If you offer goods or services in the European Union or monitor the behavior of consumers/ individuals in the European Union, the GDPR applies to you.
Supply of goods or services in the EU According to Art. 3 paragraph 2 item l. GDPR, the processing of personal data relating to the supply of goods or services in the EU, irrespective of whether a fee is required, falls within the territorial scope of the application of GDPR. In order to determine whether these goods or services are directed to the EU market, it should be determined whether the controller or processor specifically envisages the provision of goods or services in one or more EU Member States.
For example, it does not mean that an Australian company offers its products or services in Ireland just because its website is available in English. The company must intend to address European consumers. The right to the availability of a website is not enough to establish such intentions. Indicators for targeting individuals from the EU can be, for example, the use of a language commonly used in one or more EU Member States; acceptance of currency (in particular, euro); referring to consumers or customers from Europe; possibility of delivery to one or more Member States; the domain name of a website that refers to one or more EU Member States.
For example, imagine a Serbian company registered in the Republic of Serbia that runs an online store. The company does not have a representative office abroad, and the online store is available in Serbian and English. The company stores customer information. Payments are made in dinars and in euros, and deliveries are possible for Spain, Denmark, France and Italy. If clients from those EU countries go to the company's website, they are redirected from the "Kompanija.rs" domain to " Kompanija.com/es", " Kompanija.com/dn", etc. ie. if, for example, the user chooses France, the website appears in French, and the domain name changes from "Kompanija.com" to "Kompanija.com/fr". In this example, a separate domain name for European customers, the ability to pay in euros and the ability to deliver to certain EU Member States leads to the conclusion that the Company offers its goods/ services to EU customers, which means that GDPR is applied.
Monitoring consumer behavior in the EU According to Article 3, paragraph 2, point b. of the GDPR, the processing of data relating to the monitoring of consumer behavior in the EU, as long as their behavior is within the Union, it falls within the scope of the application of GDPR. In order to determine whether behavior is qualified as a "monitoring" in accordance with this article, it is necessary to determine whether individuals are tracked on the Internet, including the potential subsequent use of personal data processing techniques that comprise the profiling of an individual.
It should be noted that, even without cookies, the search engine can allow website providers to identify users and monitor their behavior: each browser inevitably transmits a set of data when accessing a web page to enable the optimized display of the specified website. This data allows the service provider to generate a single browser that can, in combination with additional information such as an IP address, identify the user when he re-accesses the said web page.
For example, imagine a Chinese company located in China and selling products for home use online. Products can only be paid in US dollars, and no delivery to Europe is offered. However, the company wants to analyze the European market because it is considering expanding its business. Anyone who accesses the website must accept the use of cookies, and the Company analyzes IP geolocation data to determine the country where the user is located. The company processes the information obtained to find out how many European customers from which EU Member States visited the website and what they are mostly interested in. In this example, the Company uses web tracking to analyze the wishes of buyers who are in the EU, which means that GDPR is applied.
Retrived from: GDPR Solutions
