Extra-territorial reach of GDPR and non-EU organisations

Harmonisation of data protection requirements across the 28 EU Member States has created a gold standard data protection regime which will extend beyond the EU’s physical borders. For organisations outside the EU, it is essential that they consider whether they are within the scope of the GDPR and its enforcement powers.

An establishment in the EU

Article 3(1) of the GDPR applies to the processing of personal data by a controller or a processor established in the EU. Provided there is an establishment in the EU, it does not matter where the processing is actually carried out. Therefore, the loophole of a company in the EU deciding to process personal data of individuals at a location outside the EU is removed.

An establishment does not have to be a legal entity. The recitals of the GDPR suggest that an establishment: “implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect”.

Weltimmo v NAIH (C-230/14) examined the interpretation of “an establishment” under the current Directive and determined that the presence of a single representative in a Member State may be sufficient to amount to an organisation having an establishment in that Member State.

Therefore, a consultant carrying out work in an EU Member State on behalf of a non-EU company may result in that non-EU entity being classed as having an establishment in the EU and therefore falling within the scope of the GDPR.

Offering goods and services/monitoring

Under Article 3(2), the GDPR also applies to a data controller or processor who is not established in the EU where the processing of personal data:

- Relates to offering goods or services to individuals in the EU
- Relates to the monitoring of behaviour of individuals in the EU

The accessibility of a non-EU website from the EU and the availability of an email address/contact details in the EU will not be enough to show the intention to offer goods or services. However, Recital 23 of the GDPR states that the following would be strong indicators of an intention to offer goods and services in the EU: using the language of a Member State which is not relevant to customers in the home state; using the currency of a Member State that is not generally used in the home state; offering delivery to a Member State; and referencing EU citizens.

The monitoring of behaviour will be relevant to scenarios such as tracking user behaviour through cookies and tracking individuals through the use of location data, which may be relevant for medical/crisis management tools.

Tracking the location of employees may be necessary to discharge an employer’s duty of care to those employees in emergency situations. For those employees who are in the EU at the time they are being tracked, their personal data will be protected by the GDPR.

Almost every corporate website will use tracking cookies to retrieve usage information. Where that information relates to an EU user, the GDPR is likely to apply, and it is therefore hard to envisage a scenario where a company with full accessibility and cookie usage on its website would not have to comply with the GDPR.
