Applies in such situations and, consequently, supports online platforms to deal with GDPR' obligations.
In general terms, from a GDPR perspective:
- Article 3(2)(a), of the GDPR states that the GDPR "applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union";
- Recital 23 of the GDPR clarifies that "In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union”; the recital further specifies that "Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union".
In this regard, the EDPB Guidelines 3/2018 on the territorial scope of the GDPR ("Guidelines") clarify that a "key element to be assessed in determining whether the Article 3(2)(a) targeting criterion can be met is whether the offer of goods or services is directed at a person in the Union, or in other words, whether the conduct on the part of the controller, which determines the means and purposes of processing, demonstrates its intention to offer goods or a services to a data subject located in the Union".
In detail, according to the Guidelines, the mentioned "intention" shall be assessed on a case by case basis, "in order to determine whether the combination of factors relating to the data controller’s commercial activities can together be considered as an offer of goods or services directed at data subjects in the Union".
In this context, the Italian Authority stated that the "intention" that leads to GDPR application to an online platform owned by an entity located outside of the European Union – despite the absence of an establishment in the European Union – can be determined taking into account:
a) The creation of versions of the website specifically aimed at users of one or more Member States;
b) The mention of clients or users located in the European Union.
Moreover, the Italian Authority clarified that the mere availability and accessibility to anyone of articles – specifically, encyclopaedic articles – constitutes the offering of a service to data subjects in the Union, pursuant to the aforementioned Article 3(2)(a) of the GDPR (particularly, in the case at stake, the platform provides services aimed at ensuring the reliability of sources, which can be considered as an "intention" to offer specific services to people in the European Union).
In light of the above, online platforms shall assess in concreto whether the GDPR applies to them, taking into account all elements that could envisage an "intention" to offer services and goods to users located in the European Union.
Authors: Francesco Falco, Chiara Arcidiacono, Livia Lo Dico