If you’re one of the many organisations based outside the EU that have been told to review your GDPR (General Data Protection Regulation) compliance practices, you might be confused.
It’s an EU law, so why does the GDPR apply to organisations and individuals outside the EU? The answer to that, like the Regulation in general, is complicated, but we explain everything you need to know in this blog.
Does the GDPR apply outside the EU?
In short: yes. The GDPR’s territorial scope is defined by the location of the data subjects, rather than where the organisation processing their data is based.
For example, you might be a digital marketing company located in the US, but if you perform certain activities involving the personal data of someone in the EU, then that information is subject to the GDPR’s rules.
So, what activities would put you within the GDPR’s scope?
When does the GDPR apply outside the EU?
As Article 3.2 of the GDPR explains, non-EU organisations are subject to the Regulation if they offer goods and services to – or monitor the online behaviour of – people in the EU.
Let’s explain what the GDPR means by both of those terms.
The ‘goods and services’ part of the equation is straightforward, covering all physical and digital items or activities that an organisation provides.
However, the phrase ‘people in the EU’ requires a little more clarification.
For the sake of convenience, most explanations of the GDPR (including our own) generally refer to ‘EU residents’ or ‘citizens’, but the Regulation actually covers anyone who is physically in the EU, as well as those who live there.
Most of the time that will be citizens and residents, but there are exceptions. The EDPB (European Data Protection Board) provides the following example.
A start-up established in the USA, without any business presence or establishment in the EU, provides a city-mapping application for tourists.
The application processes personal data concerning the location of customers using the app (the data subjects) once they start using the application in the city they visit, in order to offer targeted advertisement for places to visits [sic], restaurant, bars and hotels.
The application is available for tourists while they visit New York, San Francisco, Toronto, London, Paris and Rome.
The US start-up, via its city mapping application, is offering services to individuals in the Union (specifically in London, Paris and Rome).
In other words, if an organisation is not in the EU but caters to those who are, it must comply with the GDPR.
Of course, you may not know whether people in the EU use your services – particularly if you’re an online business based outside Europe with a regional customer base.
In these circumstances, you must assess several factors, such as whether you’ve paid a search engine operator for an Internet-referencing service that allows EU customers to access your site and whether the goods and services that you offer are international in nature.
If there’s a reasonable chance that you have EU-based customers, you must take appropriate steps to achieve GDPR compliance.
The second trigger, ‘monitoring the behaviour’ of people in the EU, refers to something more specific than simply collecting an individual’s personal data. To be considered ‘monitoring’, an organisation must track individuals’ actions.
This includes any profiling activities that you conduct to predict personal preferences, behaviours and attitudes.
Examples of monitoring include geolocation activities, diet and health analytics services, CCTV footage, market surveys and cookies.
These are mostly self-explanatory, but cookies are somewhat more complicated because they can be used in many ways to serve different purposes.
Cookies are only considered to monitor individuals’ behaviour when they personalise the user experience in a manner specific to that individual.
By contrast, many cookies are simply used to ensure that the user interface works as expected, in which case their use falls outside the GDPR’s scope.
Our sister company DQM can help you determine which of your cookies fall within the GDPR’s scope through its Cookie Audit service.
What are the exceptions?
The GDPR’s rules on territorial scope are definitive, so it would be misleading to suggest that there are exceptions to its rules. However, there are circumstances in which data processing may appear to be within scope but is not.
For example, the GDPR doesn’t apply where a non-EU organisation processes the personal data of someone inside the EU for HR purposes (including paying their salary). This is because the processing isn’t used to offer goods or services.
Likewise, the GDPR doesn’t apply when an organisation’s data processing involves the activities of an EU resident who is abroad.
To take the inverse of our earlier example: should someone from France go on holiday to New York and download an app designed for tourists, the personal data that’s collected is not within the GDPR’s scope, because the individual is not in the EU.
GDPR compliance support with GRCI Law
Are you looking for help meeting your GDPR compliance requirements? If so, our Privacy as a Service solution offers the support you need.
Led by a team of experienced DPOs (data protection officers), lawyers, barristers, and information and cyber security experts, we’ll work with you to develop a tailored solution based on your requirements.
This includes help deciding what information is within the GDPR’s scope, finding a data protection officer, completing breach notification processes and completing DSARs (data subject access requests).