Determining an organization’s applicability under the General Data Protection Regulation is a complex topic, and many are left a bit confused while researching applicability under the monumental regulation. Oftentimes, there’s conflicting information as to whether it applies to a specific organization. The expansive coverage of the GDPR by itself can intimidating, but, by breaking down the fundamentals into smaller, more manageable sections, we can start making better decisions on its applicability and craft a compliance framework based on a solid foundation.
Before we jump into the requirements, it’s important to note that this criteria below is applicable to organizations even where the processing of personal data takes place outside of the EU. Due to that international reach, one cannot simply avoid GDPR obligations because they are outside the jurisdiction of the EU. So, let’s begin to dissect the parts of Article 3 and its provisions under "territorial scope" to get a better understanding of how GDPR classifies an "in-scope" organization, along with the two conditions that decide the applicability of an organization in the eyes of the regulation.
Criterion 1: If your business is offering goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU
The definition of "offering of goods and services" isn’t extraordinarily specific when referring to Article 3. In general, websites are globally accessible. So, would that mean your business is, by default, offering goods and services to EU citizens? Looking further into the GDPR’s clarification under Recital 23 provides a better perception of how its interpreted according to the regulation.
Recital 23: “Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention.”
That provision answers the above question: a website that is simply accessible by a global audience in itself would not indicate intention of “offering goods and services” to EU citizens, and, on its own, would not necessarily subject an organization to the GDPR. However, other conditions do exist, so let’s not stop here. Recital 24 includes additional aspects for consideration.
Recital 24: “Factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”
According to the above text from the GDPR, organizations may demonstrate "intention of offering goods and services" to EU citizens under the following circumstances:
- The organization provides the option to interact with the website in the native language and currency of an EU Member State; and/or
- The organization advertises its customers or users (i.e. testimonials) that are in based in the union with the goal of appealing to other users in the same locality.
The Court Justice of the European Union offers good clarification on the topic of “intention” in relation to offering your product to EU citizens, and how it can be demonstrated under the following conditions:
- “Patent” evidence, such as the payment of money to a search engine to facilitate access by those within a member state or where targeted member states are designated by name;
- Other factors — possibly in combination with each other — including the “international nature” of the relevant activity (e.g. certain tourist activities), mentions of telephone numbers with an international code, use of a top-level domain name other than that of the state in which the trader is established (such as .de or .eu), the description of “itineraries ... from member states to the place where the service is provided,” and mentions of an “international clientele composed of customers domiciled in various member states.”
Drawing from the main points in the above statements, it should be noted that organizations should further examine their obligations under the regulation where they:
- Include international telephone numbers on their website for contact purposes;
- Use top level domains of an EU Member State (i.e. .eu, .ie, .de);
- Provide options for EU language translation;
- Provide options for EU currency conversion; and,
- Advertising to attract EU users (leveraging existing EU clients or users as advertising material).
If your organization meets at least one of the above criterion, it may be a good time to prompt a review and determine if you’re required to comply with GDPR’s requirements. Where in doubt, always seek legal advice.
Criterion 2. If your business monitors the behavior of EU citizens and their behavior takes place within the union.
The regulation also uses the word “monitoring” in relation to organizations’ processing activities and may be unclear as to its true meaning and how it applies. To gain better understanding, we can use guidance provided by Recital 24 of the regulation; specifically, “natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.”
The above excerpt appears to refer to online monitoring and could be associated with behavioral-based advertising that creates profiles based on the data subject’s actions. Monitoring in the GDPR framework is also referred to as “profiling,” and is defined as the automated analysis or predicting of behavior, location, movements, reliability, interests, personal preferences, health, economic situation, performance, etc. It’s also important to note that Article 29 Working Party does provide other examples of monitoring including, but not limited to:
- Online behavioral based advertising;
- Travel data of individuals using a city’s public transport system (e.g. tracking via travel cards);
- Profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering);
- Location tracking, for example, by mobile apps; and
- Monitoring of wellness, fitness and health data via wearable devices.
Article Working Party 29 suggests that organizations should consider all forms of behavior monitoring, including CCTV, smart cars, home automation, etc. With the wide scope of profiling behavior, organizations should evaluate their current online and offline operations to determine if they will be classified under the monitoring requirement. Organization should also consider “monitoring” in circumstances where they collect data on their employees inside and outside of the workplace, including BYODs, MDM solutions that track location and company owned vehicles with tracking devices.
Clearly, given the wide net this regulation captures, information technology leaders and process owners of all organizations should prioritize assessing a formal conclusion on GDPR’s applicability, as the deadline is almost upon us. If you are unsure if your organization falls into scope of Article 3’s criteria, you should seek the advice from a privacy expert and your legal advisors.
photo credit: Noble Research Institute 2016_11_04_RM_TBD_PecanScabLabYaninaAlarcon_008 via photopin (license)