Framework 

The European Data Protection Board, the independent EU body in charge of clarifying data protection laws and ensuring their consistent interpretation,  (the ‘Board’) has released guidelines clarifying the territorial scope of the General Data Protection Regulation (‘GDPR’).

As you may already know, the GDPR may be apply to organisations operating outside the EU if there is:

• processing of personal data by the non-EU controller/processor carried out in the context of the activities of the controller/processor being established in the EU, regardless of whether the processing takes place in the EU or not (‘Establishment Test’);
• processing of personal data of data subjects located in the EU by a controller or  processor that is not established in the EU, if processing activities relate to offering goods or services (irrespective of whether a payment is required), to data subjects in the EU; or monitoring of their behaviour to the extent their behaviour takes place within the EU (‘Targeting Test’).

The criteria above require thoughtful analysis of both legal concepts (e.g. what establishment under the EU law means) and not purely legal concepts (e.g. what factors indicate that processing is carried out in the context of a local establishment’s activities).

The Board presented its vision on a number of questions being raised by the companies concerned (especially in non-EU jurisdictions). Below, you will find a brief summary of the guidelines provided by the Board for public consultation, which closed on 18 January 2019 (please note the guidelines may be changed later in the light of feedback received in the course of public consultations). We hope that it will help you to find answers you are looking for, or at least be a good starting point to study the guidelines in depth.

Targeting Test 

Key questions to be analysed within the Targeting Test 

Companies with no establishment in the EU may still be subject to the GDPR. The Board suggests a twofold exercise to determine whether GDPR will apply. It implies analysis of two questions:

• Does the data processing relate to personal data of data subjects located in the EU?
• Does the data processing relate to offering goods or services or monitoring behaviour of these data subjects?

Data subject located in the EU 

This test does not require an assessment of nationality, legal status or place of residence.

Data subjects must be located in the EU at the moment when good or service is offered or when the behaviour is monitored.

The Board gives the following example:

A company established in the US, without any presence in the EU, provides a city-mapping application for tourists. The application processes personal data concerning the location of customers using the app, once they start using it in the city they visit, in order to offer targeted advertisements.

The application is available for tourists visiting, amongst others, Rome Paris, and London. This processing falls within the scope of the GDPR, as the company is offering services to individuals in the EU.

If the app were exclusively directed at tourists (even if these tourists were EU citizens) in the US, the processing would not be subject to the GDPR.

The element of targeting is crucial; the mere fact that the company processes data of individuals in the EU does not trigger application of the GDPR.

Another example given by the Board:

A bank in Taiwan has customers that reside in Taiwan, but hold German citizenship. The bank is active only in Taiwan; its activities do not target the EU market. Processing of these German customer data subjects is not subject to the GDPR, in this case.

Targeting criteria 

The Board gave some examples of factors that will indicate that a non-EU company has the intention to offer services or goods to data subjects located in the EU. These include:

• the EU, or at least one Member State is designated by name with reference to the good or service offered;
• the international nature of the non-EU organisation’s activity (e.g. tourism);
• the mention of dedicated addresses or telephone numbers to be reached from the EU country;
• the use of a top-level domain name, other than that of the third country in which non-EU controller or processor is established;
• payments for Internet referencing services in order to facilitate access to service by consumers in the EU;
• the use of a language, or a currency, other than that generally used in the trader’s country;
• marketing campaigns directed at an EU audience;
• the offer of delivery of goods in the EU.

Please bear in mind that mere accessibility of the website, email address or other contact details are not sufficient evidence to demonstrate the intention of offering goods or services to data subjects in the EU.

Monitoring criteria 

Monitoring implies that there is a specific purpose or purposes for use of the data collected in the course of monitoring of data subjects’ behaviour. The behaviour monitored must first relate to a data subject in the EU and, as a cumulative condition, the monitored behaviour must take place within the territory of the EU.

The Board gives the following examples:

• behavioural advertisements;
• geo-localisation activities, in particular for marketing purposes;
• online tracking, through the use of cookies, or other tracking techniques (such as fingerprinting);
• market surveys and other behavioural studies based on individual profiles.