Nixon Digital

GDPR Compliance for Non-European Companies

For some individuals, understanding the implications and applications of geography in relation to GDPR compliance can be challenging. While compliance with the GDPR is standard practice for businesses within the European Union, non-European companies may not be as familiar with the regulations.

In this blog post, we will explore the importance of considering geography when it comes to GDPR compliance. This includes not only the compliance of the companies themselves but also the impact on their business based on the locations where they operate, whether intentionally or unintentionally.

If you are a US-based company that sells to European customers, GDPR compliance is a requirement. However, even if you are a US company that does not sell to Europe but collects analytics data on European visitors, you may still need to comply with the GDPR. We will delve into the specific situations where non-European companies must adhere to GDPR rules, particularly those outlined in Article 3 on territorial scope.

By the end of this blog post, you will better understand the potential implications of geography on GDPR compliance for non-European companies.

This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not

Under this section of the Regulation, the term “establishment” should be interpreted broadly and flexibly. An organization is established in the EU if it carries out any real and effective activity through stable arrangements in Europe. Therefore, if you have a legal representative in Europe with a contact address or a bank account for providing services, the data processing related to the activities of this entity will be subject to the GDPR. Similarly, if your sales offices in the EU promote, sell or advertise products or services targeted toward European residents, the GDPR will also apply to the associated data processing activities.

The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union

The organization must make it clear that it intends to direct its activities towards data subjects in the EU, regardless of whether a payment is required for the goods or services offered. This can be demonstrated through various means, such as using an EU language/currency, allowing orders to be placed in that language, referencing EU users or customers, paying for marketing activities directed at EU users, having EU phone numbers, using EU top-level domain names, and so on.

The monitoring of data subjects’ behaviour as far as their behaviour takes place within the Union

If an online business monitors the behavior of users within the EU, then it must comply with the requirements of the GDPR. This includes the use of web analytics tools as well as tracking for personalization purposes. It applies to website visits from users located within the EU, regardless of whether they are EU citizens or not. However, the rule is often interpreted as not applying to the monitoring of EU citizens who are located outside of the EU at the time of the website visit.

If you have a contract with a client from within the EU or a client applying GDPR

This scenario pertains to an agency or company based outside of the EU that performs work involving personal data for clients within the EU, such as email marketing, web analytics or data storage. In this situation, the company or agency is considered a data processor, while the client is the data controller. As a result, their relationship must be governed by a data processing contract as outlined in Article 28 of the GDPR. The data processor is only permitted to carry out the actions specified in the contract and must implement all the measures it states. Since the data controller must comply with the GDPR, the contract should require the data processor to use methods and measures that adhere to the GDPR. This means that, indirectly, the data processor must be able to comply with the GDPR as well.

To be more specific, the contract between the data processor and their EU client should outline that the processor:

  • Processes personal data only as directed by the controller
  • Implements appropriate measures to secure the data
  • Assists the controller, as far as possible and by appropriate technical and organizational measures, in fulfilling its obligation to respond to data subject requests under Chapter III of the GDPR
  • Assists the controller in complying with the obligations outlined in Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to the processor

Understanding GDPR Compliance Implications for Non-European Companies

It is essential for non-European companies to understand the implications of geography for GDPR compliance. The Regulation applies to companies that sell to European customers, as well as to those that collect data on European visitors or perform work for European clients. The definition of “establishment” is broad, and companies with a legal representative or sales offices in Europe may be subject to GDPR requirements.

If you are running 50+ websites for your company, it is important to make sure they are all GDPR compliant. To help you out, we have put together a checklist of the procedures you need to follow. This way, you can ensure that your website portfolio meets all the requirements of the GDPR and that your users’ personal data stays safe and secure.