The GDPR extends its ‘territorial scope’, i.e. its scope of application, to controllers and processors having their registered office in a country outside of the EU. Moreover, the GDPR applies to the processing of personal data of individuals residing in the EU, regardless of their nationality (GDPR Art. 3(2)). It is thus irrelevant where the company is located and where the processing takes place, as long as the processed data pertains to individuals residing in the EU. It is also important to remember that the rules apply to both controllers and processors of personal data; e.g. cloud providers will not be exempt from the enforcement of the GDPR.
A non-EU-based company (i.e. without a corporate office in the EU), which intends to offer products, goods or services to ‘data subjects’, i.e. an identified or identifiable natural person, in one or more EU countries, needs to fulfil the requirements stated in the GDPR. Even free services are covered by this regulation.
The same applies to non-EU-based companies that monitor the behaviour of EU residents (e.g. by creating a profile), insofar as that behaviour takes place in the EU. Monitoring includes the tracking of individuals online to create profiles, including where this data is used to make decisions about these individuals or to analyse or predict their personal preferences, behaviours and attitudes. However, the mere accessibility of a company’s website in the EU may not necessarily fall within this scope (GDPR Recital 23).
The EU-based representative serves as the first point of contact with your business for data subjects and the data protection supervisory authorities. In this way, enforcement of the GDPR is to be guaranteed. The designation of the representative shall be without prejudice to legal actions that can be taken against the respective controller or processor.