The European Data Protection Board (the ‘Board’), the independent EU body responsible for clarifying data protection laws and ensuring their consistent interpretation, has released guidelines clarifying the territorial scope of the General Data Protection Regulation (‘GDPR’).
As you may already know, the GDPR may apply to organisations operating outside the EU if there is:
The criteria above require thoughtful analysis of both legal concepts (e.g. what ‘establishment’ means under EU law) and concepts that are not purely legal (e.g. what factors indicate that processing is carried out in the context of a local establishment’s activities).
The Board presented its position on a number of questions raised by the companies concerned (especially in non-EU jurisdictions). Below you will find a brief summary of the guidelines the Board released for public consultation, which closed on 18 January 2019 (please note that the guidelines may be amended later in the light of feedback received during the public consultation). We hope that it will help you to find the answers you are looking for, or at least serve as a good starting point for studying the guidelines in depth.
Key questions to be analysed within the Targeting Test
Companies with no establishment in the EU may still be subject to the GDPR. The Board suggests a twofold exercise to determine whether the GDPR applies, which involves analysing two questions:
Data subject located in the EU
This test does not require an assessment of nationality, legal status or place of residence.
Data subjects must be located in the EU at the moment when the goods or services are offered or when their behaviour is monitored.
The Board gives the following example:
A company established in the US, without any presence in the EU, provides a city-mapping application for tourists. The application processes personal data concerning the location of customers using the app, once they start using it in the city they visit, in order to offer targeted advertisements.
The application is available for tourists visiting, amongst others, Rome, Paris and London. This processing falls within the scope of the GDPR, as the company is offering services to individuals in the EU.
If the app were exclusively directed at tourists (even if these tourists were EU citizens) in the US, the processing would not be subject to the GDPR.
The element of targeting is crucial; the mere fact that the company processes data of individuals in the EU does not trigger application of the GDPR.
Another example given by the Board:
A bank in Taiwan has customers who reside in Taiwan but hold German citizenship. The bank is active only in Taiwan; its activities do not target the EU market. In this case, the processing of these German customers’ data is not subject to the GDPR.
The Board gave some examples of factors that will indicate that a non-EU company has the intention to offer services or goods to data subjects located in the EU. These include:
Please bear in mind that the mere accessibility of a website, an email address or other contact details is not sufficient evidence to demonstrate an intention to offer goods or services to data subjects in the EU.
Monitoring implies that there is a specific purpose or purposes for the use of the data collected in the course of monitoring data subjects’ behaviour. The monitored behaviour must first relate to a data subject in the EU and, as a cumulative condition, must take place within the territory of the EU.
The Board gives the following examples: