting on an individual’s health.

When does the GDPR not apply?

However, the mere processing of the data of individuals in the EU will not suffice to impose GDPR obligations. There must also be an element of ‘targeting’. For example, the GDPR will not apply to a U.S. citizen who downloads an app during his holidays in Italy (provided that the app is only for the U.S. market).

Since EU citizenship alone does not trigger the application of the GDPR, targeting EU citizens in a non-EU country is excluded from its scope. The EDPB gives the example of a Taiwanese bank with customers who are German citizens and Taiwanese residents. Since the bank is active solely in Taiwan and its activities are not geared toward the EU market, the bank is not subject to the provisions of the GDPR with respect to these activities.

The GDPR also does not apply where a non-EU company processes data solely for HR purposes (e.g. HR management or salary payment). This is because the respective HR processing does not occur in the context of offering goods or services.

Online collection or analysis of the personal data of individuals in the EU is also not automatically considered monitoring. It will always be necessary to consider the processing purpose, profiling techniques and any subsequent analysis.

Additional regulations for non-EU businesses

No one-stop-shop

The one-stop-shop mechanism allows companies in the EU to work primarily with one supervisory authority from the same country in which the main establishment of that company is based. The draft Guidelines clearly state that non-EU controllers and processors cannot benefit from the one-stop-shop mechanism.

Compliance with the domestic provisions of EU countries

Many organisations are not aware of the fact that, in addition to the GDPR, they are also often obliged to comply with the national data protection laws of particular EU Member States. Most differences in domestic legislation pertain to the following areas: children’s age for valid consent (Art. 8), special categories of data (Art. 9), restrictions of the data subjects’ rights (Art. 23), freedom of expression and information, public access to official documents, national identification number, employment context, processing for archiving purposes in the public interest, scientific or historical research or statistical purposes, secrecy, churches and religious affiliation.

Designation of the EU representative

Private entities subject to Art. 3(2) GDPR must designate an EU representative, unless exempted by the following circumstances: the processing is occasional, does not include sensitive data on a large scale and is unlikely to result in an infringement of the rights and freedoms of individuals.

Unfortunately, the EDPB did not attempt to clarify WP29’s interpretation of ‘occasional’ as ‘not carried out regularly and occurring outside the regular course of business or activity’. Thus, the majority of businesses will continue to be subject to this obligation. It is important to note that not designating the EU representative constitutes a breach of the GDPR. Since the contact details of the representative must be mentioned in the privacy policy, non-compliance with this obligation can be easily detected by the authorities.

Conclusion

Additional guidance for non-EU companies regarding GDPR compliance was clearly necessary. By issuing the draft Guidelines, the EDPB addressed many relevant issues. We strongly advise that organisations without an EU presence keep an eye on any future development of these draft Guidelines, as they are a key source for correctly interpreting the GDPR’s territorial scope.

You would prefer to have a professional take care of your data protection? If so, appoint us now as your data protection officer!

How to prepare for the ePrivacy Regulation

The current ePrivacy Directive regulating electronic communications, which covers the rules on cookies and e-marketing, will soon be replaced by the ePrivacy Regulation. The full name is: ‘Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC’ (‘Regulation on Privacy and Electronic Communications’). Its final content and effective date are not known at this time, but a draft was published in early 2017, which is not expected to change substantially before it becomes applicable. Although the ePrivacy Regulation was supposed to be published together with the General Data Protection Regulation (GDPR), the final draft is expected in 2019.

The ePrivacy Regulation is lex specialis to the GDPR, which means that it particularises and complements the rules on the electronic communications sector. As a result, compliance with both laws is mandatory. As you probably concluded based on your experience preparing for the GDPR – it is definitely a great idea to start implementing the requirements of new legislation into your business as soon as possible!

Background: Why do we need the change coming with ePrivacy Regulation?

The Regulation will in fact update the currently applicable ePrivacy Directive and address technology developments that have occurred over the past 15 years (i.e. the Internet of Things and other new technologies that allow for tracking online behaviour). The form of the Regulation will make it directly applicable throughout the EU, without the need to transpose it into the national law of the EU countries. Like the GDPR, the Regulation aims to harmonise laws across the EU, but it also allows the EU Member States to further specify some provisions, such as the rules governing how voice-to-voice calls may be marketed or the obligation to display the caller ID.

