PART 2: Does the GDPR apply to your company, even if it is based outside of the EU?
Welcome to Part 2 of our article covering the “Territorial Scope” of Personal Data Processing.
In the light of Brexit, as well as for any other non-EU companies dealing with personal data, many are still asking questions about the application of the General Data Protection Regulation (GDPR) adopted last year - especially if they are carrying out business online.
In our first article of this two-part series, we discussed the notion of establishment under the GDPR, in light of the European Data Protection Board (EDPB) guidelines. In this second part of this two-part article, we hope to provide you with a quick overview of the key points published by the EDPB in respect of “targeting” to see if what your business is doing is caught by the GDPR - even if you are not established in the EU.
Article 3 of the GDPR sets out the territorial scope of the provisions, which is defined on the basis of two main criteria: establishment (Article 3(1)) (which we discussed in the first part of this two-part series) and targeting (Article 3(2)) which we discuss here.
As we will see below, the notion of targeting is particularly important for businesses which conduct activities online, such as selling goods or services (i.e., online marketplaces, e-commerce, internet retail, digital download and streaming service providers) as well as those which provide profiling and analytics services to track and monitor behaviour online.
If a business meets either establishment and/or the targeting criteria, the GDPR and all its provisions will apply to that business’ personal data processing activities.
The EDPB’s guidelines help you to consider whether particular processing (as a controller or a processor) falls within the scope of the GDPR, and therefore whether its provisions need to be implemented. in this second and final part of this two-part article, we will therefore focus on the relevant guidance relating to targeting.
The “Targeting” Criteria
So if you’re sure you are not established in the European Union, you must be excluded from the GDPR, right? Wrong!
The “targeting” criteria can be triggered by a controller or processor outside of the EU (Article 3(2)) depending on what their processing relates to. If the processing relates to the offering of goods or services within the EU, or the monitoring of behaviour within the EU, then the GDPR will apply.
Watch out - the EDPB warns that while its guidelines are a comprehensive guide on the scope of the GDPR, other applicable texts such as EU or Member States sectorial legislation or national laws may also apply.
Indeed, the GDPR allows Member States to add additional conditions to its rules so it is also important to seek local legal advice in the territories that you are targeting.
What does “within the EU” mean for targeting purposes?
The targeting criteria relates to the personal data of individuals within the EU, and cannot be limited by any other citizenship, residence or legal status at the time of processing. Whether the person is “in the EU” or not should be assessed at the moment when goods or services are offered, or the moment when their behaviour is monitored.
A data subject being based “in the EU” is not sufficient alone to trigger the applicability of the GDPR.
Processing of personal data outside of the EU is not caught the GDPR unless it relates to an offer of goods or services, or the monitoring of behaviour in the EU.
What type of goods or services?
Offering goods or services in the EU, regardless of whether or not payment is required, can activate the targeting criteria.
The intention of the controller or processor to offer goods or services within the EU must be apparent - so, simply allowing access to your website within the EU, or allowing your phone number to be visible without an international code is not sufficient to prove intention.
However if you accept the currency used in a Member State, or offer the possibility of ordering in another language, this might show that you envisaged offering your goods and services in the EU.
Monitoring data subjects’ behaviour
Monitoring behaviour which takes place in the EU and is related to a data subject in the EU will also trigger the application of the GDPR. Monitoring behaviour is understood as tracking people on the internet and on other kinds of networks and technology, to profile the person and analyse their preferences, behaviours and attitudes.
The EDPB does not consider that any online analysis of individuals in the EU would automatically count; again it is important to look at the intention of the party processing the data.
However, it is important to note that there is no degree of intention when it comes to monitoring behaviour for the targeting criterion to be activated.
We appreciate that there are quite a few points to take on board when establishing whether your non-EU business is likely to be caught by the GDPR, and therefore needs to comply with its provisions to avoid liability and sanctions.
Whilst the EDPB has set out some key clarification as to the application of the GDPR to non-EU businesses, it is always worth seeking specialist advice on your specific situation. Of course, if you need any assistance or require any further clarification, please get in touch with us here.
Article by Charlotte Gerrish, Lily Morrison and Marie Mortreux @ Gerrish Legal, January 2019