When the European Union’s (EU) General Data Protection Regulation (GDPR) was initially effective in 2018, many companies were confused at whether they were directly subject to the GDPR or not. Back then, companies tended to be more focused on not being subject to the extraterritoriality of the GDPR. Now, with the advent of the new Transfer SCCs, those who are processors are perhaps more focused on being directly subject to the GDPR as it would preclude using the new SCCs.
Please also see these FAQS on SCCs.
How to determine if Article 3(2) of the GDPR applies to you
To determine this, look at the language of Article 3(2) itself:
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
Key concepts to consider:
- Not established in the Union. So you must be located outside the European Economic Area, which comprises the 27 member states (not the UK) plus Iceland, Liechtenstein, and Norway.
- This provision applies to the processing activities, not to the company. So if you are subject to the GDPR for a processing activity, your other processing activities may not be subject to GDPR. You need to assess each processing activity.
- Directly and indirectly. If the processing activity is offering goods or services in the EEA or is related to monitoring the behavior of individuals in the EEA, then the GDPR applies directly to that activity.
Note that the GDPR specifies offering goods and services to “data subjects” not to companies. There is some debate around business-to-business activities, but the authorities have not clarified whether data subjects within organizations are or are not included in this definition. At this time, we approach this from a conservative viewpoint that B2B activities are not excluded.
If you are still unsure, let’s first turn to some guidance from the European Data Protection Board from 2018 when companies were initially debating whether the GDPR applies to them. The EDPB provided key guidance that applies to the current anlysis, such as the “targeting” criterion.
- For the activity in question, are you targeting your goods and services to the EEA?
The EDPB clarifies that [p]rocessing activities which are “related” to the activity which triggered application of Article 3(2) also fall within the territorial scope of the GDPR. . . .[T]here needs to be a connection between the processing activity and the offering of good or service, but both direct and indirect connections are relevant and to be taken into account.”
You may be able to determine whether or not you are “targeting” the EEA by examining key aspects of your activity:
- Do you use any languages in the EEA, such as French or Italian, in the activity to facilitate purchases or usability?
- Do you convert purchase amounts to any currency in the EEA?
- Do you reference the EU or one of the countries by name with reference to the good or service?
- Do you pay for any search engine optimization for the EEA?
- Have you launched marketing and advertising campaigns directed at an EU country audience?
- Is the nature of your offer international, such as certain tourist activities?
- Do you list any EEA contact information for assistance or sales?
- Do you use a top-level domain name in the EEA, for example “.de”, or the use of neutral top-level domain names such as “.eu”?
- Do you provide travel instructions from one or more other EEA countries to the place where the service is provided?
- Do you mention international clientele composed of customers domiciled in various EEA countries, in particular customer testimonies?
- Do you offer the delivery of goods in EU Member States?
Any of these could indicate that you are targeting the EEA for your goods and services.
If you do target the EEA, or monitor behavior of individuals in the EEA – such as by cookies & trackers – you also need to know what to do now. TrustArc has provided some wonderful resources on this, listed below.
What are the next steps if your processing activity is directly subject to the GDPR?
This means that you do not need to use the new Transfer SCCs, but you not only have to comply with the GDPR, you need to demonstrate compliance. Here is a short list of the documentation you need.
- Demonstration that you are directly subject to GDPR via the processing activities in consideration.
- Individual assessment of your goods and services on an activity level (per good or service) with your controllers and / or processors to identify which relationships are impacted.
- Review the Transfer SCCs to see what you may need to put in place with your controllers or processors.
- Assessment of third countries (non-EEA countries) for government surveillance activities.
- Identify risks associated with processing activities, especially sharing of data to processors across borders.
- Supplemental measures to mitigate the risks identified, including with third countries and processors.
- Demonstration that you comply with the GDPR, such as through GDPR Validation or the EU Cloud Code of Conduct.
What are the next steps if you need to transition to the new Transfer SCCs?
Whether you need to transition to new Transfer SCCs for your controllers or processors or you are not directly subject to the GDPR with your processing activities, you need to:
- Review the new Transfer SCCs;
- Identify which module applies to your circumstances; and
- Start the transition process.
- You can still negotiate new contracts with the old SCCs through September 27, 2021.
- After September 27, you can only negotiate with the new Transfer SCCs.
- Old SCCs are still valid in current contracts through December 27, 2022.
- After December 27, 2022, only new Transfer SCCs are valid and only where they are valid. So if the GDPR applies directly to a processing activity, you not only cannot use the new Transfer SCCs, they will not be valid.
In addition, you need to do the same documentation as listed above – review your own controller and processors to identify where the new Transfer SCCs can be used, assess each transaction individually, assess each third country you transfer data to, and assess your risks, mitigate them, and publish supplemental measures. These will be attached to the new Transfer SCCs as annexes.
If you are still wondering what your next steps are, or how to assess third countries, do not worry – TrustArc has you covered. Please contact us if you have any questions.