When is a company subject to the GDPR?

The GDPR (General Data Protection Regulation) is an EU regulation on personal data protection. One should bear in mind, however, that the GDPR contains quite broad provisions on its extraterritorial applicability. Therefore, even if the company does not have a presence in the EU or EEA, it can still fall within the scope of the GDPRThe GDPR applies not only to EU states. It is also applicable to some member-states of the European Free Trade Association (Norway, Iceland and Liechtenstein). From here onwards, for simplicity, we will use the term “EU” when also referring to EFTA states., especially when many companies look for ways to diversify their business and operate through Dubai, the CIS and the Middle East. In addition, when acquiring a foreign company, one should thoroughly screen such company for the applicability of the GDPR to it, since the fine for a breach of the GDPR can be calculated based on the entire group’s revenue. Below we will look at common cases where the GDPR can apply to your business.

Extraterritorial scope of GDPR

Article 3 sets out two principal criteria of the applicability of the GDPR: the company has an established presence in the EU (the “establishment” criterion) or the company may not have an establishment in the EU, but targets the EU (the “targeting” criterion):

• Article 3(1) states that the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU (regardless of whether the processing takes place in the EU or not). In other words, if you have a company in the EU, it will be subject to the GDPR.

It should be noted that the term “establishment” is very broadly interpreted by European law enforcers. The GDPR itself says that an establishment should in the first place mean the real and effective exercise of economic activities.

Having a legally formal establishment (a branch or subsidiary) is not a determining factor in that respect. For example, the presence of a representative or a bank account in a certain country may, in certain circumstances, qualify as an establishmentCJEU Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság [2015] Case C-230/14, 1 October 2015. In practice, even minimal, but stable economic activities (even the presence of a single employee or representative) would suffice to create an establishmentPage 6 of EDPB Guidelines 3/2018 on the territorial scope of the GDPR (Article 3).

• Article 3(2) of the GDPR stipulates that the GDPR is also applicable to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to (i) the offering of goods or services to such data subjects in EU, or (ii) the monitoring of their behaviour as far as their behaviour takes place within the EU.

The GDPR implies that the offering of goods or services must be targeted at the data subjects in the EU. The practice also confirms this thesis showing, for example, that just a translation of the website into one of the EU languages would not mean that the activities are targeted at the data subjects in the EU. It is necessary to analyse the entire set of factors such as whether there is a website in the domain zone of an EU state, a telephone line or a representative in the EU, whether goods can be delivered to the EU, whether one can pay for promotional services of operators of search engines in the EU, etc. However, the mere fact that one is required to pay for the services or goods is of no relevance for determining whether the GDPR applies or not.

Even though the collection of personal data on the Internet and the analysis of such data does not constitute in itself “monitoring” for GDPR purposes, we recommend that you be very cautious about situations where personal data is collected online. Where market research takes place, where there is personal data profiling, where users’ behavioural patterns are monitored, where data is collected through cookies and advertising is targeted at the data subjects who are in the EU and so forth, there is a need for analysing whether all these activities fall within the scope of the GDPR.

Case studies

Let’s look at some of the cases where the GDPR applies:

• A subsidiary in Kazakhstan, being a company of a Russian group, is considering the opportunity of entering the EU market. For this purpose, the company is carrying out market research into EU users’ preferences while also launching an advertising campaign using targeted advertising. In this case, the GDPR will apply since the company in Kazakhstan collects data of European users and its activity is targeted at EU users;
• A Russian company acquired a company in Dubai which has been historically delivering goods to users in the EU. In this case, the GDPR will apply to the company from Dubai as it delivered goods to users in the EU, such deliveries were systematic and the company’s operations target persons in the EU. In addition, if it is planned that that in the future data will be transferred to Russia or access to such data will be provided from Russia, it is necessary to ensure compliance with the GDPR on the part of the Russian company during such transfer or access.
• A company engaged in the development of mobile games distributes its games in various countries, including the EU. The games of the company are available in mobile app stores of the relevant countries. In this case, it is most likely that the GDPR will apply to the company’s activities as in the given case the “targeting” criterion will be met. In addition, mobile games usually imply in-game purchases and collection of extensive analytics on the app use;
• A company in Russia processes personal data of EU nationals in connection with the provision of offline services when they are in Russia. Generally, the GDPR does not apply to the activities of such company as the “targeting” and “establishment” criteria are not met in the given case and the company processes personal data of only such EU data subjects who are not in the EU.

Consequences of the GDPR rollout

The application of the GDPR entails a series of consequences:

• the obligation to comply with the GDPR provisions, which involves, among other things, appointing a representative in the EU (in certain cases), fine-tuning business processes, applying appropriate security measures, training employees, etc;
• the breach of the GDPR may result in turnover based fines of up to EUR 10 million or 2% of the annual revenue for the previous year (whichever is bigger) and for serious breaches the fine will be of up to EUR 20 million or 4% of the annual revenue for the previous year (whichever is bigger);
• in addition, the GDPR implies the prohibition or suspension of personal data processing, which in fact may mean a prohibition on doing business in the EU;
• complications when working with major counterparties as a GDPR compliance audit for vendors is common practice.

It is important to note that when acquiring a company that must comply with the GDPR, you should conduct a thorough post-acquisition GDPR compliance audit in respect of such company and look after compliance with the GDPR inside the group because the fine for a breach of the GDPR can be calculatedItem 128, Guidelines 04/2022 on the calculation of administrative fines under the GDPR based on the revenue of the entire group, including Russian revenue.

Should you have any questions on the applicability of the GDPR to your business or on the implementation of GDPR requirements, we will be pleased to help.