The European Data Protection Board (EDPB, the coordinating body of the EU data protection authorities) has published its initial guidelines on the territorial applicability of the GDPR providing helpful examples.It is important to note that the guidelines are open for consultation and therefore not the final version.
The guidelines will be crucial for our clients outside the EU/EEA to determine whether the GDPR applies to them, and particularly whether any of their activities could be considered offering goods and services to EU residents (which makes the GDPR applicable). The guidelines include a particle example of a Swiss university (example 14). As described in our GDPR white paper, our GDPR approach assumed that our clients outside the EU/EEA may be in scope of the GDPR. We implemented the GDPR in a manner that allows us to support our clients outside the EU/EEA with their GDPR compliance requirements.
We will analyse the guidelines in detail and provide any feedback we may have to the EDPB through the Future of Privacy Forum. We also aim to share our analysis once the EDPB has issued their final version of the guidelines.