When the European data protection law, the General Data Protection Regulation (GDPR), first entered into force on May 25, 2018, it challenged the way organizations handled and processed the personal data of EU residents and citizens.
However, there was (and still is) confusion around whom the GDPR applies to, further increased by the global reach of companies, the broad territorial scope of the GDPR, and practical enforcement challenges.
The extraterritorial scope of the GDPR means it can apply even outside the borders of the European Union. It is therefore very important for organizations to understand the situations in which they fall within the scope of the GDPR and what their obligations are when processing personal data.
What is the territorial scope of the GDPR?
Territorial scope is the jurisdictional reach of a law, in this case the GDPR. The scope of the GDPR is a significant advancement and is much broader than that of Directive 95/46/EC, which it superseded.
As described in Article 3, GDPR applies to the processing of personal data:
- In the context of the activities of an establishment of an organization (controller or processor) in the Union, regardless of whether the processing takes place in the EU or not.
- Of individuals (data subjects) who are in the EU by a controller or processor not established in the EU, where the processing relates to offering goods or services to them, irrespective of whether a payment is required, or to monitoring their behavior as far as that behavior takes place within the Union.
- By a controller not established in the EU, but in a place where Member State law applies by virtue of public international law.
Therefore, as described in the European Data Protection Board guidelines on the territorial scope of the GDPR, the scope is defined by two main elements:
- The establishment criterion
- The targeting criterion
When either of the two criteria is met, the GDPR applies to the processing of personal data. It is extremely important for organizations to assess their processing activities and determine, for each processing activity, whether they act as a controller or as a processor.
If the GDPR applies, non-EU-based organizations will need to designate a representative in the EU, who will be subject to EU supervision and may be subject to enforcement action by a data protection authority (DPA).
Establishment criterion
In the context of the GDPR, an establishment implies the effective and real exercise of activities (even minimal ones) through stable arrangements, whether or not in the form of a branch or a subsidiary with legal personality.
The GDPR applies to processing carried out in the context of the activities of an establishment of a controller or processor in the Union, regardless of where the processing actually takes place.
An organization does not have to be located in the EU to be considered as having an EU establishment. The main test is whether there is real and effective activity exercised through stable arrangements.
Targeting criteria – offering goods and services
The GDPR applies if the organization offers goods or services to, or monitors the behavior of, EU citizens or residents. However, what the GDPR considers to be offering services or monitoring individuals may differ from your own understanding:
- Offering services: for example, an organization that runs a website accessible to EU individuals, or a webshop with prices displayed in an EU currency, or that ships to the European Union, or that provides the option to sign up for its services, regardless of whether the service is paid or free.
The extraterritorial scope of the GDPR
Extraterritoriality means that even organizations with no physical establishment in the EU can be obliged to comply with the GDPR.
As a non-EU organization, besides the situations described above (offering goods or services to individuals in the EU, or having an EU subsidiary), you can also fall under the scope of the GDPR if your contractual partners contractually oblige you to comply with it.
Is GDPR enforceable outside the EU in practice?
Although the GDPR set out to protect the personal data of EU citizens even outside the EEA, enforcement outside the EU's borders is still questionable in practice and will depend on the particular circumstances of each case.
For example, an organization may be willing to cooperate with the data protection authority to avoid bad publicity, or because privacy is one of its strategic priorities.
In other cases, when an organization refuses to cooperate, the DPA may seek to coordinate with overseas regulators in taking enforcement action.
Data protection authorities may have limited enforcement powers against entities that have no representative based in the EU. Non-compliance can nevertheless be costly, even without a GDPR fine.
There is a reason why numerous organizations are investing in privacy and compliance. Data breaches can cost a company many millions and can cause further indirect damage.
The GDPR has shown how regulation can produce positive economic results; it has pushed many companies into digital transformation, giving them better-quality data and an improved overall customer experience. Companies are also finding that:
“Over the past few years, data privacy has evolved from “nice to have” to a business imperative and critical boardroom issue.”
That is why the advice is to always adhere to the Regulation, to avoid possible pitfalls, bad publicity, and penalties of up to €20 million or 4% of the previous year's gross global turnover, whichever is greater.