Key Criteria for EU GDPR applicability outside Europe

This page provides a guideline for EU GDPR applicability outside Europe to help organisations in other countries decide whether they will be liable for EU GDPR compliance or not.

The key criteria for deciding whether an organisation will be liable for EU GDPR compliance are defined in Article 3, Territorial Scope. These are:

  1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
  2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a)   the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b)   the monitoring of their behaviour as far as their behaviour takes place within the Union.

  3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

EU GDPR applicability outside Europe

The applicability of the above for organisations outside Europe can be interpreted as follows:

Point 2 states that the regulation can potentially affect any organisation anywhere in the world, but it will only apply if the activities in point 2 (a) and/or (b) are carried out. The test for point (a) is whether there is an intention to offer a product or service to data subjects resident in the EU. Activities relating to point (b) would typically be monitoring data subjects' visits to the organisation's website offering products or services through the use of cookies or similar technologies.

In view of the above, the organisation will, therefore, only be liable for compliance if it intentionally offers a product or service to EU residents while those data subjects are in the EU. For example, the intention to offer services, e.g. sales or rentals of residential units in Africa, to EU residents would be demonstrated if the organisation advertised sales or rentals either directly or via an agent in Europe.

It should also be noted that the EU GDPR only includes living individuals and excludes juristic persons (legal entities) which are covered by the South African Protection of Personal Information Act.

Disclaimer: This document does not constitute legal advice but rather serves as a guideline for making an appropriate decision.

Please contact us for more information about the applicability of EU GDPR in your country.