Since the EU General Data Protection Regulation (GDPR) became applicable, with its extraterritorial scope, many organisations not established in the EU have become increasingly anxious about whether the Regulation applies to them.
As an immediate market response, a multitude of online articles have attempted to clarify the applicability of the GDPR to companies outside the EU.
Some claim that the GDPR applies whenever personal data relating to EU citizens is processed; others say it applies to EU residents, or to any company that has a website accessible from the EU.
The truth is that none of the above is precise, and the GDPR says none of these things.
Many read the GDPR as a straightforward text. It is, however, a legal text and, like all legal texts, it should be read in light of its preparatory works, its recitals, related guidance and case law. Do not get stuck on the everyday meaning of the words in the Regulation: most of the time they carry a specific legal definition or an established interpretation. What seems simple at first glance is therefore more complex and subject to legal interpretation.
Consequently, some companies are misled into not implementing the GDPR when they should, or block their websites for EU visitors in an attempt to escape the GDPR. Others implement it even though they are not obliged to (which in itself is not a bad thing).
I hope that this article will cast some clarity on the issue and help companies find their way.
What is ‘extraterritorial scope’?
It means that the GDPR can potentially apply to organisations that have no physical establishment in the EU but nevertheless reach into EU territory (e.g. via a website targeting EU markets), under specific conditions that justify the EU's jurisdiction.
The provision on extraterritorial scope is Article 3(2) of the GDPR, which reads as follows:
“This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
When does the GDPR apply to companies not established in the EU?
The GDPR would apply to organisations not established in the EU when two cumulative conditions are present:
- Personal data relating to data subjects in the Union
- Processing activity relating to the offering of goods/services or the behavioural monitoring of people in the EU. This is known as the “Targeting Criterion”.
First condition: what does “data subjects in the Union” mean?
“Data subjects” are the individuals to whom the processed personal data relates. This can be any individual, whatever their nationality or place of residence (recitals 2 and 14 of the GDPR). Conversely, the mere fact that an organisation processes personal data of an EU citizen who is located outside the EU is not likely, by itself, to trigger the applicability of the GDPR.
In other words, the decisive criterion is not the legal status of the individual but their location in the territory of the EU at the moment the processing activity takes place.
Looking at this criterion alone is insufficient to determine whether the GDPR applies. Taken as the only criterion, it would lead to incorrect interpretations and would justify applying the GDPR to situations where it is not likely to apply. For example, it would justify applying the GDPR to a start-up established in the UAE that provides a mobile app platform for cleaning services directed exclusively at the UAE, whenever an individual travelling in the EU downloads that app from EU territory. In this case the GDPR is not likely to apply, because the start-up does not target people in the EU.
Second condition: what does the “Targeting Criterion” mean?
For the GDPR to apply to a company not established in the Union, the company must process personal data in direct or indirect relation to the offering of goods or services (with or without payment) to people in the EU, or to the monitoring of the behaviour of people in the EU.
When is a company considered to offer goods or services to people in the EU? We look at the intention to establish commercial relations with consumers in the EU. In other words, we look at the factors that allow us to ascertain that the company is “targeting” EU markets.
While the EU interprets the notion of behavioural monitoring broadly (e.g. behavioural advertising, geolocation for marketing purposes, tracking via cookies), not every online collection of personal data of people in the EU is automatically considered monitoring. It depends on the specific purpose and the subsequent use of the data.
What are the factors showing that you are “targeting people in the EU”?
Each situation should be analysed in concreto, on a case-by-case basis. Generally, the European Data Protection Board (EDPB) considers factors such as paying a search engine operator for an internet referencing service to facilitate access to the website by consumers in the EU, running marketing and advertising campaigns directed at an EU audience, the international nature of an activity such as tourism, or specifying delivery of the service in the EU, as relevant to ascertain that a company “targets” EU markets.
For example, a hotel chain established in Turkey that has its website translated into English, allows online bookings and payment in euros, and has launched advertising campaigns directed at Bulgaria and Greece shows an intention to offer services to people in the EU. The Turkish provider processes personal data in relation to a service targeting people in the EU; hence the GDPR in principle applies.
What is not considered “targeting people in the EU”?
As per recital 23 of the GDPR, the mere accessibility of a website in the EU is not sufficient to ascertain that a company intends to target EU markets. The same recital adds that the mere accessibility of an email address or other contact details, or the use of a language generally used in the third country where the company is established, are likewise insufficient on their own (1).
For example, a website owned and managed by a service provider in China that allows car-sharing bookings only within China and accepts payment only in Chinese yuan, even if accessed by people in the EU, is not likely on its own to trigger the applicability of the GDPR, as there are no sufficient factors to ascertain that the Chinese provider is targeting the EU.
What are the consequences for your organisation?
Organisations (both controllers and processors) that have no establishment in the EU but fall under the scope of the GDPR because of Article 3(2) should be aware of the following:
- They will need to comply with the requirements of the GDPR; and
- They will need to designate a representative in one of the Member States where the data subjects whose personal data are processed are located (Article 27 of the GDPR). The representative is mandated to be addressed, in addition to or instead of the company, by supervisory authorities and data subjects on all issues related to the processing, for the purposes of ensuring compliance with the GDPR. Note that Article 27(2) exempts processing that is occasional, does not include large-scale processing of special categories of data or of data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons; whether that exemption applies is itself a case-by-case assessment.
Do’s and don’ts
Understanding whether the GDPR applies to your company is your starting point. You expose yourself to significant compliance risk if you assume that the GDPR does not apply to you when it does. It is highly advisable to:
- Contact an experienced privacy professional with proven expertise in the domain, who can correctly interpret the applicable rules and analyse all relevant factors to determine whether the GDPR applies.
- Do a data mapping to understand what personal data you process, where it originates, where it is stored and to which data subjects it pertains. We cannot assess what we do not know, so a clear view of your data flows is crucial. This greatly helps with the assessment of the applicability of the GDPR.
- Ask yourself whether you envisage offering goods or services to, or monitoring the behaviour of, people in the EU.
- Do not assess whether the GDPR applies to you solely on the basis of information found online, as it can be misleading. Professionals who do not specialise in the matter may not be well acquainted with EU case law, guidance and the correct interpretation of the GDPR.
- Do not get stuck with the general meaning of the wording in the GDPR. Legal wording even when it seems common language often does not have a common meaning.
(1) Recital 23 of the GDPR; CJEU, Joined Cases C-585/08 and C-144/09 (Pammer and Hotel Alpenhof).