Disclaimer: I’m a Software Engineer who has spent a bunch of time working on issues relating to the GDPR from a systems design/security/process point of view. I’m definitely not a lawyer so this is my perspective and not legal advice. If you want legal advice, get a lawyer.
Question: How does the GDPR cover my data processing of EU resident personal data if I’m not an EU organisation?
The General Data Protection Regulation (GDPR) protects the personal data of EU residents who are in the EU. This regulation comes into effect 25th May 2018 (see Article 51/Paragraph 4) and has been designed to bring personal data protection up to date as the previous directive (Directive 95/46/EC) was adopted in 1995 and had fallen well behind in being able to cover modern day data protection issues.
The GDPR unambiguously covers all processing of personal data of “data subjects” (defined as natural persons) who are EU residents by organisations and people who are in the EU. However the regulation also protects EU residents when using non-EU services in certain cases.
For service providers outside the EU this means:
- Processing personal data of “data subjectsâ€/“natural persons†who are outside of the EU is not covered by the GDPR. For example EU residents on a trip entering details to a database of visitors including personal data is not covered by the GDPR as they were not in the EU at the time the data was gathered.
- Processing personal data of “data subjects†who are in the EU when they are using the service (where the processor is not in the EU) is covered if the service is specifically targeted towards EU residents (not just that the service happened to be used by an EU resident ) but also if the service monitors personal data (on an ongoing basis) if an EU resident. This includes data like location, device IDs and IP addresses so unless this data is not stored in the first place the GDPR may apply.
- Critically Recital (24) refers to “potential subsequent use of personal data†so it’s not enough that the IP addresses are not used now, if they are stored then they potentially may be used later.
- Once the GDPR applies normal provisions apply – so for instance storing and processing IP addresses for the purposes of security monitoring is clearly allowed (Recital (49) covers “ensuring network and information securityâ€) but the data is still personal data and so required adequate protection (Recital (83), Article (32)).
Extracts from the GDPR
The following extracts from the GDPR cover the issues discussed above – I have used bold text to highlight specific parts.
Recital (23)
In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
Recital (24)
The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
Article 3. Territorial scope
(1) This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
(2) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
(3) This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Article 4. Definitions
For the purposes of this Regulation:
(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;