
So I have an app that processes the PII of users and their interests; the app is South Asia-based. The app doesn't support EU customers and is geo-blocked by default.

I would like to process and store this information in the EU region due to "reasons" (personal interests). I would like to know whether this also comes under the GDPR, even though we don't do business in the EU region, and whether it is legal to do it.

I have gone through various documents to get information on this. What I understood is that the GDPR comes into play for the data of EU customers or for businesses operating in the EU, but there is no clarity on businesses outside the EU storing the data of customers abroad in the EU.


Whether the GDPR applies depends solely on the location and actions/intentions of the data controller.

  • Art 3(1) GDPR: Do the processing activities occur in the context of an EU/UK establishment of the data controller? If so, GDPR applies.

    Technically, GDPR also applies if the processing activities occur in the context of a data processor, but see the discussion below.

  • Art 3(2) GDPR: Is the data controller outside of the EU/UK, but does any of the following?

    • targeting criterion: offering goods or services to people who are in the EU/UK
    • monitoring behaviour of people, as far as the behaviour occurs in the EU/UK

    If so, GDPR applies.

  • Otherwise, save for some edge cases, GDPR does not apply.

So the data controller must be somehow participating in the EU/UK market for GDPR to apply.

The data controller is whoever determines the purposes and means of processing. You determine for what purposes and how personal data of users of your app is processed, so you are the data controller. You do not have an EU/UK establishment and you aren't marketing your services towards people in the EU, so there is no way that you would have to comply with the GDPR.

In some cases, you might be sharing personal data with third parties.

  • Those third parties might be data controllers of their own, who are then responsible for their own compliance.
  • Alternatively, those third parties might have “data processor” status, which means they are contractually bound to only use the data as instructed by you. For example, a hosting provider typically acts as a processor, not as a controller.

Now when you engage a processor who is established in the EU/UK, they do have to comply with GDPR. But processors have different responsibilities from controllers. A processor's main responsibility is to comply with your instructions. You don't have to comply with GDPR just because you're using an EU/UK-based processor. Engaging an EU/UK-based processor does not constitute an establishment of yours that would bring the processing directly in scope of the GDPR.

If you want detailed discussions of these matters, please read the EDPB guidelines 3/2018 on the territorial scope of the GDPR. The EDPB is the EU's coordinator for GDPR supervisory authorities, so their guidelines are quite authoritative (but don't have the status of case law). They discuss your scenario in section 1(d)(ii), starting on page 11 of the English version. To excerpt relevant aspects of their guidance:

Processing in the context of the activities of an establishment of a processor in the Union

Whilst case law provides us with a clear understanding of the effect of processing being carried out in the context of the activities of an EU establishment of the controller, the effect of processing being carried out in the context of the activities of an EU establishment of a processor is less clear. […]

Assuming the controller is not considered to be processing in the context of its own establishment in the Union, that controller will not be subject to GDPR controller obligations by virtue of Article 3(1) […]. Unless other factors are at play, the processor’s EU establishment will not be considered to be an establishment in respect of the controller. […] That is to say, a “non-EU” controller (as described above) will not become subject to the GDPR simply because it chooses to use a processor in the Union. […]

Example 7: A Mexican retail company enters into a contract with a processor established in Spain for the processing of personal data relating to the Mexican company’s clients. The Mexican company offers and directs its services exclusively to the Mexican market and its processing concerns exclusively data subjects located outside the Union.

In this case, the Mexican retail company does not target persons on the territory of the Union through the offering of goods or services, nor does it monitor the behaviour of persons on the territory of the Union. The processing by the data controller, established outside the Union, is therefore not subject to the GDPR as per Article 3(2).

The provisions of the GDPR do not apply to the data controller by virtue of Art 3(1) as it is not processing personal data in the context of the activities of an establishment in the Union. The data processor is established in Spain and therefore its processing will fall within the scope of the GDPR by virtue of Art 3(1). The processor will be required to comply with the processor obligations imposed by the regulation for any processing carried out in the context of its activities.

