The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, BCLP is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: If a company has European employees is it subject to the GDPR?
Answer: Not necessarily.
The GDPR applies to companies that process data “in the context of the activities of an establishment . . . in the Union.”[1] Although the regulation does not offer a precise definition of what it means to be an “establishment,” it notes that establishment “implies the effective and real exercise of activity through stable arrangements.”[2] While the European Court of Justice has held that the "presence of only one representative [in a Member State] can, in some circumstances, suffice to constitute a stable arrangement if that representative acts with a sufficient degree of stability through the presence of the necessary equipment,” it stopped short of holding that the presence of a representative or an employee always confers establishment jurisdiction.[3] To the contrary, if a company employs individuals in Europe, but those individuals are not responsible for processing personal data, there would be a strong argument that their employment does not create establishment jurisdiction.
The GDPR also purports to apply extraterritorially to companies that have no establishments in Europe, but “offer goods or services” to people that are in Europe. The European Data Protection Board has specifically rejected the proposition that a company that employs Europeans should be considered as “offer[ing] goods or services” to Europeans. According to the EDPB, human resource processing “does not relate to the offer of goods or services to data subjects in the Union (nor to the monitoring of behavior) and, as a consequence, is not subject to the provisions of the GDPR . . . .”[4]
[View source.]