What is GDPR and does it concern you?

The General Data Protection Regulation (GDPR) came into force in May 2018, after a long process of harmonization and adoption of the final version of the text (2012-2016). Considering that the wording of GDPR is very broad and subject to different interpretations, the European Data Protection Board has published Guidelines to clarify, inter alia, in which cases the GDPR applies to companies headquartered outside the EU. The Guidelines clarify that the GDPR pertains to:

  • offering goods or services to persons physically located in the EU,
  • monitoring the behavior of persons in the EU, provided that their behavior takes place within the Union.

The European Data Protection Board dispels two common misconceptions:

– that the GDPR only applies to controllers and processors established in the European Union,

– that the GDPR always applies to controllers or processors who process data of citizens of one of the Member States of the European Union.

The fact that a controller or processor based in Serbia processes data of citizens of the EU member states does not mean the automatic application of the GDPR.

For the General Regulation to apply to controllers and processors based outside the EU, it does not matter whether the data processing concerns data subjects who hold citizenship of, or a permit for temporary or permanent residence in, one of the Member States of the European Union. What matters is that the persons whose data is processed are physically in the European Union at the time the goods or services are offered or at the time their behavior is monitored, regardless of the duration of these actions and regardless of whether these persons paid for those goods or services.

In other words, processing data in order to offer goods or services, even without a final purchase of those goods or payment for those services, is sufficient for the GDPR, and the rigorous sanctions it prescribes, to apply.

On the other hand, the mere processing of personal data of persons located in the Union is not sufficient for the provisions of the GDPR to apply to controllers or processors based outside the EU; it is also necessary that the purpose of the processing is to offer goods or services to these persons or to monitor their behavior within the Union.

In its Guidelines, the European Data Protection Board has set out indicators that the data of these persons is processed precisely for these purposes, and has established them as criteria for controllers and processors; where several of these criteria are met, the GDPR applies.

The criteria apply to data processors and/or data controllers:

  • that are offering the delivery of goods to the EU
  • whose websites are available in the EU
  • that mention an EU Member State in the context of offering goods and services
  • who provide travel instructions (where the good restaurants and shops for travelers are) in the EU country where these services are provided
  • who provide guidance on their website in a language used in the EU which is not used in the domicile country (e.g. instructions given in Serbian and English in Serbia)
  • when they allow paying for goods and services on their website in currencies used in the EU, which are not used in the domicile country (Serbian website that offers payment in both EUR and RSD)
  • when the offer available on the site mentions customers or users who are in the EU
  • whose advertisements are aimed at EU buyers
  • that offer tourist activities in the EU
  • that mention on their website the addresses and phone numbers available in/for the EU
  • who use a domain that is different from the domain of the domicile state

On the other hand, the processing of personal data of EU citizens employed by a company in Serbia for the purpose of wage settlement is not considered data processing for the purpose of offering goods or services, and therefore the provisions of the GDPR do not apply to this company.

When it comes to processing for the purpose of monitoring the behavior of persons within the EU, it is important to note that monitoring refers to monitoring persons via the Internet, i.e., profiling them in order to analyze or predict their personal preferences, behaviors and attitudes.

Accordingly, monitoring can take the form of:

  • advertising based on the behavior of persons,
  • monitoring of the geo-location for marketing purposes,
  • online tracking through the use of cookies or through device fingerprinting,
  • personalized analysis of a person's health or diet via the Internet,
  • video surveillance via camera,
  • market research and other behavioral studies based on personal behavioral profiles.

Again, the criteria are observed together (in order to indicate that the target group is within the EU), not individually.

What matters for data controllers/processors in Serbia is to follow the procedures of the General Data Protection Regulation, in order to avoid penalties, if they process data of persons who are physically in the EU in order to offer them goods or services (regardless of whether those persons pay for the goods or services) or to monitor their conduct, provided that the conduct takes place within the Union.

According to the GDPR, it is necessary to designate a person (natural or legal) who will act in your name and on your behalf as your representative in the European Union and enable you to comply with the provisions of the GDPR. The representative's details must be available to the data subjects (e.g., they may be specified in the privacy policy), and the registered seat of the representative should be in the Member State where the data subjects are located.

For further clarification, relevant examples are taken from the above-mentioned Guidelines 3/18 on the territorial scope of the GDPR (Article 3).

Page 15, Example No. 9, illustrates the application of the Regulation to all persons within the EU:

"A start-up established in the USA, without any business presence or establishment in the EU, provides a city-mapping application for tourists. The application processes personal data concerning the location of customers using the app (the data subjects) once they start using the application in the city they visit, in order to offer targeted advertisement for places to visit, restaurants, bars and hotels. The application is available for tourists while they visit New York, San Francisco, Toronto, London, Paris and Rome.

The US startup, via its city mapping application, is offering services to individuals in the Union (specifically in London, Paris and Rome). The processing of the EU-located data subjects' personal data in connection with the offering of the service falls within the scope of the GDPR as per Article 3(2)."

The European Data Protection Board also cites an example, in example no. 15, page 18, where a controller or processor based outside the European Union is considered to process personal data of persons in the EU in order to monitor their behavior within the Union:

"A retail consultancy company established in the US provides advice on retail layout to a shopping centre in France, based on an analysis of customers' movements throughout the centre collected through Wi-Fi tracking. The analysis of customers' movements within the centre through Wi-Fi tracking will amount to the monitoring of individuals' behaviour. In this case, the data subjects' behaviour takes place in the Union since the shopping centre is located in France. The consultancy company, as a data controller, is therefore subject to the GDPR in respect of the processing of this data for this purpose as per its Article 3(2)(b)."

In accordance with Article 27, the data controller will have to designate a representative in the Union.

In light of all of the above, it is clear that, in the coming years, the GDPR will bring many more cases in which the processing of personal data will require special attention in each specific instance.