Who Must Comply

Increased Territorial Scope

The territorial scope of the GDPR has increased relative to its predecessor. The scope is covered by Article 3 of the legislation;

  1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
  2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
    1. (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
    2. (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
  3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Naturally as you would expect the legislation applies to entities who have a location within the EU.

Where this legislation diverges is that it also encompasses entities who are offering goods or services to anyone residing in the EU, even if those services are provided free of cost.

So any global business either has to become compliant for all of its users/customers or be able to accurately identify EU residents and enable compliant systems to handle only that subset of the customer base.

Building and maintaining two separate information systems is no practical or cost effective, and the downside risk of making a mistake is too large to make it acceptable. It has therefore become normal practice for businesses to apply GDPR compliant information systems to all users, regardless of location.

To remove ambiguity, Recital 23 clarifies this position further;

Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.

A non-exhaustive list to help establish whether or not a firm falls under the scope of GDPR;

  • The entity website can be accessed by EU residents
  • The entity’s email or ontact details can be accessed by EU residents
  • The entity is located in a non-EU state with a principle language which is the same as an EU state
  • The entity markets goods or services in the principle language used by an EU member state
  • The entity lists prices in EU member currency (Euro, £, Swiss Franc, Kronor)
  • The entity cites EU customers

This allows firms to establish they do not fall under the scope of GDPR by blocking their wesbite from EU IP addresses and rejecting email from EU mailservers.

The language aspect is more of an arguable point. English is the main language of the UK and Spanish the principal language of Spain, but English and Spanish are two of the three most spoken lanaguages in the world, and not the preserve of the EU.

General consensus (which will be put the test in case law) is that use of English or Spanish is unlikely, on its own, to constitute an attempt to market to spcifically to EU residents, whilst marketing in Dutch, Danish or Flemish would.

Exemptions and Derogations

While the GDPR has broad implications for commerce, it nonetheless exempts certain entities or activities from compliance. Below is a non-exhaustive review of key exemptions.

There are exemptions for certain activities. Personal or household activity is the main one covered by article 2(c);

“by a natural person in the course of a purely personal or household activity”.

Grandfathering of previously collected data

The legislation does not allow for grandfathering of previously collected data, unless that data was collected under conditions which would now pass GDPR compliance tests.

Data controllers have the chouce of either attempting to obtain retrospecitve consent from the data subjects or stop processing that subject’s data.