
Does GDPR Apply to EU Citizens Outside the EU?

Paige Harris Feb 1, 2023 8:00:00 AM


The GDPR (General Data Protection Regulation) is the primary data protection regulation in the EU, and it governs how companies process European Union citizens’ personal data. It applies to all member states of the EU and countries in the EEA.

The regulation also has effect outside EU territory: it safeguards the personal information of EU residents and citizens and affects every company that processes that personal data, whether or not the company is located outside the EU.


Does GDPR apply outside the EU?

Yes, the GDPR applies outside the EU, but only under specific circumstances. The GDPR safeguards the personal data of EU citizens and residents even when it is transferred beyond the EU's borders. This means the regulation applies to all EU-based and non-EU companies that process the personal data of European residents and citizens.

An example would be an organization in the United States that gathers data from EU citizens. The legal obligation applies to that organization as if its head office were in the EU, even though it has no office in any European Union country. In other words, if the company offers goods or services to EU citizens, or tracks the behavior of consumers within the EU, it must comply with the GDPR.



Does GDPR Apply to Companies Outside the EU?

Article 3(2) of the GDPR states that it applies to companies outside the EU if they offer goods or services to EU residents or monitor the online behavior of EU citizens.

Let us discuss both cases:


Offering goods and services outside of the EU

Article 3(2)(a) specifies that if a company outside the EU provides goods or services to EU citizens, that company falls under the scope of the GDPR. For example, suppose a Chicago-based clothing company sells its clothes to EU citizens.

When EU citizens order items on its website, the GDPR applies to this company because the website collects and processes the personal data of EU citizens. In a nutshell, the GDPR is meant to protect EU citizens' online data.


Monitoring the online behavior of EU citizens

Article 3(2)(b) applies when a data controller monitors the behavior of data subjects within the Union. Here, monitoring means that the controller has a particular purpose for collecting and using behavioral data. It may cover a wide range of activities, such as:

  • Regular monitoring of, or reporting on, a data subject's health status
  • Behavioral advertising
  • Market surveys and other behavioral studies based on individual profiles
  • Geo-localization activities, particularly for marketing purposes
  • CCTV
  • Using cookies or other tracking techniques, such as fingerprinting, to track online activities
  • Personalized diet and health analytics services offered online


Cyber security content marketer Roy Sarker further explains how GDPR applies to companies outside the EU.

He says, “yes, GDPR applies to companies outside the EU in two ways:

- They need to comply if they have customers in the EU

- They need to comply if they have data centers in the EU

Even if the above doesn't apply, sometimes companies will spend the effort on GDPR compliance for future growth into the EU.

Every company I've worked for had some level of GDPR compliance program, even though they were North America based, because of customers in the EU.”


Examples of General Data Protection Regulation Compliance Outside the European Union


Here are a few examples of data processing by non-EU companies and whether they’re subject to the General Data Protection Regulation.


Example One: A restaurant in Cairo, Egypt, has a website that enables customers to use its takeaway service or book a table. European Union holidaymakers often visit this restaurant and enjoy the food there. Here, the GDPR doesn’t apply because the restaurant targets local customers.

Example Two: A software company in Sydney, Australia, has built a tourist app that monitors users’ locations and suggests nearby points of interest. The app has options for tourists in Rome, London, Paris, and Sydney. The GDPR applies because this app is used by people in the European Union, whether they are visiting from elsewhere or are local.


Example Three: A Canadian citizen is on a business trip to Paris. While in Paris, they download a workout app from a company in their hometown. The GDPR doesn’t apply in this scenario, even though the person was in the EU when their personal information was collected. For the GDPR to apply, the goods, services, or tracking must target people in the EU. Unlike the second example, where the software company assumes that people in the European Union will use its service, there is no such targeting here: the workout app is designed mainly for people living in Canada, even though Canadian citizens may also use it while in the EU.


Does GDPR apply to European Union citizens abroad?

Many non-EU companies argue that they have no means of knowing whether a data subject is protected by the General Data Protection Regulation, especially if the person visits the organization in person or otherwise says they live locally.

Luckily, a data subject’s current location overrides their citizenship when establishing if GDPR applies. Thus, the GDPR doesn't apply to EU citizens and residents living or holidaying outside the EU.

If an EU citizen is outside the EU, they’re subject to the laws of the country they’re in. However, if they’re in European Union territory and provide their personal information remotely (over the phone or online), the GDPR protects them.


Rights of European Citizens Under the GDPR

The GDPR grants European citizens eight rights. Among them, it gives individuals the right to be informed about how their data is collected and used, which results in various information obligations for controllers.

The eight rights of European citizens under the GDPR are:


  1. The Right to Information: Under the GDPR, individuals have the right to be informed about how companies process their personal data.

  2. The Right of Access: Data subjects can obtain the personal data held about them.

  3. The Right to Rectification: Individuals can ask for incomplete data to be completed and inaccurate data to be corrected.

  4. The Right to Erasure: Also known as the right to be forgotten. Citizens can request that their data be permanently deleted if it is no longer needed or is being processed unlawfully.

  5. The Right to Restriction of Processing: Individuals have the right to temporarily restrict the processing of their personal data under certain conditions.

  6. The Right to Data Portability: Data subjects can request their data from the data controller in a machine-readable format and send it to another controller or use it for their own needs.

  7. The Right to Object: Individuals can object to data processing in specific circumstances, such as marketing, research, or public interest tasks.

  8. The Right to Avoid Automated Decision-Making: Data subjects have the right to demand human intervention instead of purely automated processing. Companies must disclose to individuals that they will use algorithmic decision-making and inform them how to opt out of it.


What Countries Does the GDPR Cover?

GDPR covers all 27 European Union countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.

It also covers the European Economic Area countries. The EEA countries are Liechtenstein, Iceland, and Norway.

As the UK is no longer part of the EU, it follows a new law, the UK-GDPR, that is similar to the GDPR. The UK has adopted the entire structure of the EU GDPR into its legislation, with some changes to the rules on national security, intelligence services, and immigration. The UK-GDPR came into effect on 20 January 2020.

Albania, Belarus, Bosnia and Herzegovina, Croatia, Kosovo, Moldova, Montenegro, North Macedonia, Russia, Serbia, Turkey, and Ukraine are part of Europe, but they have not adopted the GDPR. However, they are bound to follow the GDPR if any of their companies collect data from EU member countries.


Final Thoughts

GDPR is specifically designed to protect the personal information of EU citizens and residents. Therefore, it only applies to EU citizens and residents inside the EU. However, it also applies to all companies that process the personal data of EU citizens, regardless of whether or not a company is based in the EU.





Paige Harris

Paige is the growth marketing lead at Enzuzo and host of The Living Lab podcast.
