Has anyone spoiled a perfectly fine day by telling you that – though you own a non-EU company – the GDPR might still apply to you?
Are you wondering how a piece of EU legislation might create obligations upon you – when you’ve only been there as a tourist, and even that was in 5 BCE (Before Covid Era)?
Would you like to understand when, exactly, your non-Eu company is subject to the provisions of the GDPR (so you can stop doing whatever triggers it right now)?
We get you. The fact that the GDPR does, indeed, create obligations upon some non-EU companies might seem a) weird and b) fairly annoying to those involved.
In this article, we’ll take a look at the territorial scope of the GDPR and explain when and why it affects you.
Keep in mind this is just an overview: our goal is to help you grasp the basics of the matter, not to provide legal advice. If you want to assess whether the GDPR applies to your specific non-EU company, you need to speak with a lawyer.
GDPR for non-EU companies: Article 3 GDPR
The GDPR provision regulating its territorial scope (a.k.a. telling the reader where the thing applies) is Article 3.
According to Article 3,
«1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.»
Unless you are an ambassador or something of the kind, forget about sub-clause 3. Instead, let’s focus on the other two subclauses and the criteria they set forth: the “establishment” and the “target criterion, respectively.
GDPR for non-EU companies: the “establishment” criterion
We’ll only touch on this one since it’s more likely that you fall under the so-called “target” criterion.
The key concept is that if you have an establishment in the EU, the GDPR applies to all data processing activities relating to that establishment.
You might think what we mean to say is, “if you are based in the EU, the GDPR applies.” But it’s more complicated than that.
It’s true that if your company is headquartered or has a branch with legal personality in the Union, the GDPR applies.
But “establishment” (you’ll notice sub-clause 1 doesn’t use the word “based”) is a much broader concept than “headquarters,” “branch,” “registered office,” or whatever else you are thinking about.
As the European Data Protection Board (EDBP, the entity responsible for ensuring consistent application of the GDPR) clarified in 2019,
«[…] an “[e]stablishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.“»
So it’s not enough to say “I’m not based in the EU” to exclude the relevance of the GDPR. If you exercise activities in the EU through “stable arrangements,” you fall under the provisions of Article 3(1), and the GDPR applies to you.
GDPR for non-EU companies: the “target” criterion
What if you don’t have anything even remotely resembling an “establishment”?
Well, according to Article 3(2), the GDPR might still apply to your non-EU company if:
- you offer goods or services to people in the EU, or
- you monitor the behavior of people in the EU.
Let’s take a closer look at these two scenarios.
Non-EU Companies offering goods or services to people in the EU
Not a remote hypothesis in today’s world, right? Many companies run global businesses and work with clients from all over the globe. Well, if said clients are in the EU, the GDPR applies. Even if you offer your goods or services for free, as Article 3(2) clarifies (pay attention to that «irrespective of whether a payment of the data subject is required» part).
Having said that, the EDPB has clarified that merely having a product or service that could inadvertently or incidentally be used by an EU-based person is not enough to trigger the applicability of the GDPR.
For the GDPR to apply, the intention of offering such products or services must be ascertained.
And how do you ascertain it?
There’s no one-size-fits-all answer here, and again, if you doubt your situation, we recommend you contact a lawyer.
However, the EDPB has listed several elements that could be taken into account, such as:
- The EU or at least one Member State is designated by name with reference to the good or service offered;
- The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union; or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience;
- The international nature of the activity at issue, such as certain tourist activities;
- The mention of dedicated addresses or phone numbers to be reached from an EU country;
- The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”;
- The description of travel instructions from one or more other EU Member States to the place where the service is provided;
- The mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;
- The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member states;
- The data controller offers the delivery of goods in EU Member States.»
Some of those elements might suffice on their own, while others should be evaluated in combination with one another. Again, if you think you fall under one or more of these categories, we suggest you seek legal advice.
Non-EU Companies monitoring the behavior of people in the EU
And here we come to what is likely the most common scenario: the monitoring of the behavior of people in the EU.
According to Recital 24, GDPR,
«[…] In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.»
This is already a fairly broad definition since most tracking tools commonly used in digital marketing would fall under it.
And yet, the EDPB guidelines make it even broader. As we can read on page 19,
«[…] the EDPB considers that tracking through other types of network or technology involving personal data processing should also be taken into account in determining whether a processing activity amounts to a behavioural monitoring, for example through wearable and other smart devices.»
GDPR for non-EU Companies: how is that possible?
Ok, so you’ve read all of the above and (hopefully) understood whether the GDPR applies to your non-EU company.
What you might still not understand is the how. How is that possible? What gives the *European* Union power to regulate the conduct of people who don’t live there?
To answer your question, we’ll ask you to forget for a moment about the GDPR and think about oil.
Coconut oil, to be more specific.
Imagine your company produced coconut oil in a non-EU country. Would you have to stick to European regulations when making your oil? Obviously, not. You could happily ignore them.
But what if you wanted to export your coconut oil to the EU and sell it to European customers?
Then you would have to comply with the provisions that regulate the import of goods under EU law. And the reason is fairly obvious: when your product “enters” the EU space, EU rules apply.
The principle underlying Article 3 is the same. Of course, here we have an added difficulty: since many activities that involve cross-border data processing happen through the internet, it’s harder to visualize them “entering” the EU space.
But that’s what happens when you “offer products or services” or “monitor the behavior” of “people in the EU.” The very wording of the article, mentioning physical presence (“people in the EU“) rather than citizenship or residence, confirms that the territorial link is what matters.
So Article 3 doesn’t deviate from any basic national or international law principle. It just tries (with obvious difficulties) to adapt them to the internet era.
In Conclusion: what should you do if the GDPR applies to your non-EU Company?
Finding out you’re required to comply with the GDPR even though you own a non-EU company might sound like a (how do we put it nicely?) hassle.
Of course, if you think your EU-based clients are not worth it, you can always change your practices so that the GDPR will no longer apply to you in the future (for example, you can stop monitoring their behavior).
But keep in mind that data protection will remain a critical topic in the years to come. Sooner or later, your country might adopt legislation mirroring the GDPR – as many already have.
So it’s a good idea to consider data protection, not as a burden but as an added benefit you offer your clients.