Extraterritorial Scope of GDPR: The effects of the Regulation on non-EU businesses


By Ioanna Michalopoulou, Lawyer LLM*
The EU General Data Protection Regulation (GDPR) is not explicitly a global law, but it might be on the way to becoming a de facto law beyond the boundaries of Europe, at least for a number of businesses.
GDPR, which was enforced on the 25th of May 2018, affects all businesses based in EU territory acting as data controllers or data processors of personal data of data subjects who are located within the Union, similar to the previous European data protection law (Directive 95/46/EC). An important question, then, arises as to whether businesses that are based outside the European Union and process personal data, fall under the GDPR’s scope.
The European legislature, in an effort to protect data subjects from the arbitrary processing of their personal information by non-EU businesses, expanded the territorial scope of the Regulation. Article 3 GDPR states that the “GDPR applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union” if one of the following criteria is fulfilled:
The processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behavior as far as their behavior takes place within the Union.
Key to determine whether criterion (a) is met by a non-EU business, according to Recital 23 (offering of goods or services, to such data subjects in the Union) is the business’ intention, and whether it is apparent that an offer to an EU-based data subject was “envisaged”. More specifically, the mere provision of information about the offering of good or services on the business’ website does not sufficiently establish its intention to offer such services to European data subjects.
However, the website’s availability in an EU language which is outside the Controller’s jurisdiction, the offering goods/services in an EU currency or, unsurprisingly, the explicit targeting of EU citizens, could provide sufficient proof of intent and pull the business within the GDPR’s scope.
For example, if non-EU businesses meet at least one of the following criteria, then GDPR is applicable:
-International telephone numbers are mentioned on their website for contact purposes;
-Top level domains of an EU Member State (i.e. .eu, .ie, .de) are used;
-Options to translate the contents of the website to an EU language are provided;
-Options to convert any amount of money to EU; and,
-Advertising to attract EU users (leveraging existing EU clients or users as advertising material).
To exemplify the above, if a Thai company with no EU subsidiaries has an e-shop in Dutch on which it offers goods with the possibility to order it using Dutch language and pay in EUR, accepts the offers of EU citizens and deliver its goods to them, then one could safely say that the Thai company targets Dutch consumers (and therefore EU citizens). Due to this, the Thai company is subject to GDPR. Similarly, an American company offers a mobile phone application to American users, and the application collects location data. Then, an American tourist uses the application while travelling in Spain. GDPR still applies to these data and the company must comply with the Regulation for the duration of that tourist’s holiday in Spain.
Obligation-Designation of a Representative
The GDPR requires overseas Data Controllers and Processors falling within its scope (and whose processing is not occasional) to designate an EU-based representative (Article 27) who will act on their behalf as well as the point of contact for the relevant DPA, and who are also subjected to certain record keeping requirements as well as receiving enquiries and complaints. The designation of such a representative does not affect the responsibility or liability of the Controller or of the Processor under this Regulation. The designated representative should also be subjected to enforcement proceedings in the event of non-compliance by the Controller or Processor. However, the GDPR fails to include an appropriate enforcement mechanism within the text itself, only declaring that the designation of the representative should be subject without prejudice to enforcement proceedings against him in case of non-compliance of the Controller or the Processor. Τo this end and given the new fines foreseen by GDPR (Article 83 par 4. a), DPAs have to continue to apply pressure indirectly to Data Controllers and Processors through EU-based representatives.
Our law firm’s comment οn this topic:
 Due to the extraterritorial scope of the GDPR set by article 3, the Regulation will be applicable irrespective of whether the actual data processing takes place within the EU or not. Whether this goal will be achieved or not, one thing is certain; the GDPR will undoubtedly change how multinational organizations operate globally regarding the collection, use and protection of personal data of all citizens within the EU.
-------------------------------------------------
* Ioanna Michalopoulou LL.M. |CIPP/E , Managing Partner Michalopoulou & Associates
40, Ag. Konstantinou st. | “Aithrio” Business Center (Α 16-18), 15 124 Marousi | Athens | Greece, T: 210 330 52 30 | F: 210 330 52 32, imicha@lawgroup.gr | www.lawgroup.gr

Comments

Post a Comment

Editorial

Editorial
George Kazoleas, Lawyer

Top Stories

Ombudsman inquiry on Commission President’s text messages is a wake-up call for EU

Image
The European Ombudsman inquiry into the Commission’s handling of a request for text messages between its President and the CEO of a pharmaceutical company is a wake-up call for all EU institutions about ensuring accountability in an era of instant messaging. One year after the initial request by a journalist, the Commission has still not clarified whether messages reported to concern major vaccine procurement deals exist and whether the public is entitled to see them. The Ombudsman had asked the Commission, in a finding of maladministration in January, to conduct a more thorough search for the text messages. The Commission’s recent response failed to say whether it had looked directly and correctly for the text messages and if not, why not. While the response recognised that work-related text messages can be EU documents, it reiterated that the Commission’s internal policy is, in effect, not to register text messages. The Ombudsman has closed  the inquiry  and upheld her find
Read more

The Lawyer's right to refuse the defense of an accused person for ethical reasons

