GDPR & Non-EU Businesses: Does the New Privacy Regulation Apply to You?
You may have recently heard or read about a new European Union (EU) regulation that went into effect on May 25, 2018. The regulation, which is known as the GDPR (General Data Protection Regulation), sets forth certain rules that apply to the processing and use of consumer information. The purpose of the regulation is to protect persons in the EU with respect to the processing and use of their personal data by third parties. If you think that you are not subject to the GDPR because you are not an EU business, you should think again, as the scope of the regulation is broad enough to encompass non-EU businesses.
With that in mind, here are the answers to some questions you may have regarding GDPR coverage of non-EU businesses.
Who Does the Regulation Cover?
By its terms, the GDPR applies not only to EU businesses (known as “controllers” and “processors”) but also to non-EU businesses who process the personal data of natural persons (known as “data subjects”) in the EU. EU citizenship is not required for coverage since the regulation’s protections also apply to residents, tourists and other persons visiting the EU.
For coverage to apply, a non-EU business’s processing activity must be related to:
- The offering of goods or services to persons in the EU, whether or not payment is required; or
- The monitoring of the behavior of persons in the EU with respect to behavior that takes place within the EU.
How Does the Regulation Define “Personal Data”?
By its terms, the GDPR applies to the processing of “personal data.” “Personal data” is defined as any information relating to an identifiable person and includes things such as names, addresses, phone numbers, social security numbers, account numbers and any other information relating to and identifying a natural person, including things specific to that person such as his or her physical, physiological, genetic, mental, economic, cultural or social identity.
Who Qualifies as a Processor Under the Regulation?
There are several relevant definitions in the regulation regarding who is and is not a data processor.
First, the regulation defines “processing” as any operation or set of operations performed on personal data. It includes things such as the collection, recording, storage, retrieval, use, disclosure by transmission or dissemination or destruction of personal data.
Second, a “processor” is defined as a person or entity that processes personal data on behalf of a controller.
Third, a “controller” is defined as a person or entity that (alone or jointly) determines the purposes and means of processing personal data.
Thus, if your business performs any of the operations that are listed in the regulation either on its own behalf or on behalf of a person or entity that determines the purposes and means of processing, it is a processor and/or controller. (If your business performs both functions, it can be both.)
Does Your Business Offer Goods or Services to Natural Persons in the EU?
The phrase “offering goods or services” is not specifically defined in the regulation. However, commentary notes that although it is a factor to consider, having a commerce-oriented website that is accessible by EU residents does not by itself constitute offering goods or services in the EU. Something more is required, namely an intent to draw EU customers. Here are some factors that may constitute proof of that intent:
- A website or other advertisement’s use of the language of an EU Member State that is different from the language of its home state;
- A website or other advertisement’s provision of options for EU language translation;
- A website or other advertisement’s reference to and/or use or acceptance of the currency of an EU Member State, which is different from the currency of its home state;
- A website or other advertisement’s provision of options for currency conversion;
- A website or other advertisement’s use of a top-level domain name of an EU Member State (e.g., .eu, .de);
- A website or other advertisement’s mentions of customers or international clientele composed of customers who live in various EU Member States;
- A clear statement on a website or other advertisement that goods or services are offered in one or more EU Member States mentioned by name;
- The paid inclusion of a non-EU business in search engines accessed from particular EU Member States;
- The international nature of the non-EU business’s activity;
- The targeting of advertising to consumers in an EU Member State; and/or
- The mention or inclusion of international telephone numbers for contact purposes on a website or other advertisement.
Another factor relevant to the “intent” determination is whether the website or other advertisement of a non-EU business solicits the conclusion of distance contracts and/or whether contracts have actually been concluded at a distance.
Does Your Business Monitor the Behavior of Persons in the EU?
Monitoring of behavior occurs where individuals are tracked on the internet, and it typically includes the potential subsequent use of personal data processing techniques that consist of profiling persons in order to make decisions concerning them or to analyze or predict their personal preferences, behaviors and attitudes.
The regulation defines “profiling” as any form of automated processing of personal data that consists of the use of personal data to evaluate certain personal aspects relating to a natural person, particularly to analyze or predict aspects concerning the person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Examples of monitoring include, without limitation:
- Online behavioral based advertising;
- Travel data of individuals using a city’s public transport system (e.g., tracking via travel cards);
- Profiling and scoring for risk assessment purposes (e.g., for credit scoring, setting of insurance premiums, fraud prevention, detection of money-laundering);
- Location tracking (e.g., by mobile apps); and
- Monitoring of wellness, fitness and health via wearable devices.
In performing a profiling analysis, you should consider all forms of behavior monitoring including circumstances where you collect data on employees inside and outside of the workplace (e.g., company owned vehicles with tracking devices).
What’s Next?
If you believe that your business is or may be covered by the GDPR, or if you have questions about whether the regulation applies to you and/or your business, you should consult a knowledgeable professional (such as a lawyer) to answer your questions and help you with compliance. In order to fulfill its stated goals, the GDPR imposes a number of statutory duties on the businesses it covers, and the penalties for non-compliance can be very steep. As in many other areas, this is an instance when it is far better to be safe than sorry.
The information presented here is for general educational purposes only. It does not constitute legal advice and does not create an attorney-client relationship.