Personnel Today
  • Home
    • All PT content
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Learning & training
    • Pay & benefits
    • Wellbeing
    • Recruitment & retention
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • Brightmine
    • Learn more
    • Products
    • Free trial
    • Request a quote
  • Webinars
  • Advertise
  • OHW+

Personnel Today

Register
Log in
Personnel Today
  • Home
    • All PT content
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Learning & training
    • Pay & benefits
    • Wellbeing
    • Recruitment & retention
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • Brightmine
    • Learn more
    • Products
    • Free trial
    • Request a quote
  • Webinars
  • Advertise
  • OHW+

General Data Protection RegulationData protectionLatest NewsGlobal HR

How does the GDPR apply to businesses outside the EU?

by Alice O'Donovan 20 Aug 2018
by Alice O'Donovan 20 Aug 2018 A US business with customers in the EU could fall under GDPR regulations
Anthony Behar/Sipa USA/REX/Shutterstock
A US business with customers in the EU could fall under GDPR regulations
Anthony Behar/Sipa USA/REX/Shutterstock

Organisations are still getting to grips with their obligations under the new General Data Protection Regulation. But if you operate outside the EU, that does not mean you’re exempt from the new legislation, as Alice O’Donovan from McGuireWoods explains.

GDPR

GDPR: Which policies and documents have been updated?

Register of HR-related personal data (compliant with the GDPR)

The new General Data Protection Regulation, or GDPR, has been designed to protect personal data in the face of increasing globalisation and rapid technological advances. As a result, its applicability is not just confined to businesses in the EU: it can apply to any organisation, anywhere in the world, in any sector.

The GDPR applies to organisations that have EU establishments, where personal data is processed in the context of the activities of such an establishment.

But it also applies to organisations outside the EU − even if they have no physical presence in the EU − if they process personal data in the course of:

  • offering goods or services to people (referred to as “data subjects” in the GDPR) in the EU; and/or
  • monitoring the behaviour of data subjects as far as their behaviour takes place in the EU.

What does offering goods or services mean?

The key question is whether the organisation “envisages” offering goods or services to data subjects in the EU.

Simply having a website that is accessible from the EU is insufficient to bring a business within scope. If, however, the website is available in European languages, offers prices in European currencies, and delivers products to the EU, the business will be within scope.

It does not matter whether the data subject needs to pay for the goods or services. Even if the goods or services are offered for free, the organisation will still be caught.

Monitoring behaviour

Your organisation might use online data processing techniques to make decisions about customers and to analyse/predict their personal preferences.

There are many technologies available for this: for example, the use of cookies. Their use can lead to organisations being caught by the GDPR.

Cookies that do not collect personal data or profile users, such as cookies used solely for website functionality, are unlikely to be caught by GDPR.

If, however, an organisation uses cookies to profile individuals in the EU by tracking online activity across websites, it is likely to be processing personal data to monitor behaviour.

In addition, websites that use tracking cookies or applications to track usage could be caught by the GDPR if the information they collect, taken together, renders an individual within the EU identifiable. (Note that the individual need only be identifiable, not necessarily identified.)

There are many other technologies that enable individuals to be tracked or monitored, such as recording and sharing of IP addresses, and apps that gather data about the user.

Non-EU businesses should therefore carefully evaluate the online tracking technologies they use in order to determine whether they fall within scope of the GDPR.

Why does it matter?

Failing to comply with the GDPR may result in a maximum fine of €20m or 4% of global turnover, whichever is higher. In addition, individuals have the right to bring claims for redress where they have suffered damage due to a breach of the GDPR.

Non-EU businesses should give careful consideration to whether they may be caught by the GDPR. If you think your business might be within scope, you should seek advice and take immediate steps towards compliance – or take steps to place your business outside scope (for example, blocking your website to individuals in the EU).

There are question marks over how, in practice, EU regulators will enforce fines against organisations outside the EU.

