TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout
S18_Web_300x250-COPY
OneTrust_PrivacyConnect_banner_ads_300x250_v3_012418
PrivacyTraining_ad300x250.Promo1-01

Determining an organization’s applicability under the General Data Protection Regulation is a complex topic, and many are left a bit confused  while researching applicability under the monumental regulation. Oftentimes, there’s conflicting information as to whether it applies to a specific organization. The expansive coverage of the GDPR by itself can intimidating, but, by breaking down the fundamentals into smaller, more manageable sections, we can start making better decisions on its applicability and craft a compliance framework based on a solid foundation.

Before we jump into the requirements, it’s important to note that this criteria below is applicable to organizations even where the processing of personal data takes place outside of the EU. Due to that international reach, one cannot simply avoid GDPR obligations because they are outside the jurisdiction of the EU. So, let’s begin to dissect the parts of Article 3 and its provisions under "territorial scope" to get a better understanding of how GDPR classifies an "in-scope" organization, along with the two conditions that decide the applicability of an organization in the eyes of the regulation.

Criterion 1: If your business is offering goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU

The definition of "offering of goods and services" isn’t extraordinarily specific when referring to Article 3. In general, websites are globally accessible. So, would that mean your business is, by default, offering goods and services to EU citizens? Looking further into the GDPR’s clarification under Recital 23 provides a better perception of how its interpreted according to the regulation.

Recital 23: “Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention.”

That provision answers the above question: a website that is simply accessible by a global audience in itself would not indicate intention of “offering goods and services” to EU citizens, and, on its own, would not necessarily subject an organization to the GDPR. However, other conditions do exist, so let’s not stop here. Recital 24 includes additional aspects for consideration. 

Recital 24: “Factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”

According to the above text from the GDPR, organizations may demonstrate "intention of offering goods and services" to EU citizens under the following circumstances:

  • The organization provides the option to interact with the website in the native language and currency of an EU Member State; and/or
  • The organization advertises its customers or users (i.e. testimonials) that are in based in the union with the goal of appealing to other users in the same locality.

 The Court Justice of the European Union offers good clarification on the topic of “intention” in relation to offering your product to EU citizens, and how it can be demonstrated under the following conditions:

  • “Patent” evidence, such as the payment of money to a search engine to facilitate access by those within a member state or where targeted member states are designated by name; 
  • Other factors — possibly in combination with each other — including the “international nature” of the relevant activity (e.g. certain tourist activities), mentions of telephone numbers with an international code, use of a top-level domain name other than that of the state in which the trader is established (such as .de or .eu), the description of “itineraries ... from member states to the place where the service is provided,” and mentions of an “international clientele composed of customers domiciled in various member states.”

Drawing from the main points in the above statements, it should be noted that organizations should further examine their obligations under the regulation where they:

  • Include international telephone numbers on their website for contact purposes;
  • Use top level domains of an EU Member State (i.e. .eu, .ie, .de);
  • Provide options for EU language translation;
  • Provide options for EU currency conversion; and,
  • Advertising to attract EU users (leveraging existing EU clients or users as advertising material).

If your organization meets at least one of the above criterion, it may be a good time to prompt a review and determine if you’re required to comply with GDPR’s requirements. Where in doubt, always seek legal advice.

Criterion 2. If your business monitors the behavior of EU citizens and their behavior takes place within the union.

The regulation also uses the word “monitoring” in relation to organizations’ processing activities and may be unclear as to its true meaning and how it applies. To gain better understanding, we can use guidance provided by Recital 24 of the regulation; specifically, “natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.”

The above excerpt appears to refer to online monitoring and could be associated with behavioral-based advertising that creates profiles based on the data subject’s actions. Monitoring in the GDPR framework is also referred to as “profiling,” and is defined as the automated analysis or predicting of behavior, location, movements, reliability, interests, personal preferences, health, economic situation, performance, etc. It’s also important to note that Article 29 Working Party does provide other examples of monitoring including, but not limited to:

  • Online behavioral based advertising;
  • Travel data of individuals using a city’s public transport system (e.g. tracking via travel cards);
  • Profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering);
  • Location tracking, for example, by mobile apps; and
  • Monitoring of wellness, fitness and health data via wearable devices.

