How the General Data Protection Regulation applies to New Zealand organisations

Does the GDPR apply to New Zealand organisations? As the GDPR deadline of May 25th 2018 draws closer, this is a question that many New Zealand organisations are probably asking themselves.

Luckily, GDPR Article 3, which describes ‘Territorial Scope’ and is what defines whether a New Zealand organisation is required to conform with the GDPR, provides a concise answer in Paragraph 2:
“A New Zealand organisation is subject to the GDPR if it processes personal data of EU Data Subjects because it is offering goods or services to those EU Data Subjects, or because it is monitoring the behaviour of those EU Data Subjects.”
Or, if you would prefer to read the official paragraph:

“This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b) the monitoring of their behaviour as far as their behaviour takes place within the Union”

However, this definition contains several specific terms, which give rise to further questions (that you may be asking yourself already), such as:

  • “Who are Data Subjects in the Union?”,
  • “What is the difference between a Data Controller and a Data Processor?”,
  • “What counts as ‘offering’ goods or services?”,
  • “What does ‘monitoring’ mean?”.

This blog post will help to answer these questions, and at the end we will analyse some business examples.

Who are Data Subjects in the Union?

Short Answer: A Data Subject is any individual physically in the European Union, regardless of nationality or place of residence.

Rationale: The GDPR Recital 14 helps to answer this question. It states:

“The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.”

Personal data is described as any information relating to an identifiable natural person. This is similar to the New Zealand Privacy Act’s definition of personal data referring to a ‘living person’.

This suggests that the GDPR is designed to protect all personal data, not just the personal data of EU citizens or residents, so long as the information is being processed in respect of a product or service being provided in the EU. This is important to understand, as it means that the GDPR could also apply to the data of a tourist or visitor to the EU.

However, it’s important to note that this isn’t clearly outlined by the GDPR itself, and this answer is based on interpretation.

Refer to the below links for a more thorough analysis on the subject:

https://www.linkedin.com/pulse/gdpr-does-apply-eu-citizens-gregory-albertyn/
https://cybercounsel.co.uk/data-subjects/

What is the difference between a Data Controller and a Data Processor?

The difference between Data Controllers and Data Processors is clearly defined in the GDPR.

Plain English Definitions

Data Controller: A Data Controller is an entity that decides why personal data needs to be processed, what personal data needs to be processed, and the required methods of processing.

Data Processor: A Data Processor is any entity which processes personal data on behalf of the Data Controller.

Processing: Processing covers any operations performed on personal data, by automated or non-automated means. This includes: “collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure or destruction”.

Legal Definitions

The GDPR Article 4 Section 7 defines a Controller as:

“‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”

Article 4 Section 8 defines a Processor as:

“‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.

Article 4 Section 2 defines Processing as:

“‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”

These definitions are sufficient to cover the aims of this blog post, but further analysis will be required in order to discuss organisation responsibilities and requirements, and the complex business relationships that will need to be built between Controllers and Processors.

What is defined as ‘offering Goods or Services’?

A New Zealand organisation is seen as offering goods or services to Data Subjects in the EU if it is apparent that it ‘envisages’ offering goods or services to those Data Subjects.

How is this decided? Various factors (outlined in the GDPR Recital 23) could be taken into account, such as the organisation:

  • Offering EU language options that facilitate the ordering of goods or services (discounting English for English-speaking countries), such as French, German, Italian, etc.
  • Offering the use of European currencies to purchase goods or services.
  • Mentioning customers or users who are in the Union.

Other factors (not outlined in the Recital) could be things such as:

  • Offering shipping to the EU
  • Having nation specific domains (.fr, .co.uk etc.)

This is outlined in the GDPR Recital 23, which reads:

“In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”

What is defined as ‘Monitoring’?

The GDPR Recital 24 defines ‘Monitoring’ as:

“In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”

To summarise, a NZ organisation may be seen to be monitoring the behaviour of EU Data Subjects if it:

  • Track natural persons (Data Subjects in the EU) on the internet
  • Use data processing techniques to develop profiles or monitor behaviour (e.g., this could be done for targeted advertising campaigns).

Examples

To make this blog post slightly more helpful (and digestible), here are some simple examples of organisations that may or may not be subject to the GDPR, along with some analysis and explanations of the answers.

Example 1

A European tourist comes to New Zealand for a holiday and rents a car from a NZ car rental company. Does the GDPR apply to the NZ company?

Answer: No. The service is not being offered in the EU; the rental car will be used in New Zealand. While the Data Subject might be from the EU, they are not ‘in the EU’.

(Credit card information may be transferred from the EU to NZ and processed in order to complete the transaction, but this transaction will likely be between financial institutions, and not between the car rental company and the tourist.)

Example 2

A New Zealand tourist goes to Europe for a holiday and rents a car from a European company. Does the GDPR apply to the European company?

Answer: Yes. The service is being offered in the EU. The Data Subject being from New Zealand is irrelevant.

Example 3

A New Zealand tourist in Europe buys an item from a New Zealand e-commerce company, and has it shipped to their hotel in Europe. Is the New Zealand company subject to the GDPR?

Answer: Yes. The service is being offered in the EU. The Data Subject being from New Zealand is irrelevant.

Example 4

A European company collects personal data from Data Subjects in the EU, and transfers it to a New Zealand partner to store. Is the New Zealand partner subject to the GDPR?

Answer: Yes. The New Zealand company is acting as a Data Processor for the Data Controller and is subject to the GDPR.

Conclusion

GDPR will be in force within a couple of months and will likely impact New Zealand service providers that have customers and services in the EU. Axenic has developed a specific Privacy Impact Assessment offering to guide you through meeting your obligations under GDPR. Contact us on enquires@axenic.co.nz if you’d like to have a chat about how we can help.