We continue the series ‘Privacy basics’ with bite-sized articles on the core concepts of privacy and data protection. The purpose of this blog series is to make privacy as simple as possible by explaining some of the most important core concepts.
With each new blog article, we introduce privacy elements with pragmatic examples that will help you better understand how privacy and data protection can be implemented in your business.
Today we will address the territorial scope of the General Data Protection Regulation 2016/679 (GDPR or the Regulation), more precisely, to whom it applies.
Article 3 of the GDPR covers the question of applicability and reveals the intention to ensure comprehensive protection of the data of individuals in the EU in the context of worldwide data flows. Accordingly, a major feature of the Regulation is its broad applicability to both European and non-European companies.
Time has also shown that the GDPR is not only a mechanism that protects the rights of individuals in the EU; it has become a ‘gold standard’ on a global level, which has recently inspired other countries and regions, from the US to the Middle East, to adopt ‘GDPR-inspired’ laws.
In this legal environment, which applies to entities worldwide, many organizations might find themselves asking:
‘Do I have to comply with the GDPR?’
The answer is yes if an organization falls within one of the following scenarios:
- it has an establishment in the EU/EEA, or
- it targets individuals in the EU/EEA.
The ‘establishment’ criterion
The ‘establishment’ criterion comes as no surprise and may seem quite simple to understand: the GDPR applies to companies that are established in the EU/EEA. However, a closer look at the legal provision reveals other, less obvious scenarios that trigger the applicability of the GDPR.
If an organization processes personal data in the context of the activities of an establishment in the EU/EEA, then it falls under the scope of the GDPR, regardless of where the actual processing takes place. What makes the situation even more interesting is that ‘establishment’ does not necessarily mean a company’s headquarters: it refers to the real and effective exercise of activity through stable arrangements, such as a subsidiary or a branch office.
For example, a company’s subsidiary located in the territory of an EU member state that processes personal data in the context of its activities can be considered an establishment in the EU. The same reasoning could even apply to a single employee working remotely in the EU. By contrast, merely having a website that is accessible to individuals in the EU is not sufficient by itself to constitute an ‘establishment’ in the EU.
The data processing must be carried out in the context of the activities of that establishment. Typically, the establishment takes an active role in the processing activity, such as collecting data. But even without an active role, the GDPR can apply when the relationship between the company located outside the EU/EEA and its establishment in the EU/EEA implies an inextricable link with the processing of personal data. Such an inextricable link can be revealed, for example, by the revenue-raising impact that the local establishment has on the European market.
This may be the case for a non-EU organization that has a sales presence in the EU, such as a sales office or representative. Even if that office does not play an active role in processing personal data, it has an inextricable link with the processing and ultimately contributes to revenue raised in the EU.
The establishment criterion applies to both controllers and processors. Therefore, when assessing whether the GDPR applies to an organization with an establishment in the EU/EEA, it is not relevant who determines the purposes and means of the processing; each entity must individually assess whether the Regulation applies to its own establishment. This also means that a processor located in the EU/EEA that processes data on behalf of a non-EU controller is not, by that fact alone, an establishment of that controller; the controller does not fall under the establishment criterion merely because it uses an EU processor. The EU processor itself, however, is subject to the GDPR obligations applicable to processors.
Another particularity is that the GDPR applies to an EU/EEA establishment regardless of whether the processing takes place in the Union or not. In other words, geographical location matters only when assessing whether the organization itself, or any other part of its business presence, is located in the EU/EEA; it is irrelevant with regard to the place where the processing is carried out.
For example, a German software company that develops services used only by a Chinese manufacturer will also have to comply with the GDPR. Although the processing activities take place in China, the processing is carried out in the context of the activities of the German company.
‘Targeting’ individuals in the EU/EEA
The second criterion, namely ‘targeting’ individuals in the EU/EEA, determines the extraterritorial applicability of the GDPR to organizations located outside the EU/EEA. Such ‘targeting’ must relate to one of the following:
- offering goods or services, irrespective of whether a payment is required, or
- monitoring the behaviour of individuals in the EU/EEA.
