TERRITORIAL SCOPE OF GDPR

30 July 2018

Territorial Scope of GDPR

A common scenario involves country-level sites managed by a central team with some in the EU, and some outside. 

The question is, will all the sites be in scope of GDPR as EU visitors may access any of the sites while visiting those countries?

Article 3 covers Territorial Scope and is qualified by Recital 14 which states: “The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.”

Article 3 goes on to state that "This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law."

Therefore, Article 3 would suggest that it does fall in scope of GDPR. When some sites are in EU and EU visitors may access any of the sites, they should be assumed to be in scope. A key question when deciding scope for GDPR and global web sites is whether the sites encourage EU visitors, by offering European languages, Euro payments, etc. If not, then it is arguably not within scope.

A common misconception remains that GDPR is about EU citizens. It is not. For example, an EU citizen travelling to New York has no protections of their personal data from GDPR while they are in the USA. GDPR only affects natural persons in the geographic scope of the EU and EEA, including US tourists, visitors, asylum-seekers etc. GDPR is not concerned with EU citizens and in fact the word "citizen(s)" does not even appear in the regulation. It does, however, continually refer to "data subjects IN the Union" and makes it very clear that the determination is by location, not by citizenship.

How can we help you?

To find how our friendly and knowledgeable solicitors can help you, contact us today.

Make a free enquiry - Call now - 0151 659 1070