Read the book: Privacy and Data Protection based on the GDPR - Leo Besemer - Page 51

1.3.3.2 Targeting criterion

The absence of an establishment in the Union does not necessarily imply that a controller or processor established in a non-EEA country is excluded from the scope of the GDPR:

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behavior as far as their behavior takes place within the Union.

GDPR Article 3(2)

The GDPR applies to processing related to trade (“the offering of goods or services”) and to the “monitoring of behavior” of persons who are in the European Union, but not in all cases. The company must have a clear intention to offer its products or services to individuals within the EU. The mere fact that the website is available in one or more European languages is not sufficient.

This has far-reaching consequences:

Example: A large Canadian online book store has websites in English, French, German and Spanish. The company advertises in European countries and offers 24/7 telephone customer services in those languages; customers can use a national phone number in a number of EU countries to contact the sales department.

An Argentinean citizen who happens to be visiting Paris (France) orders some books. Though the customer is not an EU resident and the company is not European, the processing needed for the transaction and delivery would be subject to the GDPR. The Canadian store should, being a controller according to the GDPR, have appointed a representative in the EU.

Example: A large Canadian online book store has websites in English, French and Spanish. The company advertises mainly in North and South America. An Argentinean citizen who is a regular customer and happens to be visiting Paris (France) orders some books. Processing in connection with this purchase would not be subject to the GDPR.

The fact that the books must be delivered in France is not enough to conclude that the company intends to do business in Europe. And indeed, if the Argentinean citizen orders e-books only, the Canadian online book store would not even know where the actual delivery takes place.

Note that the GDPR relates to “data subjects who are in the Union”. In the literature this is often reformulated as “residents of the EEA”, which is incorrect. “Resident” implies that you live somewhere on a long-term basis.

As in the first case of the Argentinean citizen visiting Paris, the fact that the website targets the EU market and that the Argentinean citizen is within the borders of the EEA are enough. You do not have to be a European resident to have your personal data protected by the GDPR.