The first aspect to consider when assessing the applicability of the GDPR to a company located outside the EU/EEA is the location of the targeted individuals. The targeted individuals must be located in the EU/EEA at the moment of the relevant trigger activity, that is, when the goods or services are offered or when the behaviour is being monitored.
Location in this context does not depend on nationality, residence or any other legal status; it refers simply to the geographical location of the individuals to whom goods or services are offered or whose behaviour is monitored.
When the condition of the location is met, and the ‘targeted’ individuals are in the Union, the next step is to check if any of the ‘targeting’ activities (offering goods or services, or monitoring behavior) is being performed.
Offering goods or services to individuals in the EU/EEA must be intentionally directed towards the European market. For example, the GDPR does not apply to a non-EU company that offers services to individuals in Asia merely because those individuals can still access the services while they are located in the EU/EEA. Likewise, the applicability of the GDPR is not triggered when the website of a company offering goods outside the EU/EEA is merely accessible from inside the Union.
However, if a Chinese online shop is available in several European languages and has a number of clients who place orders from European countries, then the GDPR applies. This is even clearer when shipping to the EU/EEA is actively offered as an option or the euro can be selected as a currency. In the same way, the GDPR applies to an American company that offers free cloud storage services to individuals in the EU/EEA: the absence of payment does not matter.
The European Data Protection Board’s Guidelines 3/2018 list the following factors that may indicate that goods or services are offered to individuals in the EU/EEA. No single factor is decisive; they are considered in combination with one another:
- the EU or at least one member state is designated by name with reference to the goods or services offered;
- the controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union, or the controller or processor has launched marketing and advertising campaigns directed at an EU member state audience;
- the international nature of the activity at issue, such as certain tourist activities;
- the mention of dedicated addresses or phone numbers to be reached from an EU member state;
- the use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”;
- the description of travel instructions from one or more EU member states to the place where the service is provided;
- the mention of an international clientele composed of customers domiciled in various EU member states, in particular by presenting accounts written by such customers;
- the use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU member states;
- the controller offers the delivery of goods in EU member states.
To identify whether an activity qualifies as monitoring the behaviour of individuals in the EU/EEA, organizations should look at the purpose of the collection and at any subsequent reuse of the data for behavioural analysis or profiling. A relevant indicator is the ability to perform automated analysis or to predict behaviour, movements, personal preferences, performance and so on.
Monitoring can be carried out through a wide range of activities, from cookies and behavioural advertising on the internet to smart devices and even CCTV surveillance. Given this wide scope, organizations should evaluate the means they currently use to analyse customers, employees or any other individuals, both online and offline.
The ‘targeting’ criterion again applies to both controllers and processors. Moreover, a processor located outside the EU/EEA whose processing activities relate to the ‘targeting’ of individuals in the EU/EEA by a controller also falls within the scope of the GDPR.
Overall, extraterritorial applicability is one of the GDPR’s ambitions. As a result, companies established outside the EU/EEA with even limited activity directed at the Union may fall within the scope of the GDPR and are required to comply with its provisions.
One specific obligation for a company outside the EU/EEA that falls within the scope of the GDPR is to designate a representative in the EU/EEA (Article 27). The representative facilitates communication between the supervisory authorities and the organization and addresses data subject requests originating in the EU/EEA. A narrow exemption exists for processing that is occasional, does not involve special categories of data on a large scale and is unlikely to result in a risk to individuals, but most organizations that target the EU/EEA will not qualify for it. At White Label, we offer these services, and we can be your EU/EEA representative!
In summary, the reach of the GDPR extends well beyond Europe’s borders, since applicability is tied to processing activities connected to the EU rather than to the physical location of the organization. This makes the GDPR an international instrument that establishes common standards in the context of international data flows. However, a company that is not familiar with the European privacy landscape may find it difficult to be aware of its compliance obligations under the GDPR.
If you have doubts on whether the company you represent might fall within the scope of GDPR, or you know that you should comply with the Regulation and need a representative in the EU/EEA, do not hesitate to contact us. We are happy to chat and answer your questions!
Ending note: this blog article follows the interpretation of the GDPR given in the European Data Protection Board’s Guidelines 3/2018 on the territorial scope of the GDPR.