On November 23, 2018, the European Data Protection Board (EDPB) issued draft guidelines (Guidelines) relating to the territorial scope of the GDPR. The Guidelines help clarify the scope and applicability of the GDPR with respect to data controllers and processors outside the European Union (EU).
The Guidelines state that data controllers and processors targeting data subjects in the EU will be subject to the GDPR even if the data controller or processor is not established in the EU. In assessing whether an entity is “targeting data subjects in the EU”, the Guidelines recommend employing a twofold approach: first, assessing whether the processing relates to the personal data of data subjects in the EU; and second, assessing whether the processing relates to the offering of goods or services or to the monitoring of data subjects’ behaviour in the EU.
According to the Guidelines, a data subject in the EU refers to any person in the EU whose information is being collected, regardless of their nationality or legal status. This broad definition includes visitors temporarily in the EU. However, processing personal data of an individual in the EU is not on its own sufficient to trigger the application of the GDPR. Entities must target EU data subjects with offers for goods or services, or monitor their behaviour, in order for the GDPR to apply. The Guidelines provide a set of factors to consider when determining whether an intention to offer goods and services exists or whether an entity is monitoring a data subject’s behaviour.
Summary By: Jae Morris