A hat-tip to Claire Walker and Shona Kerr for their SCL article on the above question: "Location, Location … Guidance on Applicable Law in International Data Processing Scenarios" (cheap annual subscription applies).
The "guidance" referred to is the Opinion of the EU's Article 29 Data Protection Working Party of national data protection regulators. And, naturally, the answer to the above question is that "it depends".
In essence, the factors for businesses to consider are whether you are the data controller or processor, and whether you have an "establishment" in a given EU Member State and/or are sufficiently involved in processing personal data through "equipment" or some means of processing located in that country. There are helpful detailed examples in the Opinion, but ultimately it's a question of fact and degree that will benefit from discussion with the operational or IT staff who know what's actually going on. Guidance is also given on supervision and enforcement.
This sort of analysis is not exclusive to the law on personal data protection - many local laws and regulations may apply to your cross-border activities in another country, even if you don't operate a physical point of sale there (direct and indirect taxes being critical examples). But it's a useful illustration of the type of issues facing anyone operating on a cross-border basis.