Although the GDPR (General Data Protection Regulation) has its basis in EU law, organisations across the globe might be subject to its requirements.
Whether non-EU companies are subject to the GDPR depends on a variety of factors, which we discuss in this blog. We look at the circumstances in which the requirements must be met, exemptions to its rules and specific examples that demonstrate the Regulation’s scope.
When does the GDPR apply outside Europe?
Article 3 of the GDPR states that its requirements aren’t necessarily bound by the location in which an organisation is based.
Specifically, the GDPR applies:
- To data processing that takes place on behalf of data controllers or processors that are established in the EU – irrespective of whether the actual processing takes place within the EU;
- To the processing of EU residents’ data (irrespective of where the data controllers or processors are based) if the processing is conducted to offer goods and services to data subjects in the EU, or to monitor the behaviour of data subjects within the EU; and
- Where member state law applies by virtue of public international law.
A good rule of thumb is that the GDPR will apply if you are using personal information on behalf of an EU-based organisation and when you have EU-based customers.
However, it’s important to note that not all processing activities fall within the scope of ‘offering goods or services’ or ‘monitoring individuals’. If you’re unsure exactly what these refer to, here is an explanation:
If you offer goods or services to data subjects in the EU
As the phrasing suggests, goods and services refers to anything that an organisation provides to a customer.
This might be a physical product (e.g. an item of furniture, a takeaway meal, a pair of shoes) or an experience (e.g. a website, a utility, a leisure activity). What’s important to remember is that it’s something the user receives and which requires them to provide their personal data.
Because the GDPR’s territorial scope refers to the location of the consumer rather than the location of the organisation, it doesn’t matter where the product is created if it was designed to be used by someone in the EU.
If you monitor EU data subjects’ behaviour
Organisations can monitor consumers in any number of ways, whether by tracking their online browsing habits, tracking their location through GPS or processing their heart rate or step count.
If you process such information related to EU data subjects, the GDPR technically applies.
However, there is some leeway in this requirement because it can sometimes be difficult to identify who is using your service. Indeed, in many cases the privacy risks involved in gathering this information outweigh the benefits.
As such, this requirement will likely only apply if you have a significant number of EU users or are specifically targeting people based in the region.
When does the GDPR not apply outside Europe?
There is one caveat to the GDPR’s requirements: to fall within its scope, the processing must be part of an “enterprise”. Article 4(18) of the Regulation defines this as any legal entity that’s engaged in economic activity.
As such, its rules don’t apply to people processing personal data in the course of exclusively personal or household activity. This means you wouldn’t be subject to the Regulation if you keep personal contacts’ information on your computer or you have CCTV cameras on your house to deter intruders.
However, you must be careful not to mistake business conducted from home for a household activity.
Indeed, with many people now working from home some or all of the time, the lines between our professional and home lives have been blurred – but remember that any data storage or processing that’s part of a business activity is within the GDPR’s scope.
The only other derogation in the GDPR relates to the size of an organisation. Whether it is based in the EU or not, a business with fewer than 250 employees might be exempt from maintaining a record of processing activities under its responsibility.
This will be the case if the processing does not “result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data […] or personal data relating to criminal convictions and offences”.
Does the GDPR apply to EU citizens abroad?
Many non-EU organisations will argue that they have no way of knowing whether a data subject is within the GDPR’s scope, particularly if they visit in person or otherwise suggest that they reside locally.
Fortunately, the data subject’s current location takes precedence over their citizenship when determining whether the GDPR applies. That means EU citizens holidaying or living outside of the region aren’t subject to the Regulation’s rules.
You can think of it like the law of the land. If the individual is in your country, they are subject only to its laws. But if they are in the EU and provide their information remotely – online or over the phone – they are protected by the GDPR.
Examples of GDPR compliance outside the EU
With the information outlined so far, let’s take a look at some examples of data processing by non-EU organisations and whether they are subject to the GDPR.
Example 1: A restaurant in Marrakesh has a website that allows people to book a table or use its takeaway service. European holidaymakers occasionally visit the restaurant and use its booking service.
The GDPR doesn’t apply in this case, because its service is targeted at people who reside locally.
Although EU residents may occasionally use its service, the data privacy risks of identifying those people outweigh the benefits of implementing the necessary measures.
Example 2: A software company in Tokyo has created a tourist app that tracks users’ locations and provides nearby points of interest. It has options for tourists in Tokyo, Paris, London and Rome.
In this case, the GDPR applies, because the organisation’s services are designed to be used by people in the EU, whether they are local or visiting from elsewhere.
Example 3: A US citizen is on a business trip to London. While there, he downloads a news app from his hometown.
In this case, the GDPR doesn’t apply, even though the individual was in the EU when their data was collected.
That’s because, for the GDPR to apply, the goods/services or monitoring must target people in the EU.
Unlike the second example, in which the software company must assume that its service will be used by people in the EU, that’s not the case here.
The news provider’s service is designed specifically for people in the US, and although some people may use its service in the EU, the organisation hasn’t done anything to promote this.
Achieving GDPR compliance
GRCI Law is dedicated to helping organisations meet their data protection compliance requirements. You can find advice on specific aspects of the GDPR below:
- How to handle data breaches according to the GDPR
- The GDPR and EU representatives
- What are the key provisions of the GDPR?
We can also help you fulfil your representative requirements via our EU GDPR Representative Service.
With this subscription service, our team of lawyers, barristers, and information and cyber security experts take the strain of GDPR compliance, acting as your representative for personal data processing activities.