EU GDPR : Selling goods and services in the EU
Does the EU GDPR still apply if you are selling goods and services in the EU?
Application of the EU GDPR and UK GDPR
On 1 January 2021, the end of the Brexit transition period, the UK GDPR came into force and the EU GDPR ceased to be part of UK law. By now, organisations established in the UK should be familiar with their data protection obligations under the UK GDPR; however, the scope of the EU GDPR extends beyond the borders of the EU, and its extra-territorial provisions may still be significant for organisations established outside of the EU that sell to customers within the EU.
If a UK-based organisation is caught by the extra-territorial scope of the EU GDPR then it will be subject to both sets of regulations. Although much of the EU GDPR was mirrored within the UK GDPR, there are some important differences that organisations need to be aware of.
Extra-territorial scope of the EU GDPR
EU GDPR still applies where businesses process information about “data subjects in the Union” and such processing is related to the “offering of goods or services to such data subjects in the Union”, irrespective of whether the individuals are required to pay.
The European Data Protection Board (“EDPB”) has issued guidance with respect to determining whether the processing relates to (i) data subjects in the Union; and (ii) the offering of goods or services to data subjects in the Union.
(i) Data subjects in the Union : Whether the processing relates to “data subjects who are in the Union” is assessed by reference to the moment when the relevant trigger activity takes place, i.e. the moment of offering the goods or services. This criterion is not limited by citizenship or residence; it merely considers whether the individuals are located within the Union at the time the transaction takes place.
(ii) The offering of goods or services to data subjects in the Union : Determining whether the processing relates to “data subjects who are in the Union” is relatively simple. The next step is to determine whether the processing relates to the offering of goods or services to data subjects in the Union. This will only be the case where there has been some “targeting” of such data subjects.
In order for EU GDPR to apply, there must be a demonstrated intention by the organisation to offer the goods or services to a data subject located in the Union, i.e. whether it is apparent that they envisage offering the goods or services to those data subjects.
The Court of Justice of the EU has held that, in order to determine whether an organisation is ‘directing’ activity to the Union, it must have manifested an intention to establish commercial relations with such consumers. Accordingly, some factors to consider are:
- The EU or at least one Member State is designated by name with reference to the good or service offered.
- The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union; or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience.
- The international nature of the activity at issue, such as certain tourist activities.
- The mention of dedicated addresses or phone numbers to be reached from an EU country.
- The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”.
- The description of travel instructions from one or more other EU Member States to the place where the service is provided.
- The mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers.
- The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member States; and
- The data controller offers delivery of goods in EU Member States (together, the “CJEU Factors”).
The EDPB Guidance makes clear that several of the elements listed above, if taken alone, may not amount to a clear indication of the intention of a data controller to offer goods or services to data subjects in the Union. However, they should each be taken into account in any overall analysis, in order to determine whether the combination of factors relating to the data controller’s commercial activities can together be considered an offer of goods or services directed at data subjects in the Union.
Our website can be accessed by users in the EU, does that mean the EU GDPR applies?
Organisations should consider whether they have directed their goods or services towards data subjects in the EU, particularly in light of the CJEU Factors above. A holistic analysis should be taken to determine whether you are caught by the extra-territorial provisions.
It should, however, be underlined that the mere accessibility of a controller’s, processor’s or intermediary’s website in the Union is insufficient to establish an intention to offer goods or services to data subjects in the Union. This is set out within the EU GDPR itself in its recitals and confirmed by the guidance given by the EDPB. Where the goods or services are inadvertently or incidentally provided to a person in the territory of the Union, the related processing of personal data does not fall within the extra-territorial scope of the EU GDPR.
If the EU GDPR applies to organisations not established in the EU, what do they need to do?
Although much of the EU GDPR was mirrored within the UK GDPR, there are some important differences that organisations need to be aware of to ensure compliance with the EU GDPR. Two such differences are in respect of international transfers and the requirement to appoint a representative in the EU.
As UK and EU data protection legislation diverges, one crucial aspect to be alert to is the different requirements in respect of international transfers of personal data to third countries. This may, for example, be due to differing adequacy statuses of the third country recipients or the form of acceptable data protection safeguards and risk assessments required on such transfers.
In addition, the EU GDPR requires companies to appoint a representative in the EU if they are based outside of the EU and are caught by its extra-territorial provisions. This is known as an “Article 27” representative. The representative must be based in one of the Member States where the data subjects are located and must act as a point of contact for the data protection authorities in the EU. There are many organisations that can offer this as a service for a fee.
If you would like to discuss this blog or any other commercial contract query, please contact a member of the Commercial team and we will be delighted to assist you.