What does the General Data Protection Regulation mean for companies outside the EU?
Until now, EU Data Protection Laws have only applied to companies with a presence in the EU. The General Data Protection Regulation (GDPR) now deviates from this principle, with the consequence that the new law not only affects companies within the EU, but also countries outside of its borders. In certain situations, the GDPR is also applicable to companies (controllers) outside of the EU.
The potential cross-border applicability has left many companies outside the EU confused, and it has led to uncertainty.
Does my company now have to comply with the GDPR or not?
The EU, or the European Data Protection Board (EDPB), have recognized this problem and published a draft guideline with helpful examples. Where it could be useful to readers, this article refers to the examples in this guideline.
Is my company affected by the GDPR?
The GDPR distinguishes between two main criteria:
Is there an establishment in the EU (Art. 3 (1) GDPR)?
Article 3(1) of the GDPR provides that the “Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” Hence, if a company has a branch, a local presence or a subsidiary in the EU, the GDPR applies. This also includes data processing as a processor for a company that is established in the EU. This principle was already applicable under the old Directive, so it is not new. As a result, it is not mandatory for a company to have its own legal personality, but rather, an establishment implies the effective and actual exercise of activities through stable arrangements. The legal form of such arrangements, and whether this is done through a branch or a subsidiary with a legal personality, is not the determining factor in that respect. The hurdle is set low, so the presence of only one employee could be sufficient to qualify as an activity in the EU. Moreover, it does not matter whether the personal data concerned is processed within the EU or outside of it. A controller cannot avoid the application of the GDPR by simply using a processor that is situated outside of the EU.
Example: A car manufacturing company with headquarters in the US has a fully-owned branch and office located in Brussels overseeing all its operations in Europe, including marketing and advertisement.
The Belgian branch can be considered to be a stable arrangement, which exercises real and effective activities in light of the nature of the economic activity carried out by the car manufacturing company. As such, the Belgian branch could therefore be considered as an establishment in the Union, within the meaning of the GDPR
Processors
The same requirements apply to processors. A processor established within the EU must comply with the GDPR. If a processor is established outside of the EU, but it is used to process personal data from EU data subjects, the processor must comply with GDPR rules as well. The controversial question of whether the GDPR applies if the controller is located outside of the EU but the processor is established within the EU has now been answered by the EDPB. According to its Guidelines, a controller who does not have a presence in the EU, pursuant to Art. 3 (1) GDPR, is not subject to the GDPR, even if the processor is located in the EU. Of course, this only applies if the controller does not fall within the scope of Art. 3 (2) GDPR.
Example: A processor established in Spain has entered in a contract with a Mexican retail company, the data controller, for the processing of its clients’ personal data. The Mexican company offers and directs its services exclusively to the Mexican market and its processing concerns exclusively data subjects located outside the Union.
In this case, the Mexican retail company does not target persons on the territory of the Union through the offering of goods or services, nor it does monitor the behaviour of person on the territory of the Union. The processing by the data controller, established outside the Union, is therefore not subject to the GDPR as per Article 3(2).
While the provisions of the GDPR does not apply to the data controller, the data processor, as a processor established in Spain, will be required to comply with the processor obligations imposed by the regulation for any processing carried out in the context of its activities.
Is the target market in the EU (Art. 3 (2) GDPR)?
The GDPR also applies if the data processing does not take place within the EU, but a data subject in the EU is affected by the data processing, i.e. as soon as services or goods are offered in the EU, the GDPR applies. In addition, the GDPR also applies if a controller monitors the behaviour of data subjects within the EU, even if the monitoring is done from outside of the EU. The second point primarily concerns behavioural analyses and the tracking of users on the internet (e.g. use of cookies). However, many companies use third-party providers (e.g. Google Analytics) for this purpose and therefore do not fall directly within this category. For most companies, the first point is the most relevant, therefore the important question is whether or not their offer is directly aimed at EU customers.
The targeted persons must be located in the EU, i.e. the applicability is not linked to nationality or a domicile. The requirement that the data subject be located within the Union must be assessed at the moment when the relevant trigger activity takes place, i.e. at the moment of offering of goods or services or the moment when the behaviour is being monitored, regardless of the duration of the offer made or the monitoring that is undertaken. However, the processing of the personal data of an individual alone is not sufficient to trigger the application of the GDPR if the individual is not targeted within the EU.
