1 November 2018
The GDPR has a global territorial reach.
Article 3 states that the GDPR applies to the processing of personal data in the context of the activities of an establishment (e.g. office, site) of an organization in the European Economic Area (EEA, which comprises the 28 EU Member States as well as Iceland, Liechtenstein, and Norway), regardless of whether the processing takes place in the EEA or not.
The GDPR also applies to the processing of personal data of data subjects (e.g. research participants) situated in the EEA by a person or organization not established in the EEA, where the processing activities are related to:
Subject to a few exceptions, under Article 27, organizations subject to the GDPR’s long-arm jurisdictional reach have to appoint a “representative” in the EEA to act as their Europe-facing point of contact for individuals and local data protection authorities. The representative must be in one of the EEA Member States where the data subjects, whose data are being processed, are situated. If an organization conducts, for example, clinical trials in different Member States at different times, it may need to change its representative from time to time.
Under the “offering goods or services” test, it must be apparent that the organization intends to reach individuals in the EEA, e.g. by targeting them through localized websites that are in an EEA language (not also an international language), that use localized URLs, or that have local examples. This could apply to a university in the US offering genomic testing to people in the EEA via localized websites.
If an organization monitors individuals in the EEA, then it is subject to the GDPR under the second limb. This would apply to data collected via wearables. In this case, the GDPR always applies – there is no need for the organization to be targeting individuals in the EEA.
It remains unclear whether the GDPR will apply in a context where consumers, customers, or research participants of non-EEA-based organizations temporarily reside in the EEA (on holiday, work, or otherwise) and have some of their data (incidental transmissions) collected through digital technology, such as wearables, mobile phones, or other personal electronic devices.
Relevant GDPR Provisions
Edward Dove is a Lecturer in Law at the University of Edinburgh. His primary research interests are in the areas of regulation of biomedical research, research ethics oversight, health-related data access and sharing, and governance of international research collaboration.
Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.