GDPR - Identification of PII
Recital - 22.
Processing by an Establishment
Executive Summary
GDPR applies to data related to persons or activities which occur within the EEA regardless of where the data is processed, used, or stored.
Recital Text
Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.
Recital - 23.
Applicable to Processors not Established in the Union if Data Subjects within the Union are Targeted
Executive Summary
GDPR applies to data related to persons or activities which occur within the EEA regardless of where the data is processed, used, or stored.
Quick Wins
If your company offers goods or services in a European language or localization, it is accepted that your business is targeting residents of the EU.
Recital Text
In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
Recital - 24.
Applicable to Processors not Established in the Union if Data Subjects within the Union are Profiled
Executive Summary
GDPR applies to data related to persons or activities which occur within the EEA regardless of where the data is processed, used, or stored.
Quick Wins
Based on this guidance, the following factors (among others) may be strong indications that a non-EU business is offering goods or services to data subjects in the EU and may therefore be subject to the GDPR:
Use of the language of a Member State (if the language is different than the language of the home state);
Use of the currency of a Member State (if the currency is different than the currency of the home state);
Use of a top-level domain name of a Member State;
Mentions of customers based in a Member State; or
Targeted advertising to consumers in a Member State.
Under the second prong of Article 3(2), businesses monitoring the behaviour of individuals in the EU also are subject to the GDPR's requirements. The Recitals specifically contemplate tracking individuals online for purposes of creating profiles, “particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviours and attitudes.”
Recital Text
The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
Recital - 25.
Applicable to Processors Due to International Law
Executive Summary
GDPR applies to data related to persons or activities which occur within the EEA regardless of where the data is processed, used, or stored.
Recital Text
Where Member State law applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.
Executive Summary
Personally Identifiable Information of EU Citizens and those within EU territories that is processed, used or stored shall be identified. The location of the data should be tracked at all times and ownership of the data should be maintained. This includes any third parties performing processing or storage.