The scope of GDPR
GDPR applies to you if you:
- Process PII in the context of your establishment if you are located in the European Union, regardless of whether the actual processing takes place in the EU;
- Offer goods or services, regardless of payment to data subjects located in the EU, regardless of your location;
- Monitor the behavior of EU data subjects, insofar as their behavior takes place within the EU, regardless of your location; or
- Process PII in a place where EU Member State law applies by virtue of public international law, regardless of your location.
It is clear that GDPR can apply to businesses located outside of the European Union, which reflects the intent of the drafters of GDPR to ensure comprehensive protection of the rights of individuals and to establish a level playing field for companies active on EU markets.
What is an establishment under GDPR?
GDPR applies to the processing of PII in the context of the activities of an establishment located in the European Union. This means that if you are located in the European Union, GDPR does not automatically apply, you must be considered an “establishment” first. According to Recital 22, an “establishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor.”
For example, if you have one employee in the European Union, that would not qualify you as an “establishment.” However, if that one employee is processing PII in the context of his or her activities, that could be considered as sufficient to qualify. You do not have to have a branch or a subsidiary in the European Union for the law to apply.
FAQ: I have a website that can be accessed by individuals in the European Union, does that mean that I automatically have to comply with GDPR? No, the mere fact that your website is accessible in the EU does not mean that GDPR will automatically apply.
If you exercise real and effective activity, even a minimal one, through stable arrangements in the European Union, then you qualify as an “establishment” and will need to comply with GDPR if you process PII in the context of your establishment.
Offering goods or services to EU data subjects
Since GDPR has such a broad application, the law will also apply to you if you are offering goods or services to EU data subjects, regardless of payment being required, even if you are not located in the European Union. Recital 32 provides that to determine whether you are offering goods or services, it should be ascertained whether it is apparent that you envisage offering goods or services to EU data subjects. GDPR will also apply to you if you are offering information society services to data subjects in the EU. Information society services are any services normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.
In determining whether you offer goods or services, one or more of the following factors will evidence that your activities are “directed” at EU residents and thus an offering is made:
- The EU or at least one member country is designated by name with reference to the good or service offered;
- You pay a search engine operator for an Internet referencing service in order to facilitate access to your website by consumers in the EU; or you have launched marketing and advertising campaigns directed at an EU country audience;
- The informational nature of the activity, such as tourism;
- The mention of a dedicated address or phone number where you can be reached from an EU country;
- The use of a top-level domain other than that of the country in which you are located (e.g. .de or .eu);
- The description of travel instructions from one or more EU countries to the place where the goods or services are provided;
- The mention of an international clientele composed of customers domiciled in various EU countries, in particular by presentation of accounts written by such consumers;
- The use of a language or currency that is generally not used in your country (e.g. Euros); or
- You offer the delivery of goods in EU countries.
FAQ: I have a number of testimonials on my website from my clients who are based in Germany and France. Does that mean that I have to comply with GDPR? Yes, if you are showcasing that you have clients in the EU and have testimonials from clients located in the EU, you will need to comply with GDPR.
Monitoring the behavior of EU data subjects
Finally, you will need to comply with GDPR if you are monitoring the behavior of EU data subjects insofar as that behavior takes place in the European Union, regardless of where you are actually located. According to Recital 24, to determine whether you are engaged in such monitoring, it should be ascertained whether EU data subjects are tracked on the Internet, including potential subsequent use of PII processing techniques which consist of the profiling of that person, particularly to make decisions concerning him or her or for analyzing or predicting that person’s preferences, behaviors, and attitudes.
The following is a list of examples of activities that would qualify as monitoring:
- Behavioral advertisements;
- Geo-localization activities;
- Personalised diet and health analytics services online;
- Market surveys and other behavioral studies based on individual profiles; and
- Monitoring or regular reporting on an individual’s health status.
If you perform any of the above activities and monitor the behavior of EU data subjects, you need to comply with GDPR.