Though the General Data Protection Regulation (GDPR) was adopted in the European Union, it has extraterritorial force and also applies to non-EU companies which meet certain criteria.
Application of GDPR to EU and non-EU/EEA companies
The GDPR (i.e. Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) applies to all companies which are based in the European Economic Area (EEA) and process (e.g. collect, store, use, disseminate etc.) personal data, regardless of whether the data processing takes place in the EEA or not. Note that the EEA includes all the EU countries as well as Norway, Liechtenstein and Iceland.
Moreover, a company which is not based in an EU/EEA country also has to comply with the requirements of the GDPR if it processes personal data of people who are in the EEA and its data processing activities are related to:
the offering of goods or services to data subjects in the EU/EEA (irrespective of whether a payment is required from such data subjects), or
the monitoring of their behaviour which takes place within the EU/EEA.
It is worth noting that the GDPR applies to the processing of data of individuals who are physically on the territory of any of the EU/EEA countries. This is not limited to citizenship, residence or other legal status in such countries.
Thus, the GDPR applies to non-EU/EEA companies which meet the so-called “targeting criteria”, for instance, if a non-EU/EEA company offers goods or services to people in the EU/EEA (for free or for a payment), i.e. targets EU/EEA consumers. As enforcement practice shows, it is enough for the European data protection authorities to establish that a company intends to offer goods or services to people in the EU/EEA. When assessing such intention, different factors are taken into account, for instance:
indicating prices in EUR on the company’s website;
placing information on the website in languages which are used in the EU countries;
offering an option to deliver products to the EU countries;
launching marketing and advertising campaigns directed at an audience in the EU;
paying a search engine operator for a web-referencing service in order to facilitate access to the company’s website for consumers in the EU;
using specific top-level domain names (e.g. “.eu”, “.de”, “.fr”);
mentioning dedicated addresses or phone numbers for people from the EU countries;
providing travel instructions from any of the EU countries to the place of service provision;
mentioning clients from EU countries, etc.
For instance, if an online shop which is based in Switzerland indicates prices in EUR or offers to deliver products to Germany, such e-commerce business has to comply with GDPR requirements. Sending promotional e-mails to people who live in the EU countries is also subject to the GDPR.
Moreover, the GDPR also applies to those non-EU/EEA companies which monitor the behaviour of people in the EU/EEA, for instance, if a Swiss company uses web tools on its website which track the cookies or IP addresses of visitors from the EU countries and analyse their behaviour.
Examples of monitoring the behaviour of people include, inter alia, behavioural advertising, geo-localisation, online tracking through cookies and other tracking techniques, online health analytics services, etc. Since the EU is the largest trading partner of Switzerland, many Swiss companies meet at least one of the above-mentioned “targeting criteria” and therefore should comply with the requirements of the GDPR.
GDPR as the strictest privacy and security law in the world
A number of countries have their own data protection legislation, for instance, the Federal Act on Data Protection in Switzerland, the Data Protection Act in the United Kingdom, the Law on Personal Data Protection in Ukraine, etc. However, the European General Data Protection Regulation (GDPR) is considered to be the strictest privacy and security law in the whole world. Non-compliance with the GDPR may entail a number of negative consequences, inter alia, the imposition of a fine of up to 20 million EUR or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (depending on the severity and circumstances of the GDPR violation). Thus, the total worldwide annual turnover of a group of companies can be used to calculate a fine for a GDPR violation by one of its companies. Apart from the fine, a company which has violated the GDPR may also face:
a demand to pay compensation to a data subject (i.e. a person whose personal data was processed) for the material or non-material damage caused as a result of the GDPR violation,
reputational losses,
a ban on data processing, etc.
Moreover, contracts quite often require compliance with applicable law (in general) or data protection regulations (in particular). In such a case, a violation of the GDPR can also be considered a breach of contract and entail contractual penalties, premature termination of the contract, damages claims by a counterparty, etc.
As a rule, the GDPR is enforced not only through inspections carried out by the European data protection authorities, but also thanks to the proactive stance of civil society, for instance, complaints filed with the authorities by customers (including potential ones), dissatisfied employees or associations, as well as reports in the mass media (e.g. publications by investigative journalists), etc. Thus, it is quite likely that any violation of the GDPR will be revealed sooner or later.
In addition, the EU has a number of tools to enforce the GDPR in the territory of non-EU countries, inter alia mutual legal assistance treaties with various countries.
Our recommendations
We recommend that companies, including those based in non-EU countries:
conduct an audit of the company’s business processes in order to identify whether the personal data processed by the company, as well as its processing activities, are covered by the extraterritorial reach of the GDPR;
if so, ensure compliance with the GDPR, inter alia, by developing all necessary documents and procedures.