Yes, because the GDPR expressly applies to businesses throughout the world in specific instances. If a business controls or processes personal data but has no EU presence of its own, it will be within the GDPR’s scope if it does either or both of the following: (1) offers goods or services to people within the EU or (2) monitors their behavior within the EU. Here’s the specific wording of GDPR Article 3:
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
This language limits the extraterritorial reach of the GDPR but leaves a lot of questions. Does a website that does not specifically aim at EU consumers qualify as offering goods or services? What does it mean to “monitor … behaviour”?
How does a non-EU business know if it must comply with the GDPR? And what specific things are required if the answer is yes? This podcast explores these questions, detailing the specific activities that require a non-EU business to comply with this EU regulation.
Merely having a globally visible website is not enough. But what then requires compliance with GDPR? Tune into this podcast for an exploration of the GDPR’s reach beyond EU borders. Consider how a data inventory and data map are first steps to determine how a non-EU business can deal with the GDPR and comply with its requirements.
For more information, please contact Joe Dehner or any other attorney in Frost Brown Todd’s Privacy and Information Security Law Industry Group.