Page 62 - CDM-CYBER-DEFENSE-eMAGAZINE-December-2018

in an EU country. According to Article 3, you will be affected if you are a data controller or data processor
            and any of the following apply:


            you are established in the EU (or somewhere else subject to EU law), or

            you offer goods or services to data subjects in the EU, or

            you monitor the behavior of data subjects in the EU.



            Establishment in the European Union

            If you are established in the EU, then all processing related to that establishment is covered, even if it
            takes place elsewhere.

            Being established is a broad concept in EU law. It could apply to you if you have (for example) a branch,
            representative, address or bank account in an EU country. For more context, see the recent Weltimmo
            case in the European Court of Justice, particularly paragraphs 29 to 33, regarding the outgoing Data
            Protection Directive.



            Goods and Services

            If you control or process data relating to people in the EU, in the context of offering them goods and
            services, then this will be covered by GDPR. This is true even if the goods and services are free.

            Note the word offering: it appears that this will only apply where there is some element of targeting your
            goods at EU countries. Targeting is likely to include providing a version of your website in a local language
            (which is not your own country’s language), allowing purchases in the local currency, or mentioning EU
            customers or countries on the website. It is possible that merely delivering to EU countries will be enough
            to count.

            Note that the key question is whether your customers (or members, or employees) are in the EU, not
            whether they are EU citizens. You don’t, for example, need to worry about the nationality of customers
            based in the U.S.



            Monitoring Behavior

            If you control or process data relating to people in the EU, in the context of monitoring their behavior,
            then this will be covered by GDPR.


            A lot of monitoring is done in tandem with the offering and sale of goods and services (see above), such
            as online vendors using patterns in consumer purchases to offer similar products, or games developers
            collecting data on player activity. However, monitoring also covers a wider range of activities, including
            market research and getting feedback. The vast majority of online organizations (commercial or non-
            commercial) monitor the behavior of visitors to their websites to some extent.




