Does the EU General Data Protection Regulation (GDPR) apply to my brand? This is a question with which many U.S.-based franchisors have been grappling since the GDPR took effect on May 25th, 2018. Six months later, the European Data Protection Board (EDPB) has issued, for public comment, guidelines on the territorial scope of GDPR.
Below is a breakdown of the major questions and takeaways for US-based franchisors:
Do you have an ‘establishment in the Union’?
- You could be deemed to have an establishment in the Union (and subject to GDPR) even if you do not have a branch, subsidiary, or franchisee in an EU member state.
- Any real and effective activity, even a minimal one, could satisfy the notion of establishment for the purpose of Article 3(1) jurisdiction; even, in some cases, the presence of a single employee.
- However, just having a website accessible from Europe is not enough.
(If you have an EU establishment) Is your data processing carried out ‘in the context of its activities’?
- GDPR will apply to your data processing if there is an inextricable link between the activities of an EU establishment and the processing of data carried out by you (a non-EU entity).
- As non-EU controller, you will not become subject to GDPR simply because you chose to use a processor (a service provider carrying out the data controller’s instructions) in the Union.
- If you are a controller subject to GDPR and you choose to use a processor located outside the Union and not subject to the GDPR, you will need to ensure by contract that the processor processes your data in accordance with the GDPR.
If you do not have an establishment in the EU ̶ do you offer products or services to individuals in the EU? (Article 3(2))?
- “In the EU” means physically located in the EU at the time of the offering of goods or services (or the monitoring of behavior; see below). It does not mean citizenship or residence.
- Does the processing relate to (1) the offering of goods or services or (2) to the monitoring of data subjects’ behavior in the Union?
(1) Do you offer Goods or Services?
- In order to fall in scope, you need to manifest your intention to establish commercial relations with consumers in the EU. For this, the EDPB uses the concept of “directing an activity” to the EU market, developed in case law by the Court of Justice of the EU (CJEU) with respect to jurisdictional matters. Payment for the services, however, is not required.
- Some non-exhaustive factors, taken possibly in combination with one another, include:
- mentioning dedicated addresses or phone numbers to be reached from an EU country
- marketing and advertisement campaigns directed at an EU country audience
- using an EU or member state top-level domain name
- mentioning customers domiciled in various EU member states, including client testimonials
- using an EU language or an EU currency
- offering the delivery of goods in EU member states.
(2) Do you monitor behavior of individuals in the EU?
- Monitoring can be done both on the internet and through other types of networks or technology involving personal data processing, for example through wearable and other smart devices.
- Monitoring activities include:
- geo-localization activities, in particular for marketing purpose
- personalized diet and health analytics services online
- market surveys and other behavioral studies based on individual profiles, including behavioral advertising
- monitoring or regular reporting on an individual’s health status
Do you need to appoint a representative in the Union?
If you are a non-EU controller or processor that is subject to GDPR, you are required to appoint a representative in the Union, unless an exception applies. Local representatives may be held liable for the non-EU entity’s breaches and may be subject to administrative fines and penalties.
If you are not a public authority, you are obligated to appoint a representative unless your processing is “occasional” and “does not include, on a large scale, processing of special categories of data….or processing of personal data relating to criminal convictions and offences…”, and such processing “is unlikely to result in a risk to the rights and freedoms of natural persons.” The EDPB does not elaborate on these and refers to criteria listed in the WP29 guidance on DPOs for the definition of “large scale processing” (e.g. factors like the number of data subjects concerned; the volume of data and/or the range of different data items being processed; the duration, or permanence, of the data processing activity; the geographical extent of the processing activity.
The appointed representative should be established in one of the member states where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behavior is monitored, are located.
Odia Kagan is a Partner and Chair of GDPR Compliance and International Privacy at Fox Rothschild LLP, a full-service national law firm with 900+ attorneys in 27 offices coast-to-coast. Odia has assisted more than 80 companies, from U.S.-based multinationals to startups, on their path to compliance with the EU General Data Protection Regulation (GDPR).