EU General Data Protection Regulation: Applicability to the Middle East

Under certain circumstances, the territorial provisions of the General Data Protection Regulations (GDPR) will ‘catch’ and apply to organisations in the Middle East even if those organisations do not have any branches or subsidiaries in Europe. When does this occur and what are the implications?

In November 2018 the European Data Protection Board (EDPB) (the EU body that works to ensure that the data protection law is applied consistently across the EU) issued guidance clarifying in what circumstances the GDPR would apply to organisations outside the EU.

Set out below is a non-exhaustive list of factors that can assist Middle East organisations in determining whether the GDPR applies to them. Importantly, although neither the GDPR nor the EDPB guidelines state how these factors should be weighted, they do indicate that all of them should be taken into consideration.

Middle East organisations that determine that they are not subject to the GDPR based on the factor below would nonetheless do well to document the rationale for this decision. Should an EU regulator ever come knocking on foot of a complaint from an individual in Europe, the organisation will be able to demonstrate that it recognised the importance of the GDPR but systematically determined why it was not subject to the GDPR.

Do you have an establishment in the EU that is processing personal data on your behalf?

Middle East organisation will need to consider whether it partners with any third party to advertise its services, find customers, or perform any other of its operations in Europe.

Targeting EU users with advertising campaigns?

Actively advertising can include attending trade shows, running online ads, email campaigns, working with European PR agencies to publish articles, or being part of an affiliate network that targets European audiences.

Do you personalise your goods or services for EU customers?

If a Middle East organisation translates its services/goods/website into EU languages; has a EU top-level website domain; delivers goods to Europe; mentions European customers and use cases; allows customers to purchase its goods/services in EU currency; provides EU contact details (e.g. a phone number), the GDPR may apply.

Monitoring European users

The notion of monitoring under the GDPR asks whether a Middle East organisation tracks users on the internet in order to create profiles used to take decisions to analyse/predict preferences, behaviours or attitudes (e.g. through the use of website cookies).

A software company
A cosmetics company
An Omani company

A software company

A software company with head office in Dubai has a fully-owned branch and office located in Portugal overseeing all its EU operations, including marketing and advertising. The Portuguese branch could be considered to be a stable relationship with the Dubai headquarters, which exercises regular and systematic business activities on behalf of the Dubai manufacturing company.

The Portuguese branch could be considered to be an establishment in the EU. Therefore the GDPR would apply to the Portuguese branch and the Dubai headquarters.

A cosmetics company

A cosmetics company based in Ireland moves all its personal data processing activities relating to clinical trial data in its branch based in Abu Dhabi. According to the company structure, the Abu Dhabi facility not a legally separate entity and the Irish company decides what, why and how personal data will be collected and used by the Abu Dhabi facility branch on its behalf.

Even though the data processing activities are taking place in Abu Dhabi, that processing is carried out for and on behalf of the pharmaceutical company in Ireland. The GDPR therefore applies to the Abu Dhabi facility.

An Omani company

An Omani company contracts a Finnish company to process personal data on its behalf, which is sent to Finland from Oman. The Omani company offers and directs its services exclusively at the Middle East market and its processing exclusively concerns people located outside in the Middle East. No services are directed at people in the EU, nor it does track people online (via cookies etc.).

The processing by the Omani company is not subject to the GDPR. The Finnish company, being based in the EU, is subject to the GDPR for any data processing carried as part of its business activities.

Do you have an establishment in the EU that is processing personal data on your behalf?

Targeting EU users with advertising campaigns?

Do you personalise your goods or services for EU customers?

Monitoring European users

A software company

Download to find out more EU GDPR: Applicability to the Middle East

Contact us