Is the EU GDPR about Location or Citizenship?
When does the GDPR apply?
When part of the process takes place inside the EU
(agreement – payment – data collection – delivery)
- All transactions involving EU citizens who are located within the EU, doing business with companies also based in the EU, fall under the GDPR. That is a clear case.
- Non-EU citizens located in the EU, or EU citizens located outside the EU, and whether the product or service is being delivered within the EU or beyond its borders: these combinations produce many different cases.
- The ‘data subject’ is in the EU, providing personal data for a product/service also delivered in the EU. The data subject’s citizenship is irrelevant. The GDPR applies.
  Example: A US citizen on vacation in France orders dinner online from a Paris restaurant.
- The data subject is located in the EU, ordering a product/service for delivery in the EU, but in this case not only is the data subject’s citizenship irrelevant; so, too, is the furniture store’s location. The GDPR applies.
  Example: A US citizen living in France logs onto the website of a furniture store in the US and orders a bookcase, providing their EU address for delivery.
- The data subject is located in the EU and is providing data to order a product/service for delivery in the EU. The fact that it’s a digital product that’s free of charge, and the fact that the software company is located in the US, are irrelevant. The GDPR applies.
  Example: A French citizen living in Rome visits the website of a software company in the US and downloads a free ebook, providing their name, email address, and EU telephone number in the required form.
- The ‘data subject’ is not in the EU, providing personal data for a product/service that is also not delivered in the EU. The data subject’s citizenship is irrelevant. The GDPR does not apply.
  Example: A French man who lives in Egypt and is going to travel to Luxor books directly with Emeco, not through an EU travel agent. The GDPR does not apply, but the Egyptian equivalent law does.