“Ok, ok, enough about the GDPR laws already!
I don’t even live in Europe, so who cares?”
If this is how you have been thinking about the GDPR laws and regulations that went into effect on May 25, 2018, you could still be at risk…$20M worth of risk.
And, no one can afford that kind of mistake.
You are probably wondering: “Do the GDPR laws apply to ME?”
Like everything else about the GDPR laws, the answer is not very clear. We explained the basics of the GDPR laws in a previous post. Let’s take a closer look at how these regulations from the EU affect you and your business if you are not located in the EU.
As far as your location and territorial jurisdiction are concerned, GDPR laws apply in a few ways:
- You are established in the EU and conducting data processing in the context of that business’ activities.
- You are offering goods or services, for free or for a fee, to individuals in the EU.
- You are monitoring the behavior of individuals within the EU.
In a nutshell, no matter where you are, if you do international business with ANYONE in the EU, you should pay attention to the GDPR laws.
Article 3(1) states that if you have some sort of “establishment” in the EU that handles personal data, you will be governed by GDPR laws. This gets confusing because the GDPR does not exactly define what an “establishment” is. However, Recital 22 explains by stating that an establishment “implies the effective and real exercise of activity through stable arrangements.”
If your organization has a sales office located in the EU, promotes, sells, or markets to EU residents, and there is an “inextricable link” between the establishment and the processing activities, GDPR laws apply. This could mean a single representative of your company working physically from the EU, but not a single server.
Now, what if you don’t live in the EU or have anyone working for you there?
Article 3(2) contains an extraterritorial or “long-arm” provision that includes the processing of personal data of people who are in the EU by a non-EU organization if the processing involves:
- the offering of goods or services, regardless of whether a payment of the data subject is required, to people who live in the EU; or
- the monitoring of their behavior as far as their behavior takes place in the EU.
To take it one step further, GDPR laws apply to you if you are even thinking about offering goods and services to people in the EU. If your website is accessible to people in the EU, and there are any indications (such as testimonials) that you plan to or would like to do business in the future with people in the EU, you will be under GDPR scrutiny.
You are monitoring behavior if “natural persons are tracked on the internet including the potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.”
In simple terms, this means that you are monitoring behavior if you are using behaviorally targeted advertising for marketing purposes. If you are profiling people to evaluate behavior, whether automated or not, GDPR applies.
One last thing: if you offer services B2B only, you don’t get off the hook.
Organizations offering goods and services to businesses rather than individuals are not exempt if they are processing any personal data of people who live in the EU.
It’s pretty obvious that if you live in the EU, you must comply with the GDPR laws. But, as we have tried to make clear above, you may be under the jurisdiction of the GDPR if your website is accessible to folks in Europe.
No matter where you live, you must first comply with the laws of your own country. Do some research of your own and ask questions. You do not want to find out the hard way that you should have taken steps to comply with GDPR laws.
As a disclaimer, neither JVZoo nor any employee or representative of the Company is an expert on GDPR regulations. For the most accurate info on details of the laws, contact an attorney who is familiar with the GDPR, or visit:
- The Official EU Government Site
- This neatly arranged final text of GDPR
- One more easily readable text on GDPR