The guidance then goes on to list which GDPR obligations the EU/UK processor still has. In particular, they need a contract pursuant to Art 28 GDPR that cements their privileged processor status, and they are required to only use the personal data as instructed by you. Indeed, many EU/UK based service providers will refuse to provide services unless you enter into such an agreement. Sometimes, the necessary agreements are part of their normal terms of service.


The GDPR Might Well Apply

The GDPR applies when a Data Controller (usually the provider of the service) is located in the EU or when the service is "targeted" at the EU or any part of it by the Data Controller (DC), and any person whose personal information (PI) is processed by the DC. (Note: "Process" includes simply storing the information.)

More specifically GDPR Article 3 paragraph 2 reads:

(2) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(2) (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(2) (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

GDPR Recital 23 reads:

In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.

This means that when a non-EU DC provides goods or services to people in the EU, and also advertises in the EU, uses the language of an EU country that is not the/a language of the country where the DC is located, accepts payments in euros or a currency of an EU country, or other evidence shows an intent by the DC to offer goods or services to people in the EU (or part of it), then the DC may be taken to have intended to offer goods or services to people in the EU, and the GDPR will apply.

In the case described in the question, it is said that:

The app doesn't support EU customers and is geo-blocked by default.

This would be good evidence that the DC is not targeting the EU, and so the GDPR does not apply. Information (PI) about people in the EU who nonetheless manage to use the service would appear not to be covered by the GDPR when the app collects and stores it.

However, if such PI is transferred into the EU, then the person or firm that controls it might be considered a separate DC that is "established in the Union", or if the DC who controls the in-EU storage is clearly the same as the DC who originally did the out-of-EU collection, then that DC might be considered to have acquired an "establishment" in the EU. If so, any processing done by that establishment would be subject to the GDPR.

GDPR Recital reads:

Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.

Thus it would seem that transferring the PI of people located in the EU (or who were so located when the data was collected) into the EU might well subject that PI (and the relevant DC) to the GDPR. If so, a notice to the Data Subjects (people whose information is so processed) might well be required, and the DC would need a lawful basis for processing under GDPR Article 6.

I do not find specific EU caselaw on this point.

Note that under GDPR Article 2 paragraph 2:

This Regulation does not apply to the processing of personal data: ...

(b) by a natural person in the course of a purely personal or household activity;

However, it is not at all clear from the question that the data storage and other processing intended would constitute "purely personal or household activity". In fact I rather doubt that it would.

Note that the UK version of the GDPR now has essentially identical provisions with regard to the UK, as the EU version does with regard to the EU.

  • I think your answer is correct in concluding that the targeting criterion is not fulfilled, but incorrect in assuming that using an EU-based processor could constitute an EU establishment of the controller. Please see my answer for discussion of this point, in particular the quoted EDPB guidelines. The term “establishment” is a technical term in EU law and has relevant caselaw that the EDBP discusses in another part of their guidelines. At first approximation, establishment means a subsidiary or branch office of the controller's legal entity, but a processor isn't the controller's subsidiary.
    – amon
    Commented Jul 22, 2021 at 19:41
  • @amon, yes, but Recital 22 reads: "Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation." If storage is in the EU via an EU processor, wouldn't that trigger the GDPR?
    Commented Dec 19, 2021 at 23:26
  • As discussed in my answer, the processor's establishment is not an establishment of the controller. Of course, the EU-based processor does have to comply with the GDPR. But this is a fairly limited obligation that can be summed up as “only use the data as instructed by the controller”. Practical problems could arise about the need to sign an Art 28 data processing agreement (even though the controller isn't subject to GDPR), and rules about international transfers (but the new, modular SCCs help with processor→controller transfer situations).
    – amon
    Commented Dec 23, 2021 at 17:29
