Extra-territorial reach of GDPR and non-EU organisations
Harmonisation of data protection requirements across the 28 EU Member States has created a gold standard data protection regime which will extend beyond the EU’s physical borders. For organisations outside the EU, it is essential that they consider whether they are within the scope of the GDPR and its enforcement powers.
An establishment in the EU
Article 3(1) of the GDPR applies to the processing of personal data by a controller or a processor established in the EU. Provided there is an establishment in the EU, it does not matter where the processing is actually carried out. Therefore, the loophole whereby a company established in the EU could escape the rules by processing the personal data of individuals at a location outside the EU is closed.
An establishment does not have to be a legal entity. The recitals of the GDPR suggest that an establishment: “implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect”.
Weltimmo v NAIH (C-230/14) examined the interpretation of “an establishment” under the current Directive and determined that the presence of a single representative in a Member State may be sufficient to amount to an organisation having an establishment in that Member State.
Therefore, a consultant carrying out work in an EU Member State on behalf of a non-EU company may result in that non-EU entity being classed as having an establishment in the EU, bringing it within the scope of the GDPR.
Offering goods and services/monitoring
Article 3(2) of the GDPR also applies to a data controller or processor who is not established in the EU where the processing of personal data:
- relates to offering goods or services to individuals in the EU; or
- relates to the monitoring of the behaviour of individuals in the EU.
The mere accessibility of a non-EU website from the EU, or the availability of an email address or contact details in the EU, will not be enough to show an intention to offer goods or services. However, Recital 23 of the GDPR states that the following would be strong indicators of an intention to offer goods and services in the EU: using the language of a Member State which is not relevant to customers in the home state; using the currency of a Member State that is not generally used in the home state; offering delivery to a Member State; and referencing EU citizens.
The monitoring of behaviour will be relevant to scenarios such as tracking user behaviour through cookies and tracking individuals through the use of location data, which may be relevant for medical/crisis management tools.
Tracking the location of employees may be necessary to discharge an employer’s duty of care to those employees in emergency situations. For employees who are in the EU at the time they are being tracked, their personal data will be protected by the GDPR.
Almost every corporate website uses tracking cookies to collect usage information. Where that information relates to a user in the EU, the GDPR is likely to apply; it is therefore hard to envisage a scenario in which a company whose website is fully accessible from the EU and uses cookies would not have to comply with the GDPR.