On 25 May 2018, the GDPR entered into force. This means that from that date, compliance with its provisions is mandatory for natural and legal persons residing or established in the European Union. However, under certain conditions, the GDPR can also apply to natural and legal persons in Serbia.
Given that a breach of the GDPR carries extremely high penalties, if you own a Serbia-based company with an establishment in the EU (the conditions are listed below), it is useful to know when your company is subject to the GDPR.
There are three possible case scenarios under which GDPR may apply to you:
In this blog post, we will focus on the GDPR that applies to data controllers with a presence in Serbia (Case No. 2).
Since the GDPR's provisions are broad, and therefore open to different interpretations, the European Data Protection Board (EDPB) issued Guidelines on the territorial scope of the GDPR in order to clarify, among other things, in which cases the GDPR applies to companies headquartered outside the EU. The Guidelines clarify that the GDPR applies to such companies when their processing of personal data relates to:
- offering goods or services to data subjects who are physically in the EU,
- monitoring of the behavior of data subjects in the EU, as far as their behavior takes place within the EU.
The EDPB also dispels two frequent misconceptions:
- GDPR applies only to data controllers and data processors with the establishment in the EU,
- GDPR always applies to data controllers and data processors that process data of a data subject who is a citizen of one of the EU Member States.
If a controller or a processor established in Serbia processes the data of an EU Member State citizen, that does not by itself trigger application of the GDPR.
As an example, let's take a Serbian IT company that processes the data of French citizens (data subjects who are EU citizens) located in Serbia, for the purpose of offering goods or services on the territory of the Republic of Serbia. Does this company have to comply with the GDPR?
The answer is: NO
Now, let's assume that a Serbian IT company processes the data of a data subject (a citizen of any country) who, at the moment the Serbian IT company offers goods or services, is located on the territory of one of the EU Member States. Does this company have to comply with the GDPR?
The answer is: YES
Therefore, in order for the GDPR to apply to controllers and/or processors based outside the EU, it does not matter whether the processed data belongs to data subjects who hold citizenship or temporary or permanent residence in one of the EU Member States. What matters is that the data subjects are physically located in the European Union.
The European Data Protection Board provides a good example explaining that the GDPR applies to the data of all individuals physically present in the EU.
Regardless of the duration of the "offering of goods or services", it is sufficient for the application of the GDPR to process the personal data of individuals who, at the moment goods or services are offered, are located on the territory of one of the EU Member States, regardless of whether they have paid for those goods or services. In other words, data processing carried out for this purpose, even without a final purchase of the goods or payment for the services, suffices to expose the company to the rigorous penalties prescribed by the GDPR in case of non-compliance.
On the other hand, the mere fact that a data controller or data processor based outside the EU processes the personal data of individuals located in the EU is not, by itself, an adequate basis for applying the provisions of the GDPR. What is necessary is that the purpose of this processing is to offer goods or services to these individuals, or to monitor their behavior within the Union.
But how can one determine whether the data of data subjects located in the EU is processed with the intention of offering goods or services, or in order to monitor the behavior of individuals within the Union?
For this purpose, the EDPB's Guidelines set out criteria that indicate that the data of these data subjects is processed precisely for these reasons.
Where several of the above-mentioned criteria are met, the EDPB holds the opinion that the data of data subjects located within the European Union is processed precisely for the purpose of offering goods or services. In other words, the GDPR applies to such controllers and/or processors.
As an example of when a controller established outside the EU is considered to process the data of individuals located within an EU Member State in order to offer goods or services, the EDPB published the following:
On the other hand, processing the data of EU Member State citizens who are employed by a company in Serbia, for the purpose of paying their salaries, is not considered processing for the purpose of offering goods or services. Hence, such a company is not required to comply with the GDPR.
The European Data Protection Board has also provided an interpretation of when a controller or processor is considered to monitor the behavior of individuals in the EU, as far as that behavior takes place within the Union.
First of all, it should be noted that monitoring involves tracking people via the Internet or profiling them in order to analyze or predict their personal preferences, behaviors, and attitudes.
Monitoring can take the form of:
- advertising based on the person's behavior,
- monitoring of geo-location for marketing purposes,
- personalized diet and health analytics online services,
- market surveys and other behavioral studies based on individual profiles,
- monitoring or regular reporting on an individual's health status.
The European Data Protection Board also gives an example in which a retailer, or a processor, established outside the European Union processes the personal data of data subjects who are in the EU in order to monitor their behavior within the Union.
It should be mentioned that none of these criteria, taken separately, indicates that goods or services are being offered to people who are in the European Union, or that their behavior is being monitored. Nevertheless, a combination of several of these criteria leads to the conclusion that such people are the target group.
If, within your business operations, you conduct any of the following activities:
- process information about data subjects physically present in the European Union in order to offer goods or services, regardless of whether the data subject whose data is being processed has to pay for those goods or services,
- monitor the behavior of these data subjects, as far as their behavior takes place within the EU,
it is necessary to comply with the GDPR procedures in order to avoid paying astronomical fines.
An indicator of how important it is to comply with the GDPR is certainly the decision of the French Data Protection Authority (CNIL) to impose a fine of 50,000,000.00 euros on Google, which we discussed in detail in our news section. This decision should serve as a warning to data controllers and data processors established in Serbia, especially those to whom the GDPR applies, to honor their obligations under the GDPR on time and in full, as non-compliance entails serious sanctions.