Article Working Party 29 suggests that organizations should consider all forms of behavior monitoring, including CCTV, smart cars, home automation, etc. With the wide scope of profiling behavior, organizations should evaluate their current online and offline operations to determine if they will be classified under the monitoring requirement. Organization should also consider “monitoring” in circumstances where they collect data on their employees inside and outside of the workplace, including BYODs, MDM solutions that track location and company owned vehicles with tracking devices.

Clearly, given the wide net this regulation captures, information technology leaders and process owners of all organizations should prioritize assessing a formal conclusion on GDPR’s applicability, as the deadline is almost upon us. If you are unsure if your organization falls into scope of Article 3’s criteria, you should seek the advice from a privacy expert and your legal advisors. 

photo credit: Noble Research Institute 2016_11_04_RM_TBD_PecanScabLabYaninaAlarcon_008 via photopin (license)

3 Comments

If you want to comment on this post, you need to login.

  • comment Valentin Conrad • Jan 29, 2018
    And what is the case if an EU company assigns a non-EU company as a subcontractor (which is based in a reliable country) ? Is this non-EU company directly subject to the GDPR? I would say no. But the subcontractor would indirectly be subject to the GDPR because the controller will include an obligation to comply with GDPR in the subcontractor contract.
  • comment Jeroen Terstegge • Feb 2, 2018
    The article is flawed on several points:
    
    1. The article focuses exclusively on art. 3(2) GDPR. However, as the European Court of Justice has pointed out in the Costeja case, the criterion of “processing in the context of the activities of an establishment of a controller ... in the Union” in art. 3(1) may also result in the applicability of the GDPR to controllers that are not themselves established in the EU, but where the personal data are processed by such controller in the context of its European establishment.
    
    2. The article - like many articles about the GDPR on the internet - suggests that the GDPR applies to ‘EU citizens’. As the EU considers the right to data protection a fundamental right (art. 8 CFREU), the protection of the GDPR applies to everybody who happens to be within the scope of EU law (see recital 2:... “whatever their nationality or residence”....). Ergo, the GDPR, especially art. 3(2)(b), also applies to non-EU citizens who are in the EEA. For example, if an American tourist in Amsterdam uses an all-American app on his phone which collects location data, the GDPR applies to such data and the company in the US which places the app on the (American) market must comply with the GDPR for the duration of that tourist’s holiday in Amsterdam. Not that the DPA’s firebrigade will deploy and raid their offices if it doesn’t, but the GDPR applies nonetheless. Note that if that American tourist happens to fly KLM back home, the GDPR only ceases to apply when he deplanes in the US :-)
    
    3. The article suggests that monitoring is the same as profiling as defined in art. 4(4) GDPR. Where the Article 29 Working Party in its draft opinion on profiling links profiling/automated decision making to monitoring, the term ‘monitoring’ is much wider. All observed personal data for the purpose of recording behaviour, attendance, performance, location, etc, qualifies as monitoring, even if there is no automated analysis or profiling attached.
  • comment Kevin Kish • Feb 2, 2018
    Thanks for the comment Jeroen.  I agree with your points an hope to clarify.
    
    Regarding the applicability of the regulation on organizations inside and outside of the EU, specifically that the regulation places equal emphasis on organizations, regardless if they are in the union (or not).  Although this is noted in the second paragraph (“it’s important to note that this criterion below is applicable to organizations even where the processing of personal data takes place outside of the EU”), there is room certainly room better highlight this with the other criteria of Article 3.
    
    Same agreement goes for the term “citizen” – you’re right on!  The regulation does not emphasize applicability based on a person’s citizenship – we need to be concerned with the location at which the data is collected (and subsequently transferred).  The term was meant to provide an example of, or a common concept of data collection from those individuals in the EU (simply put as citizen).  Great example by the way!
    
    Profiling and monitoring are interesting topics, I think that each of these concepts can arguably have their own deep-dive analysis.   The way that I looked at in this context was in the sense of monitoring of an individual’s behavior with techniques that consist of profiling (as referred to in Recital 24) to collect and make actionable decisions on that individual.  I do agree – monitoring does not equal profiling.
    
    Thanks for your input.  By the way, I really enjoyed your Article "The EU's privacy by default 2.0" -- great insights.