GDPR Outside The EU – Are You Ready for May 25th?

May 03, 2018


Miloš Velimirović



Dunja Tašić


Senior Associate

The EU’s General Data Protection Regulation (GDPR) comes into force on May 25th. As many EU-based personal data handlers count down the days until GDPR becomes effective, hoping for the best, a burning question for non-EU personal data handlers remains: ‘Does GDPR apply to my business or not?’ The stakes are pretty high, bearing in mind the draconian punishments GDPR prescribes for breaches of its provisions. That is why figuring out its extraterritorial application is crucial for non-EU entities.

Where is GDPR applicable?

1) to personal data controllers/processors established in the EU, regardless of whether the processing takes place in the EU or not (territorial application);

2) to personal data controllers/processors not established in the EU, when processing EU citizens’ personal data, as long as the processing activities relate to either

  a) offering of goods or services, irrespective of whether a payment by the data subject is required; or
  b) monitoring the behavior of EU citizens, as far as their behavior takes place within the EU (extraterritorial application).

The latter can cause a lot of confusion when it comes to its practical application.

What does the extraterritorial application of GDPR actually mean in practice, and how can an entity easily ascertain whether it is subject to the data protection Act?

According to the Article 29 Working Party GDPR General Information Document, in order for GDPR to be applicable to a non-EU entity, it is necessary for such entity to target EU citizens in a way that it offers them goods and services proactively, i.e. to monitor EU citizens’ behavior taking place in the EU and make decisions based on such monitoring results.

As an example, if a Serbian company owns a website written in the German language on which it:

  • offers goods with the possibility to order them using the German language,
  • offers options of payment in EUR,
  • accepts the offers from EU citizens, and
  • delivers the goods to them,

then it is safe to conclude that such Serbian company targets Germans/Austrians, i.e. EU citizens, and therefore such company is subject to GDPR.

For a non-EU entity to be considered as offering goods and services to EU citizens, it should be obvious that the entity targets EU citizens in order to offer them goods and services. As for monitoring of EU citizens’ behavior, the other case of extraterritorial application, the monitored behavior must take place in the EU. This means a non-EU data handler needs to track and profile EU citizens online (for example, through the use of web cookies and similar), so it can predict their behavior and make decisions based on such monitoring.

Therefore, it can be argued that simply processing EU citizens’ personal data without the elements of offering goods/services, targeting and monitoring does not qualify a non-EU entity as subject to GDPR, especially given that it is safe to assume that a vast number of non-EU entities may have EU citizens’ personal data in their databases for many other reasons.

Regardless of whether a Serbian company qualifies as a GDPR subject, it is hard to imagine any negative effects a company may have if it becomes GDPR-compliant, even if it doesn’t have to. For example, a company can be considered a more desirable partner if it is GDPR-compliant, and for Serbian entities, the GDPR compliance process pretty much means being compliant with the new Serbian Data Protection Act, the draft of which greatly relies on GDPR and is expected to come into force in the near future.

Note: This blog post does not represent official legal advice given by SOG or its affiliates – it is a form of commentary regarding the GDPR interpretation of Article 29 Working Group.

For more legal information on applications of GDPR for your business, feel free to contact:

Miloš Velimirović, Partner


