The European Union (EU) General Data Protection Regulation (GDPR) does not apply only to businesses established in the EU. Businesses from all over the world, and in particular from the United Kingdom (UK), may fall within its scope when they process personal data of individuals in the EU. This article will help you determine whether your business is subject to the GDPR.
Before Brexit, the UK was part of the EU and therefore subject to EU law, including the EU General Data Protection Regulation (GDPR). With Brexit on 31 January 2020 and the expiry of the transition period on 31 December 2020, the UK left the EU and, with some exceptions, was no longer obliged to implement and comply with EU law. However, a body of EU law continues to apply in the UK as so-called retained EU law.
The GDPR itself was carried over as the UK GDPR and adapted in a few places to the circumstances of the UK. Accordingly, little has changed initially for UK companies, or for businesses offering services in the UK, with regard to data protection. However, the so-called Retained EU Law (Revocation and Reform) Bill proposes that, subject to some exceptions, most retained EU law will cease to apply at the end of 2023 under so-called sunset provisions. This includes the current implementation of data protection law.
UK companies should therefore establish now whether they will have to comply with the requirements of the EU GDPR after that deadline, in order to avoid fines and to maintain the protection of data subjects. The EU GDPR applies to a UK business on the basis of its own territorial-scope rules (Art. 3 GDPR), independently of what happens to the UK GDPR. Numerous obligations then have to be met, among them the obligation to keep records of processing activities (Art. 30 GDPR), to designate an EU representative (Art. 27 GDPR) and to grant data subjects access to their data (Art. 15 GDPR).
The European Data Protection Board (EDPB) clarified the scope of the GDPR for EU and non-EU businesses in its Guidelines 03/2018 on the territorial scope of the GDPR. The Guidelines also provide additional details regarding the role of the EU representative.
When do the GDPR provisions apply to UK businesses?
Whether the GDPR applies to a UK organisation without an establishment in the EU is determined by the so-called ‘targeting’ criterion in Art. 3(2) GDPR. It looks at the processing of personal data of data subjects who are in the EU and asks whether the processing activities are related to either of the following:
- offering them goods or services (these may be free of charge), or
- monitoring their behaviour within the EU.
The EDPB elaborated on these criteria in order to dispel some of the most common doubts:
Data subjects in the European Union
The GDPR applies to the processing of data of individuals who are physically in the EU. The criterion is not tied to EU citizenship, residence or any other legal status. As a rule, whether a data subject is in the EU should be assessed at the moment when the goods or services are offered, or when the behaviour is being monitored.
For instance, a UK-based company provides a geocaching application specifically for tourists visiting Berlin, Paris and Rome. Such an app would be regarded as offering a service to individuals in the EU, because it will be used by data subjects who are physically in the EU at the time.
Offering of goods or services to data subjects in the EU
The next element is whether the controller’s or processor’s conduct demonstrates an intention to ‘offer goods or services’ to individuals in the EU. This concept has already been addressed in EU law and case law and includes the provision of information society services. Payment for the goods or services is not a condition for the GDPR to apply. In addition to the examples given in Recital 23 GDPR, the EDPB states that the following circumstances should also be taken into consideration:
- The EU or at least one EU Member State is named with reference to the good or service offered.
- The data controller or processor pays a search engine operator for a web-referencing service, in order to facilitate access to its website for consumers in the EU.
- The controller or processor has launched marketing and advertisement campaigns directed at an EU Member State audience.
- The activity is international in nature, e.g., certain tourist offers.
- Dedicated addresses or phone numbers for an EU Member State are mentioned.
- A top-level domain name is used that is different from that of the third country in which the controller or processor is established, for example ‘.de’ or ‘.fr’, or a neutral top-level domain name such as ‘.eu’.
- Travel instructions from one or more EU Member States to the place of service provision are given.
- An international clientele consisting of customers located in various EU Member States is mentioned, in particular by displaying written accounts from such customers.
- A language or currency is used that is not generally used in the service provider’s country, especially a language or currency of one or more EU Member States.
- The data controller offers the delivery of goods in the EU.
A single indicator from the list above is not necessarily sufficient evidence of an intention to establish a commercial relationship with data subjects in the EU. However, if several of these indicators apply to the (planned) processing, it should be analysed further, on a case-by-case basis, to what extent there is such a relationship that makes the GDPR applicable.
