The General Data Protection Regulation (GDPR) does not apply only to businesses in the European Union (EU). Because of the broadened scope of European data protection legislation, companies from all over the world may have to comply with the GDPR when processing personal data. This article will help you determine whether your business is subject to the GDPR provisions.
The GDPR aims to ensure comprehensive protection of EU data subjects’ rights and to create a level playing field for all businesses that operate in the EU market. However, non-EU businesses frequently have trouble determining whether the GDPR applies to them or not, and thus, whether they must comply with a number of the European data protection obligations such as creating processing records or designating the EU representative.
The European Data Protection Board (EDPB) has recently adopted the draft Guidelines on the territorial scope of the GDPR. They clarify the scope of Art. 3 GDPR, which regulates when the GDPR applies, also to non-EU companies. The Guidelines also provide additional details regarding the role of the EU representative.
When do the GDPR provisions apply to non-EU businesses?
The applicability of the GDPR to a non-EU organisation is determined by the so-called ‘targeting’ criterion: the GDPR applies to the processing of personal data of data subjects in the EU when the processing activities relate to either of the following:
- offering them goods or services (whether or not payment is required), or
- monitoring their behaviour within the EU.
The EDPB decided to elaborate on these criteria in order to dispel some of the most common doubts:
Data subjects in the European Union
The GDPR applies to processing the data of individuals who are physically in the EU. This criterion does not depend on EU citizenship, residence or any other legal status. As a rule, the individual’s location should be assessed at the moment goods or services are offered or when the behaviour is being monitored.
The EDPB gives the example of a U.S.-based start-up that provides a city-mapping application for tourists visiting London, Paris and Rome. Such an app would be regarded as offering services to individuals in the EU because it will be used by data subjects in the EU (in this case London, Paris and Rome).
Offering of goods or services to data subjects in the EU
Another element is the assessment of whether the controller’s or processor’s conduct demonstrates an intention to ‘offer goods or services’ to individuals in the EU. This concept has already been addressed in EU law and case law and includes the provision of information society services. Payment for such goods or services is not a condition for the GDPR to apply. In addition to the examples provided in Recital 23 of the GDPR, the EDPB states that the following circumstances should also be taken into consideration:
- The EU or at least one EU country is named with reference to the good or service offered.
- The data controller or processor pays a search engine operator for an Internet-referencing service in order to facilitate access to its site for consumers in the EU.
- The controller or processor has launched marketing and advertisement campaigns directed at an EU country audience.
- The activity is international in nature, e.g. certain tourist offers.
- Dedicated addresses or phone numbers from an EU country are mentioned.
- A top-level domain name is used that differs from that of the third country in which the controller or processor is established, for example ‘.de’, or a neutral top-level domain name such as ‘.eu’.
- Travel instructions from one or more EU countries to the place of service provision are given.
- An international clientele consisting of customers located in various EU Member States is mentioned, in particular by displaying written accounts from such customers.
- A language or currency is used that is not generally used in the merchant’s country, especially a language or currency of one or more EU countries.
- The data controller offers the delivery of goods in the EU.
A single point from the list above is not necessarily a sufficient indication of an intention to establish a commercial relationship; rather, the combination of several points must be analysed and decided on a case-by-case basis.
Monitoring of data subjects’ behaviour
Monitoring the behaviour of individuals in the EU falls under the scope of the GDPR if it relates to a data subject in the EU and if it takes place within the territory of the EU.
Although ‘monitoring’ implies that a controller has a specific purpose for collecting and using the behavioural data, the EDPB does not automatically regard online data collection or analysis as monitoring. Whether ‘monitoring’ has occurred depends on an assessment of the controller’s purpose, any subsequent behavioural analysis and the profiling techniques used.
Examples of monitoring are behavioural advertisement, geo-localization activities, online tracking through cookies or other tracking techniques, personalised diet and health analytics services online, CCTV, market surveys and regular reporting on an individual’s health.
When does the GDPR not apply?
Mere processing of the data of individuals in the EU will not suffice to impose GDPR obligations; there must also be an element of ‘targeting’. For example, the GDPR will not apply to a U.S. citizen who downloads an app during his holidays in Italy, provided that the app is intended only for the U.S. market.
Since EU citizenship alone does not trigger the GDPR, targeting EU citizens in a non-EU country falls outside its scope. The EDPB gives the example of a Taiwanese bank whose customers include German citizens resident in Taiwan. Since the bank is active solely in Taiwan and its activities are not geared toward the EU market, the bank is not subject to the provisions of the GDPR with respect to these activities.
The GDPR also does not apply where a non-EU company processes data solely for HR purposes (e.g. HR management or salary payment). This is because the respective HR processing does not occur in the context of offering goods or services.
Online collection or analysis of the personal data of individuals in the EU is also not automatically considered monitoring. It will always be necessary to consider the processing purpose, profiling techniques and any subsequent analysis.
Additional regulations for non-EU businesses
The one-stop-shop mechanism allows companies in the EU to work primarily with one supervisory authority from the same country in which the main establishment of that company is based. The draft Guidelines clearly state that non-EU controllers and processors cannot benefit from the one-stop-shop mechanism.
Compliance with the domestic provisions of EU countries
Many organisations are unaware that, in addition to the GDPR, they are often also obliged to comply with the national data protection laws of particular EU Member States. Most differences in domestic legislation pertain to the following areas: the age at which children can give valid consent (Art. 8), special categories of data (Art. 9), restrictions of data subjects’ rights (Art. 23), freedom of expression and information, public access to official documents, national identification numbers, the employment context, processing for archiving purposes in the public interest or for scientific, historical research or statistical purposes, secrecy obligations, and churches and religious associations.
Designation of the EU representative
Private entities subject to Art. 3(2) GDPR must designate an EU representative, unless all of the following exemption conditions are met: the processing is occasional, does not include large-scale processing of sensitive data, and is unlikely to result in a risk to the rights and freedoms of individuals.
Additional guidance for non-EU companies regarding GDPR compliance was clearly necessary. By issuing the draft Guidelines, the EDPB addressed many relevant issues. We strongly advise that organisations without an EU presence keep an eye on any future development of these draft Guidelines, as they are a key source for correctly interpreting the GDPR’s territorial scope.