No one could have predicted what was on the horizon as we entered 2020. The COVID-19 pandemic has had a sudden and profound impact on investment decisions all over the world, including Poland. The future economic recovery is not going to be a simple return to "business as usual", and environmentally destructive investment patterns and activity should be avoided. The future economic recovery will need to be designed as "building back better", and compliance with the regulatory regimes will be at the top of the agenda.
As we now enter 2021, it is worthwhile to check whether your business in the EU (or with EU countries) has to comply with the European rules under the General Data Protection Regulation (GDPR). The answer is not obvious, and it requires a proper analysis in each case, taking into account the processing activities. The GDPR was introduced two years ago, but many businesses have not implemented it yet, and this could be a real problem for them in Poland, as the fines here are substantial. One of the first things to do is to check the territorial scope.
The territorial scope of the GDPR is set out in Article 3 of the legislation. The provisions are intended to ensure comprehensive protection of data subjects' rights and this is the main objective of this legislation. What it means for companies operating internationally is that they should conduct careful assessments of whether the GDPR applies to their processing activities.
Article 3 of the GDPR sets out the two basic limbs of the territorial scope. The first is where data processing activities are conducted by organisations (controller or processor) established in the EU, a principle well established under European case law. The second limb is new and extends the territorial reach to two types of business activities, i.e. data processing activities relating to:
- offering of goods or services (even if for free) to data subjects situated in the EU (not restricted to EU citizens); and
- monitoring of the behaviour of such data subjects.
Businesses that are established in the EU plainly fall under the terms of the GDPR, in the same way that they currently fall within the remit of the Data Protection Directive.
Businesses outside of the EU also fall under the terms of the GDPR if they offer goods or services in the EU or monitor the behaviour of EU citizens, irrespective of whether they have a presence in Europe. So, for instance, if a Japanese company is offering its services to clients in Poland and this involves some data processing activities, it should abide by GDPR rules such as data minimisation, security, integrity and confidentiality of data, transparency of data processing and protection of the rights of individuals.
Article 3 of the GDPR states as follows:
1. Art. 3(1): the Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not.
2. Art. 3(2): the Regulation applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to:
- (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or
- (b) the monitoring of their behaviour as far as their behaviour takes place within the EU.
3. Art. 3(3): the Regulation applies to the processing of personal data by a controller not established in the EU, but in a place where Member State law applies by virtue of public international law.
As we can see, the territorial scope of the GDPR is extensive. It is not limited to the EU's internal borders, as recognized by the general territoriality clause related to the EU Treaties; it may go well beyond this scope. This means that controllers that are established outside the EU should be obliged to abide by the GDPR, as far as there is a direct connection with the EU.