The year is 2019, end of July. The entire Swiss population is on holiday. Well, not entirely… One law firm populated by indomitable data protection lawyers still holds out against the holidays.
Joke aside, in keeping with the holiday time, we take a look at the territorial scope of the GDPR:
“Does the GDPR accompany you on holidays?”
Or in other words: many people who are normally in the EU are currently outside the EU, for example on a cultural trip to Cuba or a city trip to Zurich. Is the GDPR applicable to the river bar in Zurich, which not only knows the name of every regular guest, but also offers them their favorite drink without being asked?
The short answer is: No, the GDPR does not accompany you on holidays.
The territorial scope of the GDPR covers, on the one hand, companies that have an establishment in the EU. On the other hand, it applies to companies that have a market place in the EU, either by offering goods or services to people in the EU or by observing their behavior.
It is important to note that an establishment does not exist only when a branch or subsidiary is established in the EU, but already in case of effective and real exercise of activity through “stable arrangements”, which may already be the case, for example, with a comprehensively empowered external sales agent.
Moreover, the observation of behavior only leads to the applicability of the GDPR if it concerns their behavior within the EU – i.e. not if they are on holiday.
In particular – and this is often misunderstood – it is not the case that the applicability is linked to the status as an EU citizen, i.e. that the GDPR is applicable outside the EU only because a company processes personal data of EU citizens. If the company in question neither has an establishment in the EU nor makes a targeted (in the words of the GDPR: “apparently envisaged”) offer to people in the EU and does not observe their behavior within the EU, it does not fall within the territorial scope of the GDPR.
In short. The barkeeper at the river bar can serve and stare at his EU guests for so long. That still does not lead to the GDPR being applicable.
PS: Conversely, every non-EU tourist on holiday in the EU, such as the American residing in the Hotel Adlon at the Brandenburg Gate, is covered by the GDPR, i.a. since the protection is not linked to the status as an EU citizen.