GDPR - Global coverage

Dentons

In mid-November the European Data Protection Board (EDPB) issued Guidelines on the territorial scope of the General Data Protection Regulation (GDPR) subject to public consultation. The aim of the Guidelines is to clarify when GDPR applies to your business even if your presence on the EU market is limited or close to zero.

GDPR applies to your business in two cases:

  1. when a controller or a processor is “established” in the EU and the processing takes place in connection with activities of this establishment – rule of “EU Establishment”, or
  2. when a controller is not established in the EU but uses personal data of individuals located in the EU while (i) offering them goods or services, or (ii) monitoring their behavior in the EU – rule of “Targeting”.

EU Establishment Rule

The term “establishment” is understood very broadly and does not require formal registration of an entity in the EU. Hence, apart from branches and subsidiaries of a non-EU entity, the term “establishment” also includes any stable arrangement that a company may have within the EU. In some circumstances even placing one employee within the EU to facilitate business may trigger application of the GDPR. The key issue is that there must be a connection between the operations of the “establishment” and the use of personal data ‒ it doesn’t matter if the processing operations take place in the EU or outside.

What does it mean in practice?

GDPR will be applicable to:
  • companies which are located in the EU;
      Example: US company having a branch and office located in Brussels;
  • companies which have a representative located in the EU in order to facilitate EU business activities;
      Example: China-based e-commerce website operator which placed an employee in Berlin in order to implement marketing campaigns;
  • entities located in the EU even if not providing services on the EU market;
      Example: company located in France but providing a car sharing application only to customers in Morocco, Algeria and Tunisia;
      Example: pharmaceutical company located in Stockholm that has all its processing operations in Singapore.

GDPR will NOT be applicable to:
  • non-EU companies which merely have websites available from the EU;
      Example: a hotel chain in South Africa offering package deals in English, Spanish and French if it has no stable arrangements in the EU and is not targeting an EU audience;
  • non-EU companies (controllers) using EU processors;
      Example: Mexican retail company (controller) signs a contract covering the processing of its clients’ personal data with a processor established in Spain.

Targeting Rule

Independently, the GDPR applies to the processing of personal data of all individuals who are located in the EU (regardless of their citizenship) if a non-EU controller or processor intends to specifically target individuals in EU Member States. This relates to (i) direct or indirect offering of goods or services and (ii) whenever personal data of individuals in the EU are monitored, analyzed or profiled for the purposes of behavioral advertisement, geo-localization or online tracking (e.g. cookies).

What does it mean in practice?

GDPR will be applicable to:
  • non-EU companies that offer delivery to EU Member States;
      Example: a website managed and based in Turkey offering services of creating and shipping personalized family photo albums to customers in the UK and France;
  • companies which launch advertising campaigns directed at an EU audience;
      Example: US start-up, without any presence in the EU, providing a city-mapping application for London, Paris and Rome in order to target ads for places to visit, restaurants and hotels.

GDPR will NOT be applicable to:
  • non-EU companies which offer services not directed at an EU market;
      Example: US news application which may be downloaded by a US citizen visiting Europe; or a bank in Taiwan that opens an account for a German citizen;
  • non-EU entities that hire EU nationals;
      Example: a private company based in Monaco that processes personal data of its French and Italian employees.

Conclusions

Although the Guidelines shed some light on the application of GDPR, uncertainty remains in a number of real-life scenarios, e.g., it is unclear how to interpret the “indirect” offering of goods criterion or how to approach a “reversed transfer” of personal data when an EU processor retransfers personal data to a non-EU controller. Therefore, prudence and a risk-based assessment are recommended for non-EU companies when processing data of individuals located in the EU.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising
