So this is the question that is coming up more and more here in the United States – Does the GDPR apply to our company?
Remember that the GDPR was put in place to protect individuals from improper use of their personal data, to allow that data to move freely within the EU, and to give individuals certain other rights with respect to their personal data. While its reach is broad, the GDPR does not apply to processing that falls outside the scope of EU law, and it carves out certain activities expressly: for example, processing by an individual in the course of a purely personal or household activity, and processing by competent authorities for the prevention, investigation or prosecution of criminal offences (which is governed by a separate directive). Art. 2, Sec. (2). If your company interacts with customers in the EU for purposes of trade, and you store, process or share the personal data of people in the EU, then the GDPR rules apply to your company.
The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the actual processing takes place in the EU or not. Art. 3, Sec. (1). Note that the GDPR does not define the term “establishment,” although Recital 22 states that: “establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.” In practice, this means a non-EU company with an EU office, branch or subsidiary that is involved in the processing cannot avoid the GDPR simply by running its servers outside the EU.
Further, the GDPR applies to the processing of personal data of people in the EU even if the controller and/or processor is not established in the EU, if either:
the processing relates to an offer of goods or services to people in the EU (whether or not a payment is required), or
the processing involves monitoring the behaviour of people in the EU, to the extent that behaviour takes place in the EU.
GDPR, Art. 3, Section (2).
We have some guidance about how the EU will determine whether an offer of goods or services was intended to target people in the EU. Recital 23 makes clear that the mere accessibility of a website, an email address or other contact details from the EU is not enough; the question is whether the company “envisages” offering goods or services to people in one or more member states. Relevant evidence includes (1) direct evidence, such as agreements or payments involving people in the EU, use of a language or currency generally used in a member state with the ability to order in that language, or specific EU member states being named as markets, and (2) other factors drawn from the Court of Justice's earlier case law on when a business “directs” its activities to consumers in a member state, such as the “international nature” of the activity (like tourism), mention of a telephone number with an international dialing code, use of a top-level domain other than that of the country in which the company is located, and mentions of international itineraries or clientele.
So, essentially, companies throughout the world that offer goods or services to people in the EU, or monitor people in the EU, in connection with the collection or use of those persons’ personal data (in any way), are subject to the GDPR. This aspect of the GDPR provides for essentially global reach. The text of Art. 3, Sec. (2) refers to data subjects “who are in the Union,” which points to the person's location at the time of the processing rather than to citizenship, but it is not yet clear how strictly that will be applied in practice, for instance to an EU citizen who is traveling or living outside the EU when the data is collected.
Historically, there was a Safe Harbor framework that non-EU companies could rely on to receive transfers of personal data from the EU, but it was invalidated in 2015. It was replaced by the Privacy Shield (to be discussed in a later post), but it looks like that framework is devolving as well. Keep in mind that these frameworks only govern how personal data may lawfully be transferred out of the EU; they have never changed whether the GDPR applies in the first place, so companies that do business with EU individuals will have to comply either way.
It’s important to realize that the GDPR applies to business-to-business relationships and not just business-to-consumer relationships, due to the fact that individuals work at each business, and those individuals’ personal information (a named contact’s name, work email address or direct telephone number, for example) is intended to be and is covered by the GDPR (assuming they are in the EU). It’s not clear whether an offer of goods and services that is made solely to businesses in the EU (as opposed to individuals) would, by itself, bring the offer within the GDPR (note that it would also, at some point, have to involve the processing of personal data).
We will address the GDPR and its application in later blog posts.