The GDPR also applies to controllers and processors who are not established in the Union but process the personal data of data subjects who are in the Union. These processing activities relate to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, OR
- the monitoring of data subjects' behaviour as far as their behaviour takes place within the Union
The GDPR also applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
The controller or the processor must designate a representative who shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.
Controllers without any establishment in the EU must deal with local supervisory authorities in every Member State they are active in, through their local representative.
For examples and further clarity, see here
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018