Example: A U.S. citizen is travelling through Europe during his holidays. While in Europe, he downloads and uses a news app that is offered by a U.S. company. The app is exclusively directed at the U.S. market. The collection of the U.S. tourist's personal data by the U.S. company, via the app, is not subject to the GDPR.
Even if the service is provided free of charge or goods are handed out for free, the GDPR still regards this as an "offer" of goods and services. A free APP can therefore also fall under the GDPR. Therefore, a case-by-case assessment is important. When considering the specific facts of the case, the following factors could therefore be taken into consideration inter alia, possibly in combination with one another:
The EU or at least one Member State is designated by name with reference to the good or service offered;
The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union; or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience;
The international nature of the activity at issue, such as certain tourist activities;
The mention of dedicated addresses or phone numbers to be reached from an EU country;
The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”;
The description of travel instructions from one or more other EU Member States to the place where the service is provided;
The mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;
The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member states;
The data controller offers the delivery of goods in EU Member States
Of course, this list is not exhaustive, and it should be noted that one point alone is not sufficient for the GDPR to apply.
Example: A website, based and managed in Turkey, offers services for the creation, edition, printing and shipping of personalised family photo albums. The website is available in English, French, Dutch and German and payments can be made in Euros or Sterling. The website indicates that photo albums can only be delivered by post mail in the UK, France, Benelux countries and Germany.
In this case, it is clear that the creation, editing and printing of personalised family photo albums constitute a service within the meaning of EU law. The fact that the website is available in four languages of the EU and that photo albums can be delivered by post in six EU Member States demonstrates that there is an intention on the part of the Turkish website to offer its services to individuals in the Union.
As a consequence, it is clear that the processing carried out by the Turkish website, as a data controller, relates to the offer of a service to data subjects within the Union, and it is therefore subject to the obligations and provisions of the GDPR, as per Article 3(2)(a).
In accordance with Article 27, the data controller is obliged to designate a representative within the Union.
Example: A private company based in Monaco processes personal data of its employees for the purposes of salary payment. A large number of the company’s employees are French and Italian residents.
In this case, while the processing carried out by the company relates to data subjects in France and Italy, it does not takes place in the context of an offer of goods or services. Indeed human resources management, including salary payment by a third-country company cannot be considered as an offer of service within the meaning of Art 3(2a) GDPR. The processing at stake does not relate to the offer of goods or services to data subjects in the Union (nor to the monitoring of behaviour) and, as a consequence, is not subject to the provisions of the GDPR, as per Article 3
Example: A Swiss University in Zurich is launching its Master degree selection process, by making available an online platform where candidates can upload their CV and cover letter, together with their contact details. The selection process is open to any student with a sufficient level of German and English and holding a Bachelor degree. The University does not specifically advertise to students in EU Universities, and only takes payment in Swiss currency.
As there is no distinction or specification for students from the Union in the application and selection process for this Master degree, it cannot be established that the Swiss University has the intention to target students from a particular EU member states. The sufficient level of German and English is a general requirement that applies to any applicant whether a Swiss resident, a person in the Union or a student from a third country. Without other factors to indicate the specific targeting of students in EU member states, it therefore cannot be established that the processing in question relates to the offer of an education service to data subject in the Union, and such processing will therefore not be subject to the GDPR provisions.
The Swiss University also offers summer courses in international relations and specifically advertise this offer in German and Austrian universities in order to maximise the courses’ attendance. In this case, there is a clear intention from the Swiss University to offer such service to data subjects who are in the Union, and the GDPR will apply to the related processing activities.
The second type of activity that triggers the application of Article 3(2) GDPR is the monitoring of the behaviour of data subjects, insofar as their behaviour takes place within the Union. Monitoring of affected individuals must of course be aimed at data subjects within the EU. It does not matter where in the world the controller is located. The term "monitor" can cover a wide range of activities and a case-by-case assessment must be carried out. In particular, the following activities may be included:
Cookies
Behavioural advertising
Geolocalisation, especially for marketing
Personalised services for nutrition or health analyses
Surveillance cameras
Surveys based on individual profiles
Health monitoring
If the target market is in the EU, whereby the GDPR is applicable, the person responsible must also appoint a data protection representative in the EU. However, the controller cannot benefit from the one-stop shop mechanism, according to Art. 56 GDPR, due to the lack of an establishment in the EU. As a result, in this case, there is no fixed lead supervisory authority.
This article was written by RA Yves Gogniat.
If you have further questions about Data Protection outside the EU, don’t hesitate to contact Balthasar Wicki.