As we all know by now, the GDPR came into force on Friday 25th May 2018. For businesses based in Europe with employees and customers in the EU, this means unavoidable change. Changes to the way personal data is processed, changes to information to be given to data subjects, changes to internal governance, changes to the culture surrounding data protection within the organisation. But what about businesses who are not based within the EU? Does the GDPR apply to them? What about non EU-based organisations who sell only occasionally to the EU?
Article 3 of the GDPR states that its terms apply to the processing of personal data of data subjects who are in the Union, by a controller or processor not established in the Union, where the processing activities are related to (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union or (b) the monitoring of their behaviour, so far as their behaviour takes place within the Union.
- When determining whether or not an organisation is established in the EU, the recital states that “establishment” implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements does not matter.
- Note that “processing” includes any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
The fact that a controller or processor has not made any, or a limited number of, sales to data subjects within the Union does not matter. It is the intent of the controller/processor which is focused on and the recitals to the GDPR state that in order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union for the purpose of Article 3, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. They go on to explain that although the accessibility of the controller/ processor/ intermediary’s website in the Union, of an email address or contact details alone is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make that intent more obvious. Organisations outside of the EU therefore have to be very careful and if they do provide a mechanism for individuals from the EU to purchase their goods or services from their website, they must ensure they are GDPR compliant. Marketing teams within organisations should be made aware of this when considering how and where marketing is being used and if they plan on marketing within the EU, time and budget associated with ensuring GDPR compliance should be factored into their plans.
In relation to monitoring activities, the processing of personal data of data subjects who are in the Union by a controller or processor established outside of the Union will also fall within the remit of the GDPR when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it must be ascertained whether natural persons are tracked on the internet. This could include potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
Another scenario with potential GDPR implications is where an organisation with no other EU establishment or presence decides to use an EU-based host for its website data. Does the use of such a cloud-based service, provided by an EU based data processor, have the potential to bring the processing within the “context of the activities of an establishment of a controller or processor in the European Union”? The answer is unclear, but it is unlikely that the organization would. The processor on the other hand will certainly have GDPR obligations. This was seen recently when the ICO ordered Cambridge Analytica, acting as a data processor and based in the EU, to hand over data to a US citizen. The processor must, by virtue of Article 28, have a contract in place with the controller. Whether the controller therefore has obligations under GDPR is not clear and will depend on the specific facts of each case.
For organisations that are already subject to the Directive, the GDPR will not necessarily bring about a significant change. However, for organisations that are not currently subject to the Directive, but who currently either offer goods or services to EU residents or monitor their behaviour, or plan to in the future, the changes that GDPR brings are likely to lead to a number of new administrative, compliance burdens and associated costs which they must plan for. Staff should be adequately trained, internal policies and procedures reviewed, appropriate GDPR compliant technical and organisational measures put in place and, given the potential fines that breach of GDPR can result in, organisations may also wish to review their insurance arrangements.