Nevertheless, non-EU organisations should not underestimate the EU’s determination to protect its citizens’ personal data. Moreover, irrespective of the risk of enforcement action, non-compliance could result in unwelcome reputational damage.

Does the GDPR apply?

A US retail business has a large store in Manhattan. It does not have any physical presence outside the US. Its website is accessible from the EU, but it does not deliver its products to the EU, its website prices are shown only in US dollars and the website is available only in English. However, EU tourists regularly visit the store and make purchases.

No. There is no indication that this business “envisages” offering its goods to data subjects in the EU. EU citizens may visit the store when in New York, but the GDPR only applies insofar as goods or services are offered to data subjects who are in the EU.

A hotel located in Los Angeles. Its website is accessible from the EU but its prices are shown only in US dollars and its website is available only in English. However, the hotel has a contract with a travel agent to sell rooms in the hotel to individuals in the EU. Bookings are made via the travel agent, who then passes the individuals’ personal data to the hotel.

Yes. Guests may make their bookings through an intermediary, but the hotel clearly still “envisages” that data subjects in the EU will uses its services – it has contracted with the travel agent for that reason.

Sign up to our weekly round-up of HR news and guidance

Receive the Personnel Today Direct e-newsletter every Wednesday

OptOut
This field is for validation purposes and should be left unchanged.

A US-based charity has a website available in English, French, Spanish, and German. It sends free literature to people who get in touch via its website, including people in the EU.

Yes. The charity clearly envisages offering services to individuals in the EU – it is irrelevant that their service is free.

Alice O'Donovan

Alice O'Donovan is a litigation lawyer and GDPR expert at McGuireWoods

previous post
Swedish woman compensated after job interview handshake refusal
next post
Five lesser known maternity rights women must be aware of

You may also like

Restaurant tips should be included in holiday pay

21 May 2025

Fewer workers would comply with a return-to-office mandate

21 May 2025

Redefining leadership: From competence to inclusion

21 May 2025

Pay awards in real terms could fall for...

21 May 2025

Ryanair demands flight attendants pay back salary increase

21 May 2025

Consultation launched after Supreme Court ‘sex’ ruling

20 May 2025

Uncertainty over law hampering legal use of medical...

20 May 2025

Black security manager awarded £360k after decade of...

20 May 2025

Employers ‘worryingly’ ignorant about stress risk assessments

20 May 2025

UK and EU agree to collaborate on ‘youth...

19 May 2025

  • 2025 Employee Communications Report PROMOTED | HR and leadership...Read more
  • The Majority of Employees Have Their Eyes on Their Next Move PROMOTED | A staggering 65%...Read more
  • Prioritising performance management: Strategies for success (webinar) WEBINAR | In today’s fast-paced...Read more
  • Self-Leadership: The Key to Successful Organisations PROMOTED | Eletive is helping businesses...Read more
  • Retaining Female Talent: Four Ways to Reduce Workplace Drop Out PROMOTED | International Women’s Day...Read more

Personnel Today Jobs
 

Search Jobs

PERSONNEL TODAY

About us
Contact us
Browse all HR topics
Email newsletters
Content feeds
Cookies policy
Privacy policy
Terms and conditions

JOBS

Personnel Today Jobs
Post a job
Why advertise with us?

EVENTS & PRODUCTS

The Personnel Today Awards
The RAD Awards
Employee Benefits
Forum for Expatriate Management
OHW+
Whatmedia

ADVERTISING & PR

Advertising opportunities
Features list 2025

  • Facebook
  • Twitter
  • Instagram
  • Linkedin


© 2011 - 2025 DVV Media International Ltd

Personnel Today
  • Home
    • All PT content
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Learning & training
    • Pay & benefits
    • Wellbeing
    • Recruitment & retention
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • Brightmine
    • Learn more
    • Products
    • Free trial
    • Request a quote
  • Webinars
  • Advertise
  • OHW+