The EU’s General Data Protection Regulation (GDPR) comes into force on May 25.
As many EU-based personal data handlers count down the days until GDPR becomes effective, hoping for the best, a burning question remains for non-EU personal data handlers: does GDPR apply to my business or not?
The stakes are pretty high, bearing in mind the draconian punishments GDPR prescribes for the breach of its provisions. That is why figuring out its extraterritorial application is crucial for non-EU entities.
As per GDPR, it applies 1) to personal data controllers/processors established in the EU, regardless of whether the processing takes place in the EU or not (territorial application); and 2) to personal data controllers/processors not established in the EU when processing EU citizens’ personal data, as long as the processing activities relate to either a) the offering of goods or services, irrespective of whether a payment by the data subject is required, or b) the monitoring of EU citizens’ behavior, as far as their behavior takes place within the EU (extraterritorial application).
The latter can cause a lot of confusion when it comes to its practical application. What does the extraterritorial application of GDPR actually mean in practice, and how can a non-EU entity easily ascertain whether it is subject to GDPR?
According to the Article 29 Working Party’s GDPR General Information Document, for GDPR to be applicable to a non-EU entity, that entity must target EU citizens, either by proactively offering them goods and services, or by monitoring EU citizens’ behavior taking place in the EU and making decisions based on the results of such monitoring.
For example, if a Serbian company runs a German-language website on which it offers goods that can be ordered in German and paid for in EUR, accepts orders from EU citizens and delivers its goods to them, then it is safe to conclude that the Serbian company targets Germans/Austrians, i.e. EU citizens, and is therefore subject to GDPR.
For a non-EU entity to be considered as offering goods and services to EU citizens, it should be evident that the entity targets EU citizens in order to offer them goods and services. As for monitoring of EU citizens’ behavior, the other ground for extraterritorial application, there must be monitoring of behavior that takes place in the EU: the non-EU data handler needs to track and profile EU citizens, online for example, so that it can predict their behavior and make decisions based on that monitoring.
Therefore, it can be argued that merely processing EU citizens’ personal data, without the elements of offering goods/services, targeting and monitoring, does not make a non-EU entity subject to GDPR, especially since it is safe to assume that a vast number of non-EU entities hold EU citizens’ personal data in their databases for many other reasons.
Regardless of whether a Serbian company qualifies as a GDPR subject, it is hard to imagine any negative effects for a company that becomes GDPR-compliant, even if it does not have to. For example, a GDPR-compliant company can be considered a more desirable partner, and for Serbian entities the GDPR compliance process pretty much means being compliant with the new Serbian Data Protection Act, the draft of which relies heavily on GDPR and is expected to come into force in the near future.