Does the EU General Data Protection Regulation (GDPR) apply to me?

The European Data Protection Board (EDPB) published for public comment its much awaited guidelines on the extraterritorial effect of GDPR.

Some highlights include:

  • In some circumstances, the presence of one employee or agent of the non-EU entity may be sufficient to constitute a stable arrangement for the purpose of GDPR scope if that employee or agent acts with a sufficient degree of stability.
  • A non-EU controller will not become subject to the GDPR simply because it chooses to use a processor in the Union.
  • A processor subject to GDPR is required to enter into an agreement containing the key requirements of Art 28 GDPR with its controller who is not subject to GDPR.
  • GDPR applies to people physically located in the Union at the time of the processing regardless of their citizenship or residence.
  • For Non-EU entities, intention to establish commercial relations with consumers in the Union must be manifested. Non-exhaustive factors include taking EU currency, using EU languages or an EU top level domain.
  • Monitoring behavior can be done on the internet or through wearable or smart devices. At issue will be the purpose for processing and any subsequent behavioral analysis or profiling. 

Read the full text of the guidelines.