Achieving GDPR Compliance for Non-EU Organisations Explained


GDPR is a Challenge for any International Organisation

As 25th May 2018 was coming to a close, the EDPB (European Data Protection Board) published its Guidance on GDPR Article 3 (territorial scope). The main objective was to clarify when the GDPR applies to your business even if your presence on the EU market is limited or negligible.

The GDPR regulation applies to your business in two cases:

  1. when a controller or a processor is “established” in the EU and the processing takes place in connection with the activities of this establishment – the rule of “EU Establishment”, or
  2. when a controller is not established in the EU but uses personal data of individuals located in the EU while (i) offering them goods or services, or (ii) monitoring their behaviour in the EU – the rule of “Targeting”.

EU Establishment Explained

The term “establishment” is interpreted broadly and does not require the formal registration of an entity in the EU. Thus, apart from operational branches and subsidiaries of a non-EU entity, the term “establishment” also covers any fixed arrangement that an organisation may have within one of the EU member states. In one example, locating just one employee within an EU member state to facilitate business can be enough to bring that organisation within the scope of the GDPR. The key point is that there must be a connection between the data processing activities and the activities of the “establishment”. Where the data processing itself takes place, whether inside or outside the European Union, does not matter. Mapping your organisation's operations and data flows can help determine the outcome.

Let’s look at some examples in practice.

GDPR will apply to:

  1. organisations which are located within the EU. Example: an international organisation having a branch and office located in Amsterdam;
  2. organisations that have a representative positioned in the EU in order to facilitate EU business operations. Example: a Brazilian-based gaming platform operator which placed a marketing employee in Paris in order to strategise marketing efforts;
  3. organisations located in the EU even if they are not providing services to the EU market. Examples: an organisation located in Belgium providing a taxi booking application only to customers in Japan, Singapore and Thailand; a manufacturing organisation whose headquarters are in Stockholm and whose processing operations are all in Tokyo.

GDPR will NOT be applicable to:

  1. international non-EU companies which only have websites available from the EU. Example: a travel company in Australia offering package holidays in English, Spanish and German, if it has no stable arrangements in the EU and is not targeting an EU audience;
  2. non-EU companies classed as controllers under the GDPR that use EU data processors. Example: an Argentinian retail company (controller) signs a contract covering the processing of its clients’ personal data with a data processor established in Ireland.

Targeting Rule explained

Independently, the GDPR applies to the processing of personal data of all data subjects who are located in the EU (regardless of their citizenship) if an international non-EU controller or processor specifically targets individuals in one of the 28 EU Member States. This relates to (i) the direct or indirect offering of goods or services and (ii) any monitoring, inspection or profiling of personal data of individuals in the EU for the purposes of behavioural advertising, geo-localisation or online tracking (e.g. cookies, pixels, etc.).

What does it mean in practice?

GDPR will apply to:

  1. international non-EU organisations that offer delivery to one of the 28 EU Member States. Example: an online eCommerce site managed and located in Mexico offering the creation and delivery of modern acrylic house number signs to customers in Austria and Spain;
  2. organisations which launch advertising campaigns directed at an EU audience. Example: a US start-up, without any presence in any of the EU member states, providing a travel guide mobile application for Amsterdam, Paris and Munich for the purpose of delivering targeted ads for places of interest, restaurants and hotels.

GDPR will NOT be applicable to:

  1. international non-EU companies which offer services not directed at an EU market. Examples: a US local news mobile app which may be downloaded and installed by a US citizen visiting Europe; a bank in Singapore that opens an account for a UK citizen;
  2. non-EU entities that hire EU nationals. Example: a private company based in the Bahamas that processes personal data of its French and Italian employees.

Wrap up

Although the Guidance indeed sheds light on the application of the GDPR, much uncertainty remains in a number of real-life cases. Therefore, we always recommend a full risk-based assessment for international non-EU based companies whenever personal data of individuals located in the EU is monitored, inspected or profiled for the purposes of behavioural advertising, geo-localisation or online tracking (e.g. cookies, pixels, etc.).

The Relentless team delivers a broad range of GDPR services to international organisations. We also cover data protection laws across the globe to ensure compliance with international data processing law.

The Relentless GDPR 24/7 Platform is now launched. GDPR 24/7 is a comprehensive portal with 11 modules to help your organisation achieve and maintain compliance. Try it FREE for 14 days.
