Data processors with no presence in the EU are exempt from the GDPR — in some cases. But they can easily get tripped up in others, judging by a guidance issued by the EU late last year and highlighted this week by JD Supra.
The language in the document would not be easy to parse for an IT manager running an email processing operation. Short of hiring a lawyer, the person would have to grasp the nuances of whether the firm has a “stable arrangement” in the EU (meaning that it is governed by the GDPR), and whether it is targeting EU citizens and residents (ditto).
Here are 15 tests to determine whether the GDPR applies to you (minus the legal analysis).
1. A U.S. car manufacturer has an office in Brussels to oversee its marketing and other operations in Europe. This is considered a “stable arrangement,” and the firm is subject to the GDPR.
2. A Chinese-owned ecommerce site opens an office in Berlin to direct campaigns in EU markets. It, too, must comply with the GDPR.
3. A South African-owned hotel and resort chain offers package deals in the English, French and Spanish languages, but does not have a “stable arrangement” in the EU, so it is not subject to the GDPR.
4. A French company is offering a car-sharing application to customers in Morocco, Algeria and Tunisia. The service is only available in those countries, but data processing is conducted in France. The company is a data controller within the EU and must follow the GDPR.
5. A pharmaceutical firm headquartered in Stockholm conducts all data-processing activities related to its clinical trial data in Singapore. This processing is done in the context of its activities in Stockholm, so the firm is deemed a data controller in the EU and must obey the GDPR.
6. A Finnish research institute conducts research on Russia’s Sami people, using a processor in Canada. While the GDPR does not apply to the Canadian provider, the Finnish controller is required by the GDPR to only use processors that prove sufficient guarantees.
7. A Spanish firm processes customer data for a Mexican retailer that exclusively serves the Mexican market. But the processor is based in Europe and must heed the GDPR.
8. A U.S. start-up provides a city-mapping app for tourists. It offers services to individuals in the EU, and will face GDPR penalties if fails to live up to its standards.
9. A U.S. citizen traveling in Europe downloads a news app offered by a U.S. company. The app is offered only in the U.S. market, so the collection so processing of the person’s data is not covered by the GDPR.
10. A Taiwan bank has customers who reside in the country but hold German citizenship. The bank operates only in Taiwan and is not active in the EU market. Processing of data on the German customers is free of the GDPR.
11. The Canadian immigration authority processes the personal data of EU citizens when they enter the country. This processing does not fall under the GDPR.
12. A Turkish website creates and prints family personalized photo albums. The website is available in four European languages, and the albums can be shipped to six EU member states. The Turkish firm is ruled by the GDPR, and it must appoint an EU representative.
13. A Swiss university provides an online platform where candidates for its Masters program can upload their credentials. They are required to speak German and English. There is no advertising directed at these applicants, so the processing is not subject to GDPR. However, the school also offers summer courses, and the related processing does fall under the GDPR.
14. A U.S. marketing company advises a French shopping center on retail layout, based on WiFi tracking and analysis of consumer movements in the store. The U.S. firm is monitoring behavior, so the GDPR prevails in this case. Moreover, the firm will have to designate a representative in the EU.
15. A German ship sailing in international waters processes guest data so it can offer tailored in-cruise entertainment. The fact that it is a German-registered vessel means it is governed by the GDPR.
Here is one last point: The GDPR protects data not only on EU citizens but on anyone who happens to live there.