The long arm of the GDPR
1. THE LONG ARM OF THE GDPR
THE EXTRATERRITORIAL EFFECT
2. ARTICLE 3: TERRITORIAL SCOPE OF THE GDPR
– It applies to the processing of personal data in the context of the
activities of an establishment of a controller or a processor in the
EU, regardless of whether the processing takes place in the Union
or not.
– The GDPR applies to the processing of personal data of data
subjects who are in the EU by a controller or processor not
established in the EU, where the processing activities are related
to:
  – the offering of goods or services, irrespective of whether a payment
    of the data subject is required, to such data subjects in the EU; or
  – the monitoring of their behaviour as far as their behaviour takes
    place within the EU.
– The GDPR applies to the processing of personal data by a
controller not established in the EU, but in a place where a law of
a member state applies by virtue of public international law.
3. CRITERION 1: OFFERING OF GOODS AND SERVICES
– The mere accessibility of an establishment’s website in the EU is
an insufficient factor.
– The organization must “envisage” that its activities will be directed
to data subjects in the EU.
– Factors to determine whether an organization offers goods and
services include:
  – Use of a language or currency that is often used within one or more
    member states of the EU;
  – Possibility of ordering goods or services in the language of that
    member state;
  – The mention of customers or users within the EU.
4. CRITERION 1: OFFERING OF GOODS AND SERVICES
– An intention to target EU customers may be determined by
“patent evidence”, such as the payment of money to a search
engine to facilitate access by those within a country or where
targeted countries are designated by name.
– Certain other factors may evidence the above-mentioned
intention:
  – The “international nature” of the relevant activity (for example:
    certain tourist activities);
  – Use of telephone numbers with an international code;
  – Use of a top-level domain name other than that of the state in which
    the trader is established (such as .de or .eu);
  – Description of “itineraries…from countries to the place where the
    service is provided”;
  – Mentions of an “international clientele composed of customers
    domiciled in various countries”.
5. CRITERION 2: MONITORING OF BEHAVIOUR
– The following factors would help determine whether a processing
activity could be considered “monitoring behaviour” of data
subjects in the EU:
  – Are they tracked on the internet?
  – Are these persons profiled?
  – Does the profiling result in decisions concerning the person?
  – Does the profiling result in analyzing or predicting the person’s
    personal preferences, behaviours, attitudes, etc.?
– Examples include:
  – online behavioural advertising;
  – travel data of individuals using a city’s public transport system (for
    example: tracking via travel cards);
  – profiling and scoring for the purposes of risk assessment (for
    example: credit scoring, insurance premiums, fraud prevention,
    detection of money-laundering);
  – location tracking;
  – monitoring of wellness, fitness and health data via wearable devices.
6. REPRESENTATIVES
– If an establishment offers goods or services to data subjects in the
EU or monitors the behaviour of such data subjects, it needs to
appoint “representatives”.
– Representatives should be appointed by a written mandate.
– Representatives can be natural or legal persons.
– These representatives should be established in countries where
the data subjects are.
– They are available locally to data subjects and act as
intermediaries between them and the controller or processor
located overseas.
– There is an implication that representatives could be named as
parties in administrative actions or litigation.
7. EXCEPTIONS FOR APPOINTING A REPRESENTATIVE
– If the processing is occasional;
– If it does not include processing, on a large scale, of special
categories of personal data or the processing of personal data
relating to criminal convictions and offences and if it is unlikely to
result in a risk to the rights and freedoms of natural persons,
taking into account the nature, context, scope and purposes of the
processing;
– If the controller is a public authority or body.