Some food for thought about the GDPR Territorial Scope

One of the essential novelties brought by the European General Data Protection Regulation 2016/679 (GDPR) is its broad territorial scope (Article 3), which extends well beyond the perimeter of the EU Member States: as a result, a very wide variety of enterprises, companies and, in general, organizations located anywhere in the world, whatever their business, are required to comply with the GDPR provisions if that business is targeted to the EU as determined by the GDPR.

Providers of outsourced services such as IT support, HR & payroll services, insurance-related services and the providers of services integrated into cloud services (i.e. storage system operators, operation & maintenance managed services, etc.), whether or not they are established in the EU, are required, when acting in the role of Processors or Controllers, to fulfil the relevant GDPR provisions when processing data in the context of their EU business. The meaning of 'data subjects who are in the EU' plays a fundamental role in shaping the effective boundaries of GDPR applicability for organizations not based in the EU: it is reasonable not to limit this meaning to the physical location or the place of residence of the individuals, and Controllers/Processors will need to assess other elements such as the language adopted for marketing and selling their goods and services to potential EU customers.

On this point it is worth bearing in mind a CJEU judgment of December 2010 concerning a case on determining the applicable jurisdiction for services sold through a website (see the Curia Press Release: europa.eu\rapid\press-release_CJE-10-118_en.pdf): "In order to determine whether a trader whose activity is presented on its website or on that of an intermediary can be considered to be ‘directing’ its activity to the Member State of the consumer’s domicile, within the meaning of Article 15(1)(c) of Regulation No 44/2001, it should be ascertained whether, before the conclusion of any contract with the consumer, it is apparent from those websites and the trader’s overall activity that the trader was envisaging doing business with consumers domiciled in one or more Member States, including the Member State of that consumer’s domicile, in the sense that it was minded to conclude a contract with them. The following matters, the list of which is not exhaustive, are capable of constituting evidence from which it may be concluded that the trader’s activity is directed to the Member State of the consumer’s domicile, namely the international nature of the activity, mention of itineraries from other Member States for going to the place where the trader is established, use of a language or a currency other than the language or currency generally used in the Member State in which the trader is established with the possibility of making and confirming the reservation in that other language, mention of telephone numbers with an international code, outlay of expenditure on an internet referencing service in order to facilitate access to the trader’s site or that of its intermediary by consumers domiciled in other Member States, use of a top-level domain name other than that of the Member State in which the trader is established, and mention of an international clientele composed of customers domiciled in various Member States.
It is for the national courts to ascertain whether such evidence exists. On the other hand, the mere accessibility of the trader’s or the intermediary’s website in the Member State in which the consumer is domiciled is insufficient. The same is true of mention of an email address and of other contact details, or of use of a language or a currency which are the language and/or currency generally used in the Member State in which the trader is established."

From the 'behaviour monitoring' point of view, non-EU-based Controllers/Processors will need to pay due attention to their evaluation of GDPR applicability, since the meaning of the 'behaviour' of an individual is not completely delimited by the Regulation. Beyond the 'typical' case of behaviour monitoring for marketing purposes performed on the Internet by means of cookies or device fingerprinting techniques, it can also include geo-location processing activities or other processing performed on the personal data of an organization's workers, for example for safety purposes or for the protection of company assets.

Lastly, it is important to note that the practical enforceability of the GDPR against non-EU-based Controllers/Processors that are to be considered in scope for GDPR applicability appears to be a hard task for the 28 Supervisory Authorities; inter alia, it will require strong coordination among them in order to avoid national divergences in applying different monetary values of administrative sanctions for the same GDPR obligation, which is in force in all the EU Member States: such a situation would be unacceptable from several points of view. Furthermore, it is worth underlining that, for non-EU-based Controllers/Processors in scope for the GDPR, a specific sanction is provided in case they infringe the GDPR obligation (Article 27) requiring them to designate in writing a Representative in the EU: the fine is up to 10 million eur or, in the case of an undertaking, up to 2% of the total worldwide annual turnover, whichever is higher.

Please provide your reactions, considerations, contributions and proposals to address specific issues in LinkedIn Groups where this post appears or write to gloria.marcoccio@glory.it.