Mon, Oct
58 New Articles

Extraterritorial Application of GDPR – Should You Be Ready for May 25?

Extraterritorial Application of GDPR – Should You Be Ready for May 25?


EU’s General Data Protection Regulative (GDPR) comes into force on May 25.

As many EU-based personal data handlers count down the days until GDPR becomes effective hoping for the best, a burning question for non-EU personal data handlers remains – ‘does GDPR apply to my business or not’?

The stakes are pretty high, bearing in mind the draconian punishments GDPR prescribes for the breach of its provisions. That is why figuring out its extraterritorial application is crucial for non-EU entities.

As per GDPR, it is applicable 1) on personal data controllers/processors established in EU, regardless of whether the processing takes place in the EU or not (territorial application); 2) on personal data controllers/processors not established in the EU when processing the EU citizens’ personal data, as long as the processing activates relate to either a) offering of goods or services, irrespective of whether a payment of the data subject is required; or b) monitoring behavior of EU citizens, as far as their behavior takes place within the EU (extraterritorial application).

The latter can cause a lot of confusion when it comes to its practical application. What does extraterritorial application of GDPR actually mean in practice and how can one easily ascertain whether it is subject to GDPR?

According to Article 29 Working Party’s GDPR General Information Document, in order for GDPR to be applicable to a non-EU entity, it is necessary for such entity to target EU citizens in a way that it offers them goods and services proactively, i.e. to monitor EU citizens’ behavior taking place in EU and making decisions based on such monitoring results.

For example, if a Serbian company owns a website on German language on which it offers goods with the possibility to order it using German language and pay in EUR, accepts the offers of EU citizen’s and deliver its goods to them, than it is safe to conclude that such Serbian company targets Germans/Austrians, i.e. EU citizens, therefore, such company is subject to GDPR.

In order to consider a non-EU entity to be offering goods and services to EU citizens, it should be obvious that such entity targets the EU citizens in order to offer them goods and services. When it comes to monitoring of EU citizens’ behavior as the other case of extraterritorial application, monitoring of their behavior happening in EU needs to exist, meaning, a non-EU data handler needs to perform tracking and profiling of EU citizen, online, for example, so it can predict their behavior and make decisions based on such monitoring.

Therefore, it can be argued that simply processing EU citizens’ personal data without the elements of offering goods/services, targeting and monitoring, does not qualify a non-EU entity as a subject to GDPR, especially given that it is safe to assume that a vast number of non-EU entities may have EU citizen’s personal data in their data bases for many other reasons.

Regardless of whether a Serbian company qualifies as a GDPR subject, it is hard to imagine any negative effects a company may have if it becomes GDPR-compliant, even it doesn’t have to. For example, a company can be considered a more desirable partner if it is GDPR –compliant, and for Serbian entities, GDPR compliance process pretty much means being compliant with the new Serbian Data Protection Act, which draft greatly relies on GDPR and is expected to come into force in near future.

By Milos Velimirovic, Partner, Dunja Tasic, Senior Associate, Samardzic, Oreski & Grbovic (SOG) 

Serbia Knowledge Partner

Who we are

Karanovic & Partners is a regional legal practice in Southeast Europe with tradition spanning two decades and cooperating offices in Serbia, Croatia, Slovenia, Montenegro, Macedonia and Bosnia & Herzegovina. With more than 100 attorneys at law cooperating across the region, we take pride in our work, dedication and understanding of our clients' industries and needs.

What we do

We work with some of the most respected and reputable businesses in the world, banks, as well as governments, state-owned entities, startups and NGOs. We see our clients as long-term partners.

We focus on straightforward solutions and tailor-made advice. Lawyers cooperating with us are fully immersed in our clients’ culture and industry to ensure that the work is delivered intelligently and reliably.

What sets us apart?

In our company culture, excellence is a must. We are reliable, adaptive and fast.

Karanovic & Partners operates under the “one team” principle, combining our regional reach and local know-how to deliver coordinated legal advice necessary for achieving our clients’ goals.

All News about, and Legal Analysis by, Karanovic & Partners can be found here.

Firm's website: https://www.karanovicpartners.com/


Our Latest Issue