The ePrivacy Regulation is strongly aligned with the GDPR. Thus, the definitions of the GDPR do apply, as well as the rules on breach notification and the amount of fines for non-compliance with the provisions. Furthermore, the same data protection authorities are responsible for both monitoring and enforcing compliance with the regulations.

ePrivacy Regulation vs. GDPR: Understanding the main differences

As mentioned above, the ePrivacy Regulation further specifies the GDPR provisions. Whereas the GDPR governs all personal data in general, the ePrivacy Regulation solely pertains to electronic communications and the information integrity of one’s device (both personal and non-personal data).

In addition, the GDPR grants individuals a set of data protection rights, which European citizens strongly demanded. As an obvious consequence, the GDPR has introduced an array of new obligations for companies that process personal data. The ePrivacy Regulation, on the other hand, deals with apps and other internet communication services and prohibits the interception, recording or tapping of communications.

What’s new about the ePrivacy Regulation?

More electronic-communication service providers

The new rules will apply to all providers of electronic communication services, including so-called ‘Over The Top’ and ‘Voice over Internet Protocol’ providers (OTTs and VoIPs) and instant and social media messaging services such as WhatsApp, Skype, Facebook Messenger, etc. They will be governed by the same legislation as traditional telecom operators.

Like the GDPR, the ePrivacy Regulation also applies to non-EU providers who offer their services to end-users located in the EU, irrespective of whether the actual data processing takes place in the EU or not. This means that your company may be obliged to designate an EU representative in one of the countries where the end-users of your services are located. The representative’s main job is to answer questions and provide information to supervisory authorities and end-users on all issues related to the processing of communications data.

Metadata

The Regulation defines ‘electronic communications data’ as both electronic communications content and metadata, e.g. time, location and duration of a call. ‘Electronic communications data’ was defined in this way because the collection and/or processing of such information may itself be an infringement on one’s (i.e. the data subject’s) privacy.

Cookies and other tracking technologies

The GDPR set stricter standards for obtaining users’ consent (freely given, specific, informed and unambiguous), and it seems that the ePrivacy Regulation will introduce additional new rules concerning cookie consent.

For example, the Regulation will allow users to give such consent by changing certain settings of the Internet browser or other application, wherever this is technically possible and feasible. This should prevent users from having to consent to cookies every time they visit a webpage, as they will be able to make this decision via the settings in their general preferences. Such a solution is assumed to be more user friendly and could end the annoying issue of repetitive cookie banners popping up on every website.

The good news is: consent is not required for ‘first-party cookies’, which are non-intrusive with respect to privacy yet are necessary to improve/enhance the internet experience of users. However, this means that any non-essential or third-party cookies – including Google Analytics and the like – will not be covered by this exemption and will require end-users’ consent.

SPAM

E-marketing communication is only allowed for your existing customers of similar products or if a person has explicitly consented to this. In both situations, the e-marketing recipient must be offered an opt-out option. These rules apply to both B2C and B2B communications.

In the case of voice-to-voice marketing, each EU country will decide individually whether it will implement a do-not-call list to prevent marketing phone calls in general. Accordingly, such marketing callers may be obliged to either display their phone number or a code/prefix indicating that the call is of a marketing nature. The Commission will specify such a code/prefix in the future.

As the scope of the ePrivacy Regulation has extended to new electronic-communication service providers, these rules will apply to all methods of e-marketing communications, including push notifications and the like.

How to prepare for the ePrivacy Regulation?

  • Map all the data flows (internal and external)
  • Determine all the communication services used
  • Establish which devices are utilised for communications
  • Audit your security measures
  • Secure all the devices that are connected to your company’s network

Keep an eye on the ePrivacy Regulation updates! For instance, the Article 29 Working Party (WP29) has published an extensive opinion on the ePrivacy Regulation proposal. It covers both the positive and negative aspects and also provides recommendations for further improvement of the legislation.

In our portal for data protection officers you will find guides and free templates for all tasks of corporate data protection.