Although the General Data Protection Regulation (GDPR)* was passed more than three years ago and has been applicable for more than one year, there is still confusion and misconception about the regulation's sphere of impact.
In a new series of posts, I will share some advice** drawn from experience in projects that I have conducted since the inception of the regulation, and also include the updated guidelines that the European Data Protection Board (EDPB) recently published*** regarding the regulation's territorial scope (Art. 3 GDPR). To avoid amendments and editorial notes to my original post on this subject, I offer below a complete rewrite.
Although I encourage everyone to read the provisions of the GDPR as well as the above-mentioned EDPB guidelines (which illustrate typical cases by example), here are the major takeaways regarding the GDPR's territorial scope:
- GDPR is a regulation to protect the personal data of individuals ("data subjects") who are physically present, even if only temporarily, in the EEA (European Economic Area, which comprises all EU member states plus Iceland, Liechtenstein and Norway). Data subjects' protection rights do not depend on their citizenship or residency.
- All organizations worldwide whose activities "intentionally, rather than inadvertently or incidentally, target" individuals who are in the EEA are obligated to comply with the GDPR.
- Organizations established in the EEA have additional obligations: they must comply with the GDPR regardless of where in the world the data subjects are located.
The following matrix shows under which conditions GDPR applies:
However, in a world of international trade and high mobility of individuals, organizations obviously cannot control the data subjects' whereabouts while a business transaction takes place or thereafter. (Even data subjects' IP addresses captured during electronic communications do not prove presence in or absence from a certain territory, since individuals can legitimately, and increasingly will, hide their real geographical location by using Virtual Private Networks.) Therefore, I recommend that organizations in row B of the matrix conduct all their activities related to processing personal data in a GDPR-compliant manner.
From a practical perspective, the above matrix can then be simplified as follows:
In conclusion, any organization offering products or services worldwide must presume, by default, that the GDPR applies to it. Conversely, non-EEA businesses whose commercial target area lies outside the EEA are exempt from GDPR compliance.
* Published at https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1528874672298&uri=CELEX%3A32016R0679
** Legal disclaimer: This blog post is not intended to be legal advice, but to raise awareness; consulting a lawyer is recommended.
*** Published at https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en.pdf