Site Search

Menu

Insights & Media

Menu

Blogs & Articles

Menu

Radio & TV interviews

Featured

27th CEO Survey: Middle East findings

The New Equation

Loading Results

EU General Data Protection Regulation: Applicability to the Middle East

Under certain circumstances, the territorial provisions of the General Data Protection Regulations (GDPR) will ‘catch’ and apply to organisations in the Middle East even if those organisations do not have any branches or subsidiaries in Europe. When does this occur and what are the implications?

In November 2018 the European Data Protection Board (EDPB) (the EU body that works to ensure that the data protection law is applied consistently across the EU) issued guidance clarifying in what circumstances the GDPR would apply to organisations outside the EU.

Set out below is a non-exhaustive list of factors that can assist Middle East organisations in determining whether the GDPR applies to them. Importantly, although neither the GDPR nor the EDPB guidelines state how these factors should be weighted, they do indicate that all of them should be taken into consideration.

Middle East organisations that determine that they are not subject to the GDPR based on the factor below would nonetheless do well to document the rationale for this decision. Should an EU regulator ever come knocking on foot of a complaint from an individual in Europe, the organisation will be able to demonstrate that it recognised the importance of the GDPR but systematically determined why it was not subject to the GDPR.

Do you have an establishment in the EU that is processing personal data on your behalf?

Middle East organisation will need to consider whether it partners with any third party to advertise its services, find customers, or perform any other of its operations in Europe.

Targeting EU users with advertising campaigns?

Actively advertising can include attending trade shows, running online ads, email campaigns, working with European PR agencies to publish articles, or being part of an affiliate network that targets European audiences.

Do you personalise your goods or services for EU customers?

If a Middle East organisation translates its services/goods/website into EU languages; has a EU top-level website domain; delivers goods to Europe; mentions European customers and use cases; allows customers to purchase its goods/services in EU currency; provides EU contact details (e.g. a phone number), the GDPR may apply.

Monitoring European users

The notion of monitoring under the GDPR asks whether a Middle East organisation tracks users on the internet in order to create profiles used to take decisions to analyse/predict preferences, behaviours or attitudes (e.g. through the use of website cookies).

< Back

< Back
[+] Read More

A software company

A software company with head office in Dubai has a fully-owned branch and office located in Portugal overseeing all its EU operations, including marketing and advertising. The Portuguese branch could be considered to be a stable relationship with the Dubai headquarters, which exercises regular and systematic business activities on behalf of the Dubai manufacturing company.

The Portuguese branch could be considered to be an establishment in the EU. Therefore the GDPR would apply to the Portuguese branch and the Dubai headquarters.

A cosmetics company

A cosmetics company based in Ireland moves all its personal data processing activities relating to clinical trial data in its branch based in Abu Dhabi. According to the company structure, the Abu Dhabi facility not a legally separate entity and the Irish company decides what, why and how personal data will be collected and used by the Abu Dhabi facility branch on its behalf.

Even though the data processing activities are taking place in Abu Dhabi, that processing is carried out for and on behalf of the pharmaceutical company in Ireland. The GDPR therefore applies to the Abu Dhabi facility.

An Omani company

An Omani company contracts a Finnish company to process personal data on its behalf, which is sent to Finland from Oman. The Omani company offers and directs its services exclusively at the Middle East market and its processing exclusively concerns people located outside in the Middle East. No services are directed at people in the EU, nor it does track people online (via cookies etc.).

The processing by the Omani company is not subject to the GDPR. The Finnish company, being based in the EU, is subject to the GDPR for any data processing carried as part of its business activities.

Contact us

Richard Chudzynski

Richard Chudzynski

Data Privacy and Protection Legal Leader, PwC Legal Middle East

Tel: +971 56 417 6591

Linkedin Follow Email
Follow us
Issues Navigating data privacy regulations New world. New skills. Responding to the potential business impacts of COVID-19 Doing Business in the Middle East VAT in the Middle East Megatrends Now: The need to ADAPT
Services Assurance and Audit Consulting Deals Entrepreneurial & Private Business PwC's Academy Tax and Legal Strategy&
Industries
Banking and Capital Markets Consumer Markets Energy, Utilities & Resources Financial Services Government/Public Services
Health Industries Industrial Manufacturing Real Estate Transportation and Logistics
About us PwC office locations in the Middle East Our purpose and values Corporate Sustainability Code of conduct Transparency reports Health, Safety and Environment Policy Third party code of conduct PwC’s global human rights statement Alumni
Publications
Careers Graduate & undergraduate careers Experienced careers Opportunities for Omani nationals Opportunities for Saudi nationals PwC's Watani Graduate Programme for UAE Nationals
Media centre Press releases Articles and blog posts TV and radio interviews

© 2017 - 2024 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.