GDPR is a Challenge for any International Organisation
As 25th May 2018 was coming to a close, the EDPB (European Data Protection Board) published its Guidance on GDPR Article 3 (territorial scope). The main objective was to clarify when the GDPR applies to your business, even if your presence on the EU market is limited or negligible.
The GDPR applies to your business in two cases:
- when a controller or a processor is “established” in the EU and the processing takes place in connection with the activities of this establishment – the rule of “EU Establishment”, or
- when a controller is not established in the EU but uses personal data of individuals located in the EU while (i) offering them goods or services, or (ii) monitoring their behaviour in the EU – the rule of “Targeting”.
EU Establishment Explained
The term “establishment” is interpreted broadly and does not require the formal registration of an entity in the EU. Thus, apart from operational branches and subsidiaries of a non-EU entity, the term “establishment” also covers any fixed arrangement that an organisation may have within one of the EU member states. In one example, even locating a single employee within an EU member state to facilitate business can trigger the application of the GDPR to that organisation. The key point is that there must be a connection between the data processing activities and the “establishment”. The location where the data processing itself takes place, whether inside or outside the European Union, does not matter. Mapping your organisation’s operations and data flows can help determine the outcome.
Let’s look at some examples in practice.
| GDPR will apply to | Examples |
|---|---|
| organisations which are located within the EU | an international organisation having a branch and office located in Amsterdam |
| organisations that have a representative positioned in the EU in order to facilitate EU business operations | a Brazilian-based gaming platform operator which placed a marketing employee in Paris in order to strategise marketing efforts |
| organisations located in the EU even if they are not providing services to the EU market | an organisation located in Belgium providing a taxi booking application only to customers in Japan, Singapore and Thailand; a manufacturing organisation whose headquarters are in Stockholm and which has all its processing operations in Tokyo |

| GDPR will NOT be applicable to | Examples |
|---|---|
| international non-EU companies which only have websites available from the EU | a travel company in Australia offering package holidays in English, Spanish and German, if it has no stable arrangements in the EU and is not targeting an EU audience |
| non-EU companies which are classed as controllers under the GDPR and use EU data processors | an Argentinian retail company (controller) signs a contract covering the processing of its clients’ personal data with a data processor established in Ireland |
Targeting Rule Explained
Independently of the establishment rule, the GDPR applies to the processing of personal data of all data subjects who are located in the EU (regardless of their citizenship) if an international non-EU controller or processor specifically targets individuals in one of the 28 EU Member States. This covers (i) the direct or indirect offering of goods or services and (ii) any case where the personal data of individuals in the EU are monitored, inspected or profiled for the purposes of behavioural advertising, geo-localisation or online tracking (e.g. cookies, pixels etc.).
What does it mean in practice?
| GDPR will apply to | Examples |
|---|---|
| international non-EU organisations that offer delivery to one of the 28 EU Member States | an online eCommerce site managed and located in Mexico, offering services of creating and delivering modern acrylic house number signs to customers in Austria and Spain |
| organisations which launch advertising campaigns directed at an EU audience | a US start-up, without any presence in any of the EU member states, providing a travel guide mobile application for Amsterdam, Paris and Munich for the purpose of delivering targeted ads for places of interest, restaurants and hotels |

| GDPR will NOT be applicable to | Examples |
|---|---|
| international non-EU companies which offer services not directed at an EU market | a US local news mobile app which may be downloaded and installed by a US citizen visiting Europe; or a bank in Singapore that opens an account for a UK citizen |
| non-EU entities that hire EU nationals | a private company based in the Bahamas that processes personal data of its French and Italian employees |
Although the Guidance indeed sheds light on the application of the GDPR, much uncertainty still remains in a number of real-life cases. Therefore, we always recommend a full risk-based assessment for international non-EU based companies whenever the personal data of individuals located in the EU are processed, monitored, inspected or profiled for the purposes of behavioural advertising, geo-localisation or online tracking (e.g. cookies, pixels etc.).
The Relentless team delivers a broad range of GDPR services to international organisations. We also cover data protection laws across the globe to ensure global compliance with international data processing law.