In mid-November the European Data Protection Board (EDPB) issued Guidelines on the territorial scope of the General Data Protection Regulation (GDPR) subject to public consultation. The aim of the Guidelines is to clarify when GDPR applies to your business even if your presence on the EU market is limited or close to zero.

GDPR applies to your business in two cases:

  1. when a controller or a processor is "established" in the EU and the processing takes place in the context of the activities of that establishment – the "EU Establishment" rule, or
  2. when a controller or a processor is not established in the EU but processes personal data of individuals located in the EU while (i) offering them goods or services, or (ii) monitoring their behavior in the EU – the "Targeting" rule.

EU Establishment Rule

The term "establishment" is understood very broadly and does not require formal registration of an entity in the EU. Hence, apart from branches and subsidiaries of a non-EU entity, the term "establishment" also covers any stable arrangement that a company maintains within the EU. In some circumstances even placing a single employee in the EU to facilitate business may trigger application of the GDPR. The key issue is that there must be a connection between the activities of the "establishment" and the processing of personal data ‒ it does not matter whether the processing operations themselves take place inside or outside the EU.

What does it mean in practice?

GDPR will be applicable to (with examples):
  • companies which are located in the EU, e.g. a US company having a branch and office located in Brussels;
  • companies which have a representative located in the EU in order to facilitate EU business activities, e.g. a China-based e-commerce website operator which placed an employee in Berlin in order to implement marketing campaigns;
  • entities located in the EU even if not providing services on the EU market, e.g. a company located in France but providing a car sharing application only to customers in Morocco, Algeria and Tunisia, or a pharmaceutical company located in Stockholm that has all its processing operations in Singapore.


GDPR will NOT be applicable to (with examples):
  • non-EU companies which merely have websites available from the EU, e.g. a hotel chain in South Africa offering package deals in English, Spanish and French if it has no stable arrangements in the EU and is not targeting an EU audience;
  • non-EU companies (controllers) merely using EU processors, e.g. a Mexican retail company (controller) that signs a contract covering the processing of its clients' personal data with a processor established in Spain (the Spanish processor itself, being established in the EU, remains subject to GDPR under the EU Establishment rule).

Targeting Rule

Independently, the GDPR applies to the processing of personal data of all individuals who are located in the EU (regardless of their citizenship) if a non-EU controller or processor intends to specifically target individuals in EU Member States. This covers (i) the direct or indirect offering of goods or services to such individuals and (ii) any monitoring of their behavior in the EU, i.e. whenever personal data of individuals in the EU are tracked, analyzed or profiled, for instance for behavioral advertising, geo-localization or online tracking (e.g. via cookies).

What does it mean in practice?

GDPR will be applicable to (with examples):
  • non-EU companies that offer delivery to EU Member States, e.g. a website managed and based in Turkey offering services of creating and shipping personalized family photo albums to customers in the UK and France;
  • companies which launch advertising campaigns directed at an EU audience, e.g. a US start-up, without any presence in the EU, providing a city-mapping application for London, Paris and Rome in order to target ads for places to visit, restaurants and hotels.


GDPR will NOT be applicable to (with examples):
  • non-EU companies which offer services not directed at an EU market, e.g. a US news application which may be downloaded by a US citizen visiting Europe, or a bank in Taiwan that opens an account for a German citizen;
  • non-EU entities that merely hire EU nationals, e.g. a private company based in Monaco that processes personal data of its French and Italian employees.

Conclusions

Although the Guidelines shed some light on the application of GDPR, uncertainty remains in a number of real-life scenarios: for example, it is unclear how to interpret the "indirect" offering of goods criterion, or how to approach a "reversed transfer" of personal data when an EU processor sends personal data back to a non-EU controller. Therefore, prudence and a risk-based assessment are recommended for non-EU companies when processing data of individuals located in the EU.

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.