When does GDPR apply to a company not established in the European Union?
The regulation defines its territorial scope in Article 3(2). A company based in Singapore must comply if it engages in either of the following activities:
- Offering goods and services to data subjects in the EU;
- Monitoring the behavior of data subjects in the EU.
While performing these activities, the company must process personal data of the data subjects. You can find simple descriptions of the terms used below.
What is a data subject?
A data subject is a natural person. Companies and other organizations are not considered data subjects under the regulation, but their owners, directors, representatives and employees are. It is important to note that the application of the GDPR is not limited to citizens of EU member states but also extends to residents of the Union. If a Singaporean citizen visits the EU, even if only for tourism, he becomes a data subject for the duration of his stay.
Data subject rights under GDPR
GDPR focuses on the rights of data subjects, and this should be the primary concern of your business regarding compliance with the European data protection regulation. If any negative consequences are to be expected for your company, they will be triggered by reports from data subjects who contact the respective supervisory authority in the EU. It is crucial that you make sure not to violate any of the following data subject rights under GDPR:
- The right of a data subject to access his personal information
- The right of a data subject to request changes of incorrect data
- The right to be forgotten (erasure of personal information)
- Transferability of personal data (the right of a consumer to request his personal data to be presented to him in a machine-readable format)
- The right to object to automatic processing of data
- The right to file a complaint with the relevant supervisory authority
You need to know how data subject rights interact with your rights and legal interests as a business in Singapore. In certain legal circumstances, you are entitled to ignore the data subject rights in order to protect your valid interests or comply with other laws.
Which data is personal?
Personal data is any information which can lead to the identification of an individual. Obvious examples include name, personal identification number and passport data. However, there is other information which is less intuitively associated with personal data: phone number, photo, email address, IP address. Private data also includes information about the private life of an individual – education, work experience, ethnicity, religion and others.
What does processing of personal data mean?
Every activity involving personal data is considered processing. Collection, use, modification and transfer of data are the most common forms of processing.
What constitutes “offering goods and services”?
The case for goods is clear. The service part is more vague. A service is something that your business performs for a customer. It is important to note that it is irrelevant whether payment by the data subject is required. The offer must be targeted at data subjects residing in the EU. If you have a Singaporean customer who goes on a vacation in the EU, this won’t suddenly make him a data subject.
What constitutes “monitoring the behavior of data subjects”?
This mostly applies to various online tools for monitoring the behavior of website users – cookies, geolocation, behavior-based advertising. It implies the collection and further use of behavioral data of a user. The monitored behavior must take place in the EU, but it is safe to assume that as long as you monitor the behavior of a data subject, it does take place in the Union.