As the date of the full implementation of the 679/2016 Regulation draws nearer (May 25, 2018), it is important to understand who it refers to and where it applies. For data subjects, it is useful to know where to turn to exercise their rights. For companies this is even more crucial, in order to ensure that they operate in accordance with the law.

The territorial scope of the Regulation is based on 4 criteria:

  • The first criterion concerns the establishment. The Regulation, in essence, applies to all controllers that are established in a Member State of the European Union, irrespective of whether the data processing takes place within the Union or not. It follows that a European company must comply with the GDPR (General Data Protection Regulation) even when it processes personal data of non-EU citizens.

  • The second criterion concerns the location of the subject to whom the data and the services offered refer. In fact, the Regulation applies not only to European companies, but also to those located outside the EU (for example, an American company) when they process data from EU nationals and offer them goods and services (such as offers via web services). This principle significantly increases the scope of application of the GDPR, since the non-EU companies involved will also have to comply with the Regulation.

  • The third criterion relates to the location of the subject to whom the monitoring refers. In other words, Regulation 679 also applies to organisations established outside the EU, if they monitor the behavior of EU residents. ‘Monitoring’ consists of profiling a natural person via the Internet, for example by analysing or predicting her or his personal preferences, habits, behaviors and attitudes.

  • The last criterion refers to public international law. The Regulation also applies to organisations that are not established in the Union, but are subject to it by virtue of public international law.

What can be done in order to be compliant?

First of all, it is advisable to map all the processed data, in order to understand exactly how the data are handled and decide whether the processing operations are compliant with the GDPR. Subsequently, it is important to start implementing the new requirements in the upcoming data processing operations that fall under the 679/2016 Regulation.