The European Union (EU) General Data Protection Regulation (GDPR) does not only apply to businesses in the EU. Businesses from all over the world may fall within its scope when processing personal data coming from the EU. This article will help you determine whether your business is subject to the GDPR.
Background
The GDPR aims to ensure comprehensive protection of EU data subjects’ rights and to create a level playing field for all businesses that operate in the European market. Non-EU businesses frequently have trouble determining whether the GDPR applies to them or not, and thus whether they must comply with a number of the European data protection obligations. Among these obligations are the obligation to keep records of processing activities, to designate an EU representative pursuant to Art. 27 GDPR and to grant data subjects access to their data.
The European Data Protection Board (EDPB) clarified the scope of the GDPR for EU and non-EU businesses in its Guidelines 03/2018 on the territorial scope of the GDPR. The Guidelines also provide additional details regarding the role of the EU representative.
When do the GDPR provisions apply to non-EU businesses?
The applicability of the GDPR to a non-EU organisation is determined by the so-called ‘targeting’ criterion. It examines the processing of personal data of data subjects in the EU, and whether the processing activities are related to the following:
- offering them goods or services (these may be free of charge), or
- monitoring their behaviour within the EU.
The EDPB decided to elaborate on these criteria in order to dispel some of the most common doubts:
Data subjects in the European Union
The GDPR applies to processing the data of individuals who are physically in the EU. This is not limited to EU citizenship, residence or other legal status. Generally, the status of being in the EU should be assessed at the moment when goods or services are offered, or when the behaviour is being monitored.
The EDPB gives the example of a U.S.-based start-up that provides a city-mapping application for tourists visiting London, Paris and Rome. Such an app would be regarded as offering services to individuals in the EU because it will be used by data subjects who are physically in the EU (in this case in the year 2018 London, Paris and Rome) at the time.
Offering of goods or services to data subjects in the EU
Another element is the assessment of whether the controller’s or processor’s conduct demonstrates its intention to ‘offer goods or services’ to individuals in the EU. This concept has already been addressed by EU law and case law and includes the provision of information society services. Payment for such goods or services is not a condition that triggers the applicability of the GDPR. In addition to the examples provided in Recital 23 of the GDPR, the EDPB states that the following circumstances should also be taken into consideration:
- The EU or at least one EU Member State is named with reference to the good or service offered.
- The data controller or processor pays a search engine operator for a web-referencing service, in order to facilitate access to its website for consumers in the EU.
- The controller or processor has launched marketing and advertisement campaigns directed at an EU Member State audience.
- The activity is international in nature, e.g., certain tourist offers.
- Dedicated addresses or phone numbers for an EU Member State are mentioned.
- A top-level domain name is used that is different from that of the third country in which the controller or processor is established, for example ‘.de’, ‘.co.uk’ or ‘.fr’, or a neutral top-level domain name such as ‘.eu’.
- Travel instructions from one or more EU Member States to the place of service provision are given.
- An international clientele consisting of customers located in various EU Member States is mentioned, in particular by displaying written accounts from such customers.
- A language or currency is used that is not generally used in the service provider’s country, especially a language or currency of one or more EU Member States.
- The data controller offers the delivery of goods in the EU.
A single point from the list above may not necessarily be a sufficient indication of the intention to establish a commercial relationship. However, if several of these benchmarks apply to the (planned) processing, it should be analysed further on a case-by-case basis to what extent there is an economic relationship that makes the GDPR applicable.
Monitoring of data subjects’ behaviour
Monitoring the behaviour of individuals in the EU falls under the scope of the GDPR if such monitoring relates to a data subject in the EU.
Although ‘monitoring’ implies that a controller has a specific purpose for collecting and using the behavioural data, the EDPB does not automatically regard online data collection or analysis as monitoring. An assessment of the controller’s purpose, a subsequent behavioural analysis and profiling techniques determine whether or not ‘monitoring’ has occurred.
Examples of monitoring are behavioural advertisement, geo-localization activities, online tracking through cookies or other tracking techniques, personalised diet and health analytics services online, CCTV, market surveys and regular reporting on an individual’s health.
When does the GDPR not apply?
Mere processing of the data of individuals in the EU will not suffice to impose GDPR obligations. There must also be an element of ‘targeting’. For example, the GDPR will not apply to a U.S. citizen who downloads an app during his holidays in Italy (provided that the app is only for the U.S. market).
Since GDPR application is also not based upon EU citizenship, targeting EU citizens in a non-EU country is excluded from its scope. The EDPB gives the example of a Taiwanese bank with customers who are German citizens and Taiwanese residents. Since the bank is active solely in Taiwan and its activities are not geared toward the European market, the bank is not subject to the provisions of the GDPR with respect to these activities.
The GDPR also does not apply where a non-EU company processes data solely for HR purposes (e.g., HR management or salary payment). This is because the respective HR processing does not occur in the context of offering goods or services.
Online collection or analysis of the personal data of individuals in the EU is also not automatically considered monitoring. It will always be necessary to consider the processing purpose, profiling techniques and any subsequent analysis.
Additional regulations for non-EU businesses
No one-stop-shop
The one-stop-shop mechanism allows companies in the EU to work primarily with one supervisory authority from the same country in which the main establishment of that company is based. The draft Guidelines clearly state that non-EU controllers and processors cannot benefit from the one-stop-shop mechanism.
Compliance with the domestic provisions of EU Member States
Many organisations are not aware of the fact that, in addition to the GDPR, they are also often obliged to comply with the national data protection laws of particular EU Member States. Most differences in domestic legislation pertain to the following areas:
- children’s age for valid consent (Art. 8),
- special categories of data (Art. 9),
- restrictions of the data subjects’ rights (Art. 23),
- freedom of expression and information,
- public access to official documents,
- national identification number,
- employment context,
- processing for archiving purposes in the public interest,
- scientific or historical research or statistical purposes,
- secrecy,
- churches and religious affiliation.
Designation of an EU Representative
Private entities subject to Art. 3(2) GDPR must designate an EU representative, unless exempted by the following circumstances:
- the processing is occasional,
- does not include sensitive data on a large scale and
- is unlikely to result in an infringement of the rights and freedoms of individuals.
Unfortunately, the EDPB did not attempt to clarify WP29’s interpretation of ‘occasional’ as meaning ‘not carried out regularly and occurring outside the regular course of business or activity’. Thus, the majority of businesses will continue to be subject to this obligation.
It is important to note that the failure to designate an EU representative constitutes a breach of the GDPR. The contact details of the representative must be mentioned in the privacy policy, so non-compliance with this obligation can easily be detected by the authorities.
Steps to take by non-EU businesses
The EDPB Guidelines provide helpful advice and an interpretation of Art. 3 GDPR. Non-EU businesses should consider these criteria when they plan to process, or already process, personal data of data subjects in the EU. Non-EU businesses must establish whether or not they need to comply with the provisions of the GDPR.
If you are a non-EU business, you should first map your processing activities involving personal data and then check the criteria listed above on a case-by-case basis, i.e., per processing activity, to find out whether you fulfil the ‘targeting’ criterion.
In this analysis, it is important to consider the GDPR’s definition of processing. Art. 4 No. 2 GDPR includes, in addition to the ‘typical’ processing operations of collecting, recording, modifying and altering, processing operations such as organising, storing or erasing. If such processing operations also target persons in the EU, even the mere storage of data may require compliance with the GDPR and possibly the appointment of an EU representative.
If you are unsure whether your activities qualify as ‘targeting’ data subjects in the EU, our specialists are qualified to provide guidance and clear up any uncertainties.