
Though the General Data Protection Regulation (GDPR) was adopted in the European Union, it has extraterritorial force and also applies to non-EU companies that meet certain criteria.
The GDPR (i.e. Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) applies to all companies which are based in the European Economic Area (EEA) and process (e.g. collect, store, use, disseminate, etc.) personal data, regardless of whether the data processing takes place in the EEA or not. Note that the EEA includes all the EU countries as well as Norway, Liechtenstein and Iceland.
Moreover, a company which is not based in an EU/EEA country also has to comply with the requirements of the GDPR if it processes personal data of people who are in the EEA and its data processing activities are related to:
It is worth noting that the GDPR applies to the processing of data of individuals who are physically within the territory of any EU/EEA country, irrespective of their citizenship, residence or other legal status in such countries.
Thus, the GDPR applies to non-EU/EEA companies which meet the so-called “targeting criteria”, for instance, if a non-EU/EEA company offers goods or services to people in the EU/EEA (free of charge or for payment), i.e. targets EU/EEA consumers. As enforcement practice shows, it is sufficient for the European data protection authorities to establish that a company intends to offer goods or services to people in the EU/EEA. When assessing such intention, various factors are taken into account, for instance:
For instance, if an online shop based in Switzerland indicates prices in EUR or offers to deliver products to Germany, such an e-commerce business has to comply with GDPR requirements. Sending promotional e-mails to people who live in EU countries is also subject to the GDPR.
Moreover, the GDPR also applies to non-EU/EEA companies which monitor the behaviour of people in the EU/EEA, for instance, where a Swiss company uses web tools on its website that track the cookies or IP addresses of people who visit the website from EU countries and analyse their behaviour.
Examples of monitoring the behaviour of people include, inter alia, behavioural advertising, geo-localisation, online tracking through cookies and other tracking techniques, online health analytics services, etc. Since the EU is the largest trading partner of Switzerland, many Swiss companies meet one of the above-mentioned “targeting criteria” and therefore should comply with the requirements of the GDPR.
A number of countries have their own data protection legislation, for instance, the Federal Act on Data Protection in Switzerland, the Data Protection Act in the United Kingdom, the Law on Personal Data Protection in Ukraine, etc. However, the European General Data Protection Regulation (GDPR) is considered to be the strictest privacy and security law in the world. Non-compliance with the GDPR may entail a number of negative consequences, inter alia, the imposition of a fine of up to 20 million EUR or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (depending on the severity and circumstances of the GDPR violation). Thus, the total worldwide annual turnover of a group of companies can be used to calculate a fine for a GDPR violation committed by one of its companies. Apart from the fine, a company which has violated the GDPR may also face:
As a rule, the GDPR is enforced not only through inspections carried out by the European data protection authorities, but also as a result of the proactive stance of civil society, for instance, through complaints filed with the authorities by customers (including potential ones), dissatisfied employees or associations, as well as through reports in the mass media (e.g. publications by investigative journalists), etc. Thus, there is a high likelihood that any violation of the GDPR will be revealed sooner or later.
In addition, the EU has a number of tools to enforce the GDPR in the territory of non-EU countries, inter alia mutual legal assistance treaties with various countries.
We would recommend that companies, including those based in non-EU countries:
© 2023 Amatin AG