Your company's intention to establish commercial relations with EU customers needs to have manifested in a business activity. The mere accessibility of a website in the EU, the mention on the website of an e-mail or geographical address, or of a telephone number without an international code, does not, of itself, provide sufficient evidence to demonstrate the intention to offer goods or services to EU customers. The EDPB listed the factors to be taken into account when assessing, if goods and services are offered in its Guideline 3/2018 on the territorial scope of GDPR. Some of the factors are:
- using languages of EU Member States or offering payments in a currency of an EU Member State;
- using google or facebook ads to address the EU market or any other marketing activity directed to EU customers;
- mentioning EU references or testimonials;
- the international nature of the activity at issue, such as certain tourist activities;
- mentioning dedicated addresses or phone numbers to be reached from an EU country;
- using of EU top-level domains;
- the description of travel instructions from one or more other EU Member States to the place
where the service is provided;
- offering the delivery of goods in EU Member States;
In a nutshell, if your company has any outbound activity in the EU or if your company enables or guides EU customers to find your company's offer, GDPR is likely to apply.
Case: A website, based and managed in Turkey, offers services for the creation, edition, printing and shipping of personalised family photo albums. The website is available in English, French, Dutch and German and payments can be made in Euros or Sterling. The website indicates that photo albums can only be delivered by post mail in the UK, France, Benelux countries and Germany.
Case: A Swiss University offers summer courses in international relations and specifically advertise this offer in German and Austrian universities in order to maximise the courses’ attendance. In this case, there is a clear intention from the Swiss University to offer such service to data subjects who are in the Union, and the GDPR will apply to the related processing activities.