Following our recent webinar, Marketing for Consent: How to Make GDPR Compliance Work for You, one of the participants posted the following question:
“The webinar says that GDPR applies to location not citizenship. I’ve read otherwise. Can you clarify?”
The application of the GDPR is not based on citizenship — the very notion of businesses accessing the data that would be required to verify citizenship was too thorny for the fine folks of the EU Parliament to even consider.
But at the same time, to flatly say it’s just about location is an oversimplification.
And by the way, this is us making our best guess at interpreting the provisions of the GDPR and should in no way be construed as legal advice. When in doubt, seek legal counsel. Or do what we do — err on the side of compliance.
The relevant sections of the GDPR are quoted at the bottom of this post, if you’d like to see them, but basically, all transactions involving EU citizens who are located within the EU, doing business with companies also based in the EU, fall under the GDPR.
The confusion about citizenship vs. location arises when we talk about non-EU citizens located in the EU or EU citizens located outside the EU, and whether the product or service is being delivered within the EU or beyond its borders. Sorting out all the permutations can get a bit tricky.
Below are some examples that demonstrate the less-than-straightforward distinctions between citizenship and location.
The GDPR Does Apply:
- A US citizen on vacation in France orders dinner online from a Paris restaurant, for delivery to their hotel a few blocks away.
- Because the ‘data subject’ is in the EU, providing personal data for a product/service also delivered in the EU, the data subject’s citizenship is irrelevant. The GDPR applies.
- A US citizen living in France logs onto the website of a furniture store in the US and orders a bookcase, providing their EU address for delivery.
- Also a data subject located in the EU ordering a product/service for delivery in the EU, but in this case, not only is the data subject’s citizenship irrelevant, so, too, is the furniture store’s location. The GDPR applies.
- A French citizen living in Rome visits the website of a software company in the US and downloads a free ebook, providing their name, email address, and EU telephone number in the required form.
- Again, a data subject located in the EU is providing data to order a product/service for delivery in the EU. The fact that it’s a digital product that’s free of charge, and the fact that the software company is located in the US, are irrelevant. The GDPR applies.
The GDPR Does Not Apply:
- A French citizen living in Chicago orders something from Amazon.com for delivery to their US address.
- This transaction involves a product/service delivered in the US, beyond the jurisdiction of the GDPR. The data subject’s citizenship is irrelevant. The GDPR does not apply.
- While that same French citizen is visiting family in Paris, they place another order via Amazon.com, for delivery to their home address in the US.
- Another transaction involving a product/service delivered in the US, but in this case, both the citizenship of the data subject and their location are irrelevant. The GDPR does not apply.
As you can see, it’s complicated.
But Should You Care?
Doesn’t it make more sense to establish compliance for everyone, rather than try to figure out all the nuances of who is located where and what their citizenship is and where their product or service is being delivered?
We think so. We also believe your customers, wherever in the world they might be, will appreciate your willingness to safeguard their data to the GDPR’s standards, even when you might be under no obligation to do so.
That’s just good business.
The Legalese from the GDPR:
Article 3 (1) states:
“This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the
processing takes place in the Union or not.”
Article 3 (2) states:
“This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
Recital 14 states:
“The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.”
Additional Information: GDPR: Who Must Comply