Monitoring of data subjects’ behaviour
Monitoring the behaviour of individuals in the EU falls within the scope of the GDPR as far as the behaviour being monitored takes place within the EU.
Although ‘monitoring’ implies that the controller has a specific purpose in collecting and using the behavioural data, the EDPB does not automatically regard every online collection or analysis of data as monitoring. Whether ‘monitoring’ has occurred depends on the controller’s purpose, on any subsequent behavioural analysis and on the profiling techniques used.
Examples of monitoring are behavioural advertisement, geo-localization activities, online tracking through cookies or other tracking techniques, personalised diet and health analytics services online, CCTV, market surveys and regular reporting on an individual’s health.
When does the GDPR not apply?
Merely processing data of individuals in the EU is not enough to trigger GDPR obligations. There must also be an element of ‘targeting’. For example, the GDPR will not apply to a UK citizen who downloads an app during a holiday in Italy, provided that the app is aimed only at the UK market.
Since the application of the GDPR is not based on EU citizenship either, targeting EU citizens in a non-EU country falls outside its scope. The EDPB gives the example of a Taiwanese bank whose customers are German citizens resident in Taiwan. Since the bank is active solely in Taiwan and its activities are not directed at the European market, the bank is not subject to the GDPR with respect to these activities.
According to the EDPB, the GDPR also does not apply where a non-EU company processes personal data solely for its own HR purposes (e.g., HR management or salary payment), because such HR processing does not take place in the context of offering goods or services to the data subjects.
Finally, the online collection or analysis of personal data of individuals in the EU is not automatically considered monitoring. The purpose of the processing, the profiling techniques used and any subsequent analysis must always be taken into account.
Additional regulations for non-EU businesses
The one-stop-shop mechanism allows companies established in the EU to deal primarily with a single lead supervisory authority, namely that of the Member State in which the company’s main establishment is located. The Guidelines state clearly that controllers and processors without an establishment in the EU cannot benefit from the one-stop-shop mechanism; they may have to deal with the supervisory authority of every Member State in which they are active.
Compliance with the domestic provisions of EU Member States
UK companies must also keep in mind that, in addition to the GDPR, they are often obliged to comply with the national data protection laws of particular EU Member States, since the GDPR leaves room for national provisions in a number of areas. Most differences in domestic legislation concern the following areas:
- the age at which a child can give valid consent (Art. 8 GDPR),
- special categories of data (Art. 9 GDPR),
- restrictions of data subjects’ rights (Art. 23 GDPR),
- freedom of expression and information,
- public access to official documents,
- national identification number,
- employment context,
- processing for archiving purposes in the public interest,
- scientific or historical research or statistical purposes,
- churches and religious affiliation.
Designation of an EU Representative
Private entities subject to Art. 3(2) GDPR must designate a representative in the EU, unless they fall under the exemption in Art. 27(2) GDPR: the processing is occasional, does not include, on a large scale, special categories of data or data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons.
Unfortunately, the EDPB did not revisit WP29’s interpretation of ‘occasional’ as meaning ‘not carried out regularly and occurring outside the regular course of business or activity’. Under that reading the exemption is narrow, so the majority of businesses will remain subject to this obligation.
Steps to take by UK businesses
The EDPB Guidelines provide helpful advice on the interpretation of Art. 3 GDPR. UK businesses should consider those criteria whenever they plan to process, or already process, personal data of data subjects in the EU, and must establish whether or not they need to comply with the GDPR.
If you are a UK business, you should first map your processing activities involving personal data and then check the criteria listed above on a case-by-case basis, i.e., per processing activity, to find out whether you meet the ‘targeting’ criterion. You should also take steps now to ensure that, even if the UK GDPR falls away under the sunset provisions, you continue to meet the requirements of the EU GDPR wherever its scope is open for you.
In this analysis, it is important to consider the GDPR’s definition of processing. Art. 4(2) GDPR covers not only the ‘typical’ processing operations of collection, recording and alteration, but also operations such as organisation, storage and erasure. If such operations target persons in the EU, even the mere storage of their data may require compliance with the GDPR and possibly the appointment of an EU representative.