GDPR and Non-EU Companies — Where Is the Line Drawn?
Originally published at www.kentico.com.
Geographical implications and applicability seem to be gray areas for some. Where the borders of applicability lie for those companies based outside the EU can appear confusing. So, let’s clear away many of those doubts by addressing some of those key GDPR criteria affecting non-EU-based companies.
In this two-part mini GDPR series, we will talk about factors that must be taken into account based on geography, not just for the companies themselves, but also the ramifications for their businesses based on the places in which they carry out their business, either knowingly or otherwise. This ties in well with the fact that since we started our series on GDPR last month, we have received questions from readers seeking to clarify some of those international implications that GDPR raises.
So let’s jump to our first hypothetical scenario: If you are a US-based company but selling to EU companies, obviously, you fall under GDPR. But what about if you are US company but not selling to EU but collecting analytics data on EU located visitors? Please define the conditions that cause a company or their actions to fall under GDPR.
It is true that non-EU companies process personal data pursuant to their local data protection regulations. However, there are specific situations in which non-EU companies will have to comply with GDPR requirements. In the following paragraphs, we will go through the rules in GDPR, in particular, Article 3 of GDPR on the territorial scope, and explain these types of situations to you:
1) This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
According to case law, the term “establishment” should be interpreted broadly and flexibly. An organization is established if it exercises any real and effective activity — even a minimal one — through stable arrangements in the EU.
For example, if a company has a legal representative in the EU with a contact address or a bank account for the purposes of providing the company’s services, the data processing associated with the activities of this entity is subject to the requirements of GDPR. Another example is sales offices in the EU that promote or sell advertising or marketing targeting EU residents.
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
2) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union
It must be apparent that the organization envisages that activities will be directed to EU data subjects. Examples: intentional use of an EU language/currency, ability to place orders in that language and references to EU users or customers, payment for marketing activities directed at EU users, EU phone numbers, EU top level domain names, etc.
3) the monitoring of data subjects’ behaviour as far as their behaviour takes place within the Union
In particular in online business, if you are monitoring the behavior of users that takes place within the EU, you have to comply with the requirements of GDPR. This affects the use of different types of web analytics tools, as well as tracking for personalization purposes. It applies to website visits from users that are in the EU, regardless of whether they are EU citizens or not. On the other hand, the rule is also often interpreted in the way that the monitoring of EU citizens that are, at the moment of the website visit, located outside of the EU — this is not subject to GDPR.
4) If you have a contract with a client from within the EU or a client applying GDPR
This situation is for an outside-of-the-EU agency/company doing some work for your EU clients that includes personal data (email marketing, web analytics, data storage, etc.). In this situation, you are in the position of a data processor and the client is a data controller. This means your relationship should be governed by the data processing contract under Article 28 of the GDPR and you are allowed to do only what is in the contract and must implement all measures stated there. The data controller must comply with GDPR, therefore, the contract would require you to use such methods/measures that are in accordance with GDPR. Therefore, indirectly, you need to be able to comply with GDPR.
To be more specific, the contract between you and your EU client should stipulate, among other things, that the processor:
- processes the personal data only on documented instructions from the controller
- takes all measures for data security purposes
- taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of GDPR
- assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of GDPR taking into account the nature of processing and the information available to the processor
In conclusion, every non-EU client will have to evaluate the specific details of their data processing activities in the light of these requirements and decide on the necessary steps to take. It also means that those directly involved in the execution of them must be aware of their responsibilities, and how they fit into the grander scheme of things.
In preparation for the second part of the blog post, I would like to invite you to comment below on those topics that have been addressed in this article. Are there any areas that you would like me to go into further? As I was limited by space, maybe you feel I overlooked something that is important for you. Whatever your opinion or suggestions, you are very welcome to add your comments. I would love to hear from you so I can clear up any of those things you would like to focus on further.