GDPR Outside The EU – Are You Ready for May 25th?

May 03, 2018

Miloš Velimirović

Partner

Dunja Tašić

Senior Associate

The EU’s General Data Protection Regulation (GDPR) comes into force on May 25th. As many EU-based personal data handlers count down the days until GDPR becomes effective, hoping for the best, a burning question for non-EU personal data handlers remains: ‘Does GDPR apply to my business or not?’ The stakes are pretty high, bearing in mind the draconian punishments GDPR prescribes for the breach of its provisions. That is why figuring out its extraterritorial application is crucial for non-EU entities.

Where is GDPR applicable?

1) to personal data controllers/processors established in the EU, regardless of whether the processing takes place in the EU or not (territorial application);

2) to personal data controllers/processors not established in the EU, when processing EU citizens’ personal data, as long as the processing activities relate to either

  a) offering of goods or services, irrespective of whether a payment of the data subject is required; or
  b) monitoring the behavior of EU citizens, as far as their behavior takes place within the EU (extraterritorial application).

The latter can cause a lot of confusion when it comes to its practical application.

What does the extraterritorial application of GDPR actually mean in practice, and how can an entity easily ascertain whether it is subject to the data protection Act?

According to the Article 29 Working Party GDPR General Information Document, in order for GDPR to be applicable to a non-EU entity, it is necessary for such an entity to target EU citizens by proactively offering them goods and services, or to monitor EU citizens’ behavior taking place in the EU and make decisions based on such monitoring results.

As an example, if a Serbian company owns a website written in the German language on which:

  • Offers goods with the possibility to order them using the German language,
  • Offers options of payment in EUR,
  • Accepts the offers from EU citizens and
  • Delivers the goods to them,

then it is safe to conclude that such a Serbian company targets Germans/Austrians, i.e. EU citizens, and is therefore subject to GDPR.

In order to consider a non-EU entity to be offering goods and services to EU citizens, it should be obvious that such an entity targets EU citizens in order to offer them goods and services. When it comes to monitoring of EU citizens’ behavior as the other case of extraterritorial application, monitoring of their behavior happening in the EU needs to exist, meaning that a non-EU data handler needs to perform online tracking and profiling of EU citizens (for example, through the usage of web cookies and similar), so it can predict their behavior and make decisions based on such monitoring.

Therefore, it can be argued that simply processing EU citizens’ personal data without the elements of offering goods/services, targeting and monitoring does not qualify a non-EU entity as a subject to GDPR, especially given that it is safe to assume that a vast number of non-EU entities may have EU citizens’ personal data in their databases for many other reasons.

Regardless of whether a Serbian company qualifies as a GDPR subject, it is hard to imagine any negative effects a company may have if it becomes GDPR-compliant, even if it doesn’t have to. For example, a company can be considered a more desirable partner if it is GDPR-compliant, and for Serbian entities, the GDPR compliance process pretty much means being compliant with the new Serbian Data Protection Act, the draft of which greatly relies on GDPR and is expected to come into force in the near future.

Note: This blog post does not represent official legal advice given by SOG or its affiliates – it is a form of commentary regarding the GDPR interpretation of Article 29 Working Group.

For more legal information on applications of GDPR for your business, feel free to contact:

Miloš Velimirović, Partner
milos.velimirovic@sog.rs

 
