This page provides a guideline for EU GDPR applicability outside Europe to help organisations in other countries make a decision as to whether they will be liable for EU GDPR compliance or not.
Key Criteria for EU GDPR applicability outside Europe
The key criteria for deciding whether an organisation will be liable for EU GDPR compliance are defined in Article 3, Territorial Scope. These are:
- This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
- This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
- This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
EU GDPR applicability outside Europe
The applicability of the above for organisations outside the Europe can be interpreted as:
In view of the above, the organisation will, therefore, only be liable for compliance if they intentionally offer a product or service to EU residents while they are data subjects are in the EU. For exmple, the intention to offer services e.g. sales or rentals of properties in Africa, or tourist packages to lodges, hotels, etc in Africa to EU residents would be demonstrated if the organisation advertised sales/rentals or tourist packges either directly or via an agent in Europe.
It should also be noted that the EU GDPR only includes living individuals and excludes juristic persons (legal entities) which are covered by the South African Protection of Personal Information Act.
Disclaimer: This document does not constitute legal advice but rather serves as a guideline for making an appropriate decision.
Please contact us for more information about the applicabily of EU GDPR in your country.