Image
by Giorgos Kazoleas, Lawyer LL.M. Lawyers have the right to refuse to undertake a case when it conflicts with their moral principles, their dignity and conscience. Both the Code of Lawyers in Greece and the Code of Lawyers 'Ethics in Cyprus provide the legal framework to support this choice.   The Greek Legislation The lawyer's right to refuse the defense of a specific defendant in a criminal trial clearly follows from the wording of article 37 of the Lawyers' Code (Law 4194/2013). According to paragraph 1 of this article, the lawyer has an obligation to undertake any case, unless it is manifestly unfounded, not amenable to defense, conflicts with the interests of other clients or goes against his/her principles. According to paragraph 2, the lawyer must undertake the defense of any accused, if requested by the judicial authorities, subject to paragraph 1. The reasons for refusing to undertake a case are expanded by article 6 of the Greek Code of Ethics of the Legal Pro
Read more

First judgment of the ECHR: Lawless v. Ireland

Image
60 years ago, on 14 November 1960, the Court delivered its first judgment, Lawless v. Ireland, with René Cassin as its President. The judgment concerned preliminary objections and procedural questions regarding the application, on which a judgment on the merits was delivered the following year. Since its inauguration the Court has delivered 23,291 judgments on just over 51,650 applications. The case was filed by Gerard Richard Lawless, who had been an IRA member, although he claimed to have left the IRA. He was arrested on 11 July 1957, as he was about to travel to Great Britain from Ireland, and subsequently detained under the special powers of indefinite detention without trial under the Offences against the State (Amendment) Act 1940. The case was filed by Lawless for violation, by the Irish Government, of Articles 5, 6 and 7 of the European Convention of Human Rights, providing rights to liberty and security, fair trial and the principle of 'no punishment without law'
Read more

Sanction imposed on judge for Facebook posts concerning matters of public interest infringed his freedom of expression (ECtHR)

Image
In Chamber’s judgment   in the case of Danileţ v. Romania (application no. 16915/21) the European Court of Human Rights held, by a majority (four votes to three), that there had been a violation of Article 10 (freedom of expression) of the European Convention on Human Rights. The case concerned a disciplinary sanction imposed on a judge by the National Judicial and Legal Service Commission for posting two messages on his Facebook account. The Court found that the domestic courts had failed to give due consideration to several important factors, in particular concerning the broader context in which the applicant’s statements had been made, his participation in a debate on matters of public interest, the question whether the value judgments expressed had been sufficiently based in fact and, lastly, the potentially chilling effect of the sanction. In addition, the existence of an attack on the dignity and honour of the profession of judge had not been sufficiently demonstrated. In the
Read more

Politically Exposed Persons (PEPs): What and Why?

Image
By Christina Poursanidou, Lawyer Politically Exposed Persons (PEPs) are considered as high-risk individuals for financial institutions and obliged entities, which justifies the application of additional Anti-Money Laundering (AML) and Counter-Terrorist Financing (CFT) preventive measures with respect to business relationships with them. But who is considered as a PEP and why being a PEP poses a risk? The Financial Action Task Force (FATF) has defined a PEP as an individual who is or has been entrusted with a prominent public function, while the Article 3 par. 9 of the 4th EU AML Directive (AMLD) repeats the definition of the FATF and provides a list of particular political positions, which make somebody a PEP. It is crucial to note that both FATF and EU have included in the scope of PEPs, the family members and close associates of PEPs, which means that not only the persons with have been entrusted with prominent public function are considered as high-risk, but also their family member
Read more

Gigantic fine for unfair practices imposed on Booking.com by the Competition Authority of Hungary

Image
One of the highest fines for violation of unfair competition law has been imposed (28/4/2020) on online hotel booking platform ‘’Booking.com’’ by the Hungarian Competition Authority. The amount of the fine (approximately EUR 6 million / HUF 2.5 billion) imposed by the Authority illustrates the seriousness of the Dutch company's violations. The Hungarian Competition Authority (GVH) imposed a fine of HUF 2.5 billion on the operator of the online booking portal booking.com, and at the same time banned the Dutch company from continuing its aggressive sales methods. According to the decision of the competition authority, Booking.com B.V. engaged in unfair commercial practices against consumers by, among other things, misleadingly advertising some of its accommodations with a free cancellation option and exerting undue psychological pressure on consumers to make early bookings. As a result of the Competition Authority’s competition supervision proceeding  initiated in 2018, the autho
Read more

Graduate Programme 2024 for EU Nationals in European Central Bank

Image
European Central Bank (ECB) is looking for 15 highly talented recent graduates with a postgraduate degree, eventually a PhD, for the ECB’s Graduate Programme offering full time monthly net salary €4,611 plus benefits. General Information  Type of contract: Two-year fixed-term contract starting on 1 September. It may be extended for one additional year upon successful completion of the programme. Who can apply?  EU nationals Salary  E/F (bracket 1 - step 1) full time monthly net salary: €4,611 plus benefits, for further information see  here . Working time:  Full time Place of work:  Frankfurt am Main, Germany Closing date:  21.02.2024 ECB is looking for 15 highly talented recent graduates with a postgraduate degree, eventually a PhD, for the ECB’s Graduate Programme.  You will have different ages, backgrounds and interests and will find intellectual challenges, varied opportunities and a people-centred working culture that gives you a voice and the chance to make an i
Read more