
GDPR outside of the EU/UK

Simon Hinks explains what businesses beyond Europe need to be doing with regard to the General Data Protection Regulation

Over the past couple of weeks, I’ve discovered that many businesses outside of Europe have very little knowledge of the impact of GDPR on their global markets. So, I thought this week we would look at what those businesses abroad should be doing if they are selling products and services to EU citizens and companies.

Processing in the context of the activities of a European establishment

GDPR makes it clear that the processing of personal data in the context of the activities of an establishment in the EU will be caught by the law regardless of whether the processing takes place inside or outside the EU.  This will impact corporate groups that have operations in both Europe and outside of Europe. The data subjects do not need to be resident in the EU for this provision to apply.

Offering goods or services to EU-based data subjects

By way of example, a Dubai hotel operator promoting offers to European businesses and taking bookings in Euros via its website would almost certainly be deemed to be offering its products to EU data subjects.  The GDPR would apply to its processing of personal data (including names, addresses and payment details) of European visitors.

Monitoring the behaviour of EU-based data subjects

A wide range of automated analytical techniques may be caught within the ambit of "monitoring" for these purposes. This includes the use of cookies, logging IP addresses or obtaining location data via a mobile app. Retailers outside of Europe – such as airlines, hotels and others in the hospitality industry – should be particularly aware that the use of such online marketing or monitoring practices may create an additional burden if they are being used to profile European customers.

Appointment of a representative

Any business outside the EU must appoint a representative in the EU for the purposes of the GDPR. Such a representative should act on behalf of the non-EU entity and may be addressed by any European supervisory authority. 

The representative must be located in one of the European countries of the individuals who are offered products or subject to behavioural monitoring.

Next steps for organisations outside of Europe

All organisations outside of Europe with any connection to Europe – whether through customers, affiliates or business partners – should be considering the potential impact of the GDPR.  Other businesses outside of Europe could adopt a level of self-regulation where customer demand or organisational requirements mean that the GDPR is adopted as the de facto standard for data processing around the world.
