By Odia Kagan
GDPR aims to protect the integrity and privacy of data that identifies individuals by increasing transparency, improving accuracy, limiting collection and giving individuals expanded rights concerning their data. It also carries significant fines for violations.
In an effort to clarify to whom the law applies, The European Data Protection Board (EDPB) has issued guidelines on the territorial scope of GDPR.
What do they say? For one thing, even entities with no physical presence (or “establishment”) in the EU may be subject to some of the GDPR’s provisions if they offer products or services to customers in the EU or “direct” an activity to the EU market.
Here are some more big-picture takeaways:
1. Companies with an “establishment in the Union” are subject to GDPR’s requirements. What does that mean?
- Having a physical location in the EU is clearly an establishment, but you do not need to have a branch or subsidiary in an EU member state.
- Any real and effective activity, even a minimal one, could satisfy the notion of “establishment” for the purposes of Article 3(1) jurisdiction, even, in some cases, the presence of a single employee.
- Just having a website accessible from Europe is not enough.
2. If you have an EU establishment, what data processing is subject to GDPR? That depends on whether the processing is carried out “in the context of the activities” of that establishment.
- GDPR will apply to your data processing if there is an inextricable link between the activities of your EU establishment and your processing of data as a non-EU entity.
- Absent such a link, you will not, as a non-EU data controller, become subject to GDPR simply by deciding to use a data processor (a service provider carrying out the data controller's instructions) located in the European Union.
- Conversely, if you are a data controller that is subject to GDPR and you choose to use a processor that is located outside the Union and not itself subject to GDPR, you will still need to ensure by contract that the processor processes your data in accordance with the GDPR.
3. If you determine you do not have an EU establishment, are you exempt? You still may be subject to the law if you offer products or services to individuals in the EU, and process data or monitor individuals’ behavior in the EU related to that business.
a) “In the EU” means physically located in the EU at the time of the offering of goods or services (or the monitoring of behavior, see below). Individuals do not need to be citizens or residents of the EU.
b) Does your data processing relate to (1) the offering of goods or services or (2) the monitoring of data subjects’ behavior in the EU?
(1) What does it mean to offer goods or services?
In order to fall under GDPR, you need to attempt to establish commercial relations with consumers in the EU. To determine this, the EDPB employs the concept of “directing an activity” to the EU market. Receiving payment for products or services, however, is not required. Some of these activities may include:
- marketing and advertising campaigns directed at an EU country audience
- mentioning dedicated addresses or phone numbers to be reached from an EU country
- using an EU or member state top-level domain name
- mentioning customers domiciled in various EU member states, including client testimonials
- using an EU language or a currency
- offering the delivery of goods in EU member states.
(2) What does it mean to “monitor the behavior” of individuals in the EU?
- Monitoring can be done both on the internet and through other methods involving personal data processing, for example through wearable and other smart devices.
- Monitoring activities include:
  - behavioral advertising
  - geo-localization activities, in particular for marketing purposes
  - personalized diet and health analytics services online
  - market surveys and other behavioral studies based on individual profiles
  - monitoring or regular reporting on an individual’s health status
4. If you determine you are subject to GDPR, do you need to appoint a representative in the EU?
In general, if you are a non-EU controller or processor that is subject to GDPR, you are required to appoint a representative in the Union. Local representatives may be held liable for the non-EU entity’s breaches and may be subject to administrative fines and penalties.
The appointed representative should be established in one of the member states where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behavior is monitored, are located.
There are some exemptions. “Public authorities” are exempt, as are entities for which data processing is “occasional” and “does not include, on a large scale, processing of special categories of data … or processing of personal data relating to criminal convictions and offences …”, and for which such processing “is unlikely to result in a risk to the rights and freedoms of natural persons.”
Odia Kagan is Chair of GDPR Compliance & International Privacy and a partner in the firm's Privacy & Data Security and Emerging Companies & Venture Capital practices. She can be reached at 215.444.7313 or [email protected].