Territoriality of GDPR
Organizations have long been confused about whether they need to comply with GDPR even if they do not process data in the European Union. Answering this question properly takes far more detail, insight, investigation and advice, but briefly we can say ‘Yes’ to it.
The territoriality of the General Data Protection Regulation, and the scope it holds and foresees, is a broad concept, as it comprises some concepts that are not clearly explained in the Regulation.
One instance is the concept of establishment. The Regulation foresees compliance by EU-established organizations and also by organizations, wherever they may be, that offer goods to individuals in the EU or monitor individuals in the EU. Article 3(1) also offers an insight into the concept of establishment, which might seem somewhat at odds with the preceding conditions, as it places obligations on data processors or controllers that are established in the EU, regardless of whether the processing takes place in the Union or not. Contrary to the first impression the concept gives, it is not about the legal incorporation of an organization in a country inside or outside the EU. It concerns the necessary human and technical competencies, in the sense of resources available for business activities.
See, for instance, ‘Weltimmo’, an advertising enterprise incorporated in Slovakia but targeting and operating in the Hungarian market. Weltimmo was a Slovakia-incorporated business; still, since the start of its operations it had a website in Hungarian, targeted the Hungarian market, and held an office in Hungary for necessary business and legal correspondence. The Hungarian Data Protection Authority took action against Weltimmo, bringing the case to the attention of the Slovakian DPA. The final decision of the Court of Justice of the European Union was that Weltimmo, in literally any activity of its business, should be subject to Hungarian data protection law. This was a clear indication that Weltimmo was considered to be an establishment in Hungary.
A similar case, concerning the search engine Google and its subsidiary in Spain, arose right after a complaint brought by a Spanish citizen. He intended to claim his right to be forgotten, but because of the business model Google used for advertising, his name and some information or a photo popped up in the search engine. Even though Google did not take any action or business order for this to happen, the Court of Justice of the European Union still found an ‘inextricable link’ between the activities. This decision also points to the consideration that any organization that operates in some way through its sales offices or various marketing channels targeting individuals in the EU will be obliged to comply with and operate within the Regulation.
Non-EU established organizations, on the other hand, are considered to be operating under the Regulation as long as they offer goods and sell to individuals in the EU or monitor their behaviour, such as item purchasing habits. These articles in fact miss quite an important issue. It is not clearly stated in the Regulation whether non-EU established organizations that offer services or sell goods to EU businesses, not individuals, fall within the scope of the Regulation.
Moreover, merely selling goods to an individual in the EU is not by itself sufficient for an organization to be considered under the Regulation. There are further factors, such as use of an EU language and reference to EU customers.