If you haven't read our introductory article on whether the GDPR applies to your Australian business, that's a good place to start for an overview: take a look over here.
In our last article, we said that if a business has an "establishment" in the European Economic Area (EEA) and processes personal data in the context of its activities, then the GDPR might apply. An example of an establishment is having an office, branch or subsidiary in the EEA.
In the Q&A below, we further explore what it means to have an "establishment" in the EEA, according to the GDPR.
(Note that this is not the only situation where the GDPR might apply - it's just the focus of this article.)
Q: My business is not registered in the EEA, so do I need to worry about GDPR?
A: Yes, maybe. Your business’ place of registration is not a determinative factor. Even if you have no major branch or subsidiary in the EEA, you may be considered to have an EEA establishment if you have some (even minimal) business presence there. You have to consider whether your business carries out any "real and effective" activity in the EEA through "stable arrangements" in the EEA - a deliberately broad description. The processing of personal data in the context of those activities will likely give rise to GDPR obligations.
Q: My business has a branch in Italy (or somewhere within the EEA), but I process all the personal data in my Australian office. Do I need to worry about GDPR?
A: Maybe. It does not matter where your personal data is processed if you have an establishment in the EEA. The important question is whether the processing is inextricably linked to the activities of your EEA establishment. For example, the GDPR will apply if your sales office in the EEA is developing a marketing campaign based on the personal data processed in your Australian office.
Q: My business has a branch in Italy (or somewhere within the EEA), but I am engaging a separate organisation in Australia to process my personal data. Do I need to worry about GDPR?
A: Maybe. Again, this comes down to whether the processing activity is "inextricably" linked to the activities of your EEA establishment. Simply opting for a non-EEA entity to process your personal data does not take you out of the GDPR’s scope.
Q: I am an Australian data analytics business and we happen to have a branch in Denmark (or somewhere within the EEA). If we are engaged by a customer in China (or somewhere outside the EEA) to process data on its behalf, does the GDPR apply?
A: Yes, if the data processing is "inextricably" linked to the activities of your EEA establishment. In such a case, you will need to comply with the obligations applicable to a “processor” under the GDPR (we will post more information on processors in a later article).
Q: My business has no establishment in the EEA, but it plans to engage a German data analytics firm (or a data analytics firm somewhere within the EEA) to process its personal data. Does GDPR now apply to my business?
A: No. The GDPR would not capture your business only because it has opted for an EEA entity to process its personal data.
Q: My business has no establishment in the EEA, but a Norwegian entity (or some other entity within the EEA) wants to engage my business to process its data. Does the GDPR apply to my business if it proceeds with the engagement?
A: No, not directly by law, but it may apply indirectly through contract. While the GDPR may not apply to your business simply because your customer is in the EEA, in practice, your business is likely to be bound by a number of contractual obligations imposed on it by the EEA customer as part of the EEA customer's own GDPR compliance.
If your business processes personal data but doesn't have an "establishment" in the EEA, it might still be regulated by the GDPR if it is considered to "monitor" or "target" people in the EEA. We will explore this concept in the next GDPR article.
Note: This article is of a general overview nature only and is not legal advice or tailored to the circumstances of your business' situation, nor does it account for all of the detailed rules arising from the GDPR.
Comments