In mid-November the European Data Protection Board (EDPB) issued Guidelines on the territorial scope of the General Data Protection Regulation (GDPR) subject to public consultation. The aim of the Guidelines is to clarify when GDPR applies to your business even if your presence on the EU market is limited or close to zero.
GDPR applies to your business in two cases:
- when a controller or a processor is "established" in the EU and the processing takes place in connection with activities of this establishment – rule of "EU Establishment", or
- when a controller is not established in the EU but uses personal data of individuals located in the EU while (i) offering them goods or services, or (ii) monitoring their behavior in the EU – rule of "Targeting".
EU Establishment Rule
The term "establishment" is understood very broadly and does not require formal registration of an entity in the EU. Hence, apart from branches and subsidiaries of a non-EU entity, the term "establishment" also includes any stable arrangement that a company may have within the EU. In some circumstances even placing one employee within the EU to facilitate business may trigger application of the GDPR. The key issue is that there must be a connection between the operations of the "establishment" and the use of personal data ‒ it doesn't matter if the processing operations take place in the EU or outside.
What does it mean in practice?
GDPR will be applicable to | EXAMPLES |
---|---|
GDPR will NOT be applicable to | EXAMPLES |
---|---|
Targeting Rule
Independently, the GDPR applies to the processing of personal data of all individuals who are located in the EU (regardless of their citizenship) if a non-EU controller or processor intends to specifically target individuals in EU Member States. This relates to (i) direct or indirect offering of goods or services and (ii) whenever personal data of individuals in the EU are monitored, analyzed or profiled for the purposes of behavioral advertisement, geo-localization or online tracking (e.g. cookies).
What does it mean in practice?
GDPR will be applicable to | EXAMPLES |
---|---|
GDPR will NOT be applicable to | EXAMPLES |
---|---|
Conclusions
Although the Guidelines shed some light on the application of GDPR, uncertainty remains in a number of real-life scenarios, e.g., it is unclear how to interpret the "indirect" offering of goods criterion or how to approach a "reversed transfer" of personal data when an EU processor retransfers personal data to a non-EU controller. Therefore, prudence and a risk-based assessment are recommended for non-EU companies when processing data of individuals located in the EU.
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.