May 25, 2018, is around the corner, and many people (including privacy professionals) are anxious and doubtful about certain enforcement aspects that the General Data Protection Regulation (GDPR) will bring with it as soon as it becomes applicable, as provided by its Article 99.2.
One of the many changes that the GDPR introduces is its territorial scope rules. These rules will make the GDPR one of the most impactful European laws in recent years, and they will oblige certain companies to rethink the way they devote time, effort and money to data protection compliance.
Article 3.2 of the GDPR has a lot of history, but let's just say that, when it was approved, the European Union (EU) was ready and determined to make one thing clear: we will protect the personal data of data subjects who are in the Union from whoever processes it, regardless of where in the world such processing occurs. We should not forget what the EU legislator said in recitals 23 and 24:
"(23) In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. [...]"
"(24) The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union. [...]"
These clear statements were followed by concrete steps to transform the EU's former data protection legal framework (i.e. Directive 95/46/CE and 28 national data protection laws) into one solid, single set of rules that seeks to provide worldwide protection for the personal data of data subjects who are in the Union.
And now, data controllers all around the world are wondering whether they must comply with the GDPR and how they will do it correctly.
In this space, we can briefly refer to real scenarios happening in Mexico.
Offering of goods and services (GDPR: Article 3.2.a)
Although we had been working with one of our clients since late 2017 to prepare its group of companies for the application of the GDPR, reality knocked at the door sooner than expected.