Extraterritorial Scope of European Union’s GDPR

The European Union’s General Data Protection Regulation (GDPR) was introduced as the new legislation on May 25, 2018, to protect the personal data. Ever since the legislation came into effect, the corporates in Europe have been trying to comply with its various legal requirements. Article 3(1) of the GDPR is applicable to the organizations that have a physical presence inside the EU and are engaged in the processing of personal data of EU data subjects. Article 3(2) extends this territorial scope to include non-EU based organizations that are not physically established in the EU.

Non-EU Based Organizations under the Purview of GDPR

These basically include entities that are either ‘controllers’ or ‘processors’ who are engaged in the processing of the personal data of data subjects in the EU. The processing activities should relate to the following:?

• ‘Offering of goods or services’ to individuals residing in the EU irrespective of whether the payment is required (targeting)
• Instances where the behaviour of European data subjects residing in the EU is monitored (monitoring).

GDPR application by way of targeting

There is no clear guidance as to what constitutes an ‘offering of goods or services’. Each case would have to be analysed separately on a standalone basis. Normally, for GDPR to be applicable it is required that there should be some active direction of activities towards data subjects within the EU. The mere availability of website or online advertising would not attract GDPR compliance. Additional aspects to be considered for targeting of data subjects would need to include:

• Contact details in the EU
• Availability of a website in more than one European language
• High probability of making payments in the Euro currency
• Usage of any EU domain name
• References to or from EU clients

GDPR application by way of monitoring

With respect to monitoring of behaviours of EU subjects, in order for GDPR to be applicable, the following factors should be considered:

• Gathering location data
• Allowing EU data subjects to use a social network account
• Tracking the online activities of the individuals to know more about their behaviour, personal preferences, and attitudes. A perfect example of this can be the usage of website cookies or social media plug-ins that monitor the online presence of an individual.

GDPR indirect application to non-EU businesses

The provisions of GDPR will also be applicable to non-EU businesses (processor) carrying out processing activities on behalf of an EU business (controller). The Data Processing Agreements between such controller and processor should account for the following matters such that the processor:

• Acts on the documented instructions of the controller and only then processes the personal data of the subject
• Ensures complete confidentiality by the authorized person responsible for processing the personal data
• Unless required by the GDPR provisions, does not transfer the personal data outside the EU
• Without the prior documented authorisation of the controller, does not engage another processor
• Allows for and contributes to audits, including assisting the controller in inspections carried out by him

Key Takeaways

The GDPR was purposely drafted to make sure that is applied to EU-based as well as businesses based outside of the EU that engage in handling the personal data of the EU subjects. If you have an organization outside the EU but are acting as a controller or a processor, then in all probabilities, you could be covered by the GDPR provisions. Article 3(2) has extended the scope of the territory and GDPR rules could affect your business as well. If so, you must make it as your priority to begin the implementation of a GDPR compliance roadmap.