In this two-part mini GDPR series, we'll discuss how non-EU companies are affected by the regulation. We consider geography not only in terms of where the companies themselves are based, but also in terms of the places in which they carry out their business. Since we started our series on GDPR last month, we have received questions from readers seeking clarification on some of the international implications that GDPR raises.
Non-EU companies with EU customers
So let's jump to our first hypothetical scenario: if you are a US-based company selling to EU companies, you obviously fall under GDPR. But what if you are a US company that is not selling to the EU, but is collecting analytics data on visitors located in the EU?
It is true that non-EU companies process personal data according to their local data protection regulations. However, there are specific situations in which non-EU companies must comply with GDPR requirements. This new requirement puts more pressure on teams to ensure that their website is secure.
In the following paragraphs, we will go through the rules in GDPR, in particular Article 3 of GDPR on territorial scope, and explain what each of them means in practice.
1) This regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the European Union or not.
According to case law, the term “establishment” should be interpreted broadly and flexibly. An organization is established if it exercises any real and effective activity—even a minimal one—through stable arrangements in the EU.
For example, if a company has a legal representative in the EU with a contact address or a bank account for the purposes of providing the company’s services, the data processing associated with the activities of this entity is subject to the requirements of GDPR. Another example is sales offices in the EU that promote or sell advertising or marketing targeting EU residents.
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
2) The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the European Union.
It must be apparent that the organization envisages that activities will be directed to EU data subjects. Examples: intentional use of an EU language/currency, ability to place orders in that language and references to EU users or customers, payment for marketing activities directed at EU users, EU phone numbers, EU top level domain names, etc.
3) The monitoring of data subjects' behavior as far as their behavior takes place within the European Union.
In particular in online business, if you are monitoring the behavior of users that takes place within the EU, you have to comply with the requirements of GDPR. This affects the use of different types of web analytics tools, as well as tracking for personalization purposes. It applies to website visits from users that are in the EU, regardless of whether they are EU citizens or not.
On the other hand, the rule is also often interpreted to mean that monitoring EU citizens who are, at the moment of the website visit, located outside of the EU is not subject to GDPR.
4) If you have a contract with a client from within the EU or a client applying GDPR.
This situation is for non-EU companies doing work for EU clients that includes personal data (email marketing, web analytics, data storage, etc.).
In this situation, you are in the position of a data processor and the client is a data controller. This means your relationship should be governed by the data processing contract under Article 28 of the GDPR and you are allowed to do only what is in the contract and must implement all measures stated there.
The data controller must comply with GDPR; therefore, the contract will require you to use methods and measures that are in accordance with GDPR. Indirectly, then, you need to be able to comply with GDPR.
To be more specific, the contract between you and your EU client should stipulate, among other things, that the processor:
- Processes the personal data only on documented instructions from the controller
- Takes all measures for data security purposes
- Taking into account the nature of the processing, assists the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of GDPR
- Assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of GDPR taking into account the nature of processing and the information available to the processor
Ensure GDPR compliance, wherever you are
In conclusion, every non-EU company will have to evaluate the specific details of its data processing activities and decide on the steps necessary to make sure its website follows the regulation. Checking that your CMS has up-to-date security measures, compliance tools, and data protection features is a crucial step in maintaining GDPR compliance and safeguarding user data.
Kentico supports GDPR compliance with built-in consent management, data protection tools, and SOC 2 Type II certification, helping businesses safeguard user data and meet evolving regulatory requirements, and making it easier to navigate security and regulation changes no matter your company's location.
Learn more about how Kentico can help you navigate security and prevent data breaches.
DISCLAIMER: All data and information provided in this blog post are for informational purposes only. Kentico makes no representations as to the accuracy, completeness, currentness, suitability, or validity of any information contained herein. We recommend consulting with a lawyer for any legal advice pertaining to GDPR compliance.