Privacy and Data Protection based on the GDPR. Leo Besemer
countries, however, have territories in other parts of the world, with varying degrees of autonomy. Based on Article 198 TFEU the EU recognizes nine such territories as part of the EU: Azores and Madeira (Portuguese), Canary Islands (Spanish), French Guiana, Guadeloupe, Martinique, Saint Martin, Mayotte and La Réunion (French). These territories are within the territorial scope of the GDPR. Other overseas countries and European territories are not part of the EEA and with regard to the GDPR these are deemed “third countries”.
Figure 1.8 Map of the EEA (March 2020)
Special cases also include the Channel Islands and the Isle of Man, which are part of neither the UK nor the EU, and the Faroe Islands and Greenland, which are autonomous parts of the Kingdom of Denmark but not part of the EU.
The geographical scope of the GDPR will probably vary again in future, both because of Great Britain leaving the Union and also as new countries have applied for EU membership. Bosnia-Herzegovina, Montenegro, Northern Macedonia, Serbia and Turkey were all declared “candidate countries”, whilst Albania and Kosovo have been declared “potential candidates”, which means they have a clear prospect of joining the EU in the future but have not yet been granted candidate country status.
In addition, the GDPR applies to processing of personal data by a controller not established in the EEA, but “in a place where Member State law applies by virtue of public international law”. Recital (25) gives the example of a Member State’s diplomatic mission or consulate. For the same reason the GDPR also applies to processing aboard ships that are registered in an EU Member State, regardless of where in the world the ship actually is.
Example: The Dutch consulate in Kingston, Jamaica, opens an online application process for the recruitment of local staff in order to support its administration. While the Dutch consulate in Kingston is not established in the Union, the fact that it is a consular post of an EU country where Member State law applies by virtue of public international law, renders the GDPR applicable to its processing of personal data.
Example: A German cruise ship travelling in international waters is processing data of the guests on board for the purpose of tailoring the in-cruise entertainment offer. While the ship is located outside the Union in international waters, the fact that it is a German registered cruise ship means that by virtue of public international law the ship is considered German territory. As a consequence, the GDPR is applicable to its processing of personal data, as per Article 3(3).
1.3.3.2 Targeting criterion
The absence of an establishment in the Union does not necessarily imply that a controller or processor established in a non-EEA country is excluded from the scope of the GDPR:
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behavior as far as their behavior takes place within the Union.
GDPR Article 3(2)
The GDPR applies to processing related to trade (“the offering of goods or services”) and “monitoring of behavior” of persons who are in the European Union, but not in all cases. The company must have a clear intention to offer its products or services to individuals within the EU. The fact alone that the website is available in one or more European languages is not sufficient.
This has far-reaching consequences:
Example: A large Canadian online book store has websites in English, French, German and Spanish. The company advertises in European countries, offering 24/7 telephone customer services in those languages and customers can use a national phone number in a number of EU countries to contact the sales department.
An Argentinean citizen who happens to be visiting Paris (France) orders some books. Though the customer is not an EU resident and the company is not European, the processing needed for the transaction and delivery would be subject to the GDPR. The Canadian store should, being a controller according to the GDPR, have appointed a representative in the EU.
Example: A large Canadian online book store has websites in English, French and Spanish. The company advertises mainly in North and South America. An Argentinean citizen who is a regular customer and happens to be visiting Paris (France) orders some books. Processing in connection with this purchase would not be subject to the GDPR.
The fact that the books must be delivered in France is not enough to conclude that the company intends to do business in Europe. And indeed, if the Argentinean citizen orders e-books only, the Canadian online book store would not even know where the actual delivery takes place.
Note that the GDPR relates to “data subjects who are in the Union”. Often in literature you find this reformulated to “residents of the EEA”, which is incorrect. “Resident” implies that you live somewhere on a long-term basis.
As in the first case of the Argentinean citizen visiting Paris, the facts that the website targets the EU market and that the Argentinean citizen is within the borders of the EEA are enough. You do not have to be a European resident to have your personal data protected by the GDPR.