Mark Pestronk
Mark Pestronk

Q: A consultant has advised me that our agency is not in compliance with the EU's General Data Protection Regulation (GDPR), which went into effect on May 25. We are scrambling to revise our data-security practices and our privacy policy, but, frankly, I am still wondering whether the GDPR even applies to our business at all. In your March 26 Legal Briefs column ("Sorting out the intricacies of the EU's new data-protection rules"), you covered this issue, but could you be more specific? What if we have a general email list with EU residents' names on them? What if we arrange meetings and incentives in the EU with EU participants? What if we have an EU-based corporate account? One more question: If the GDPR doesn't apply to our agency, why would a corporate account require us to sign a Data Processing Addendum (DPA) stating that we must follow the GDPR?

A: Let's start with the exact words of the GDPR's section dealing with companies not based in the EU: "This regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union or the monitoring of their behavior as far as their behavior takes place within the Union."

With respect to the first criterion, the key word is "offering." The drafters of the GDPR and the EU legal experts agree that it means more than merely "soliciting" or "advertising," which is how we in the U.S. would understand the term.

According to an official clarification issued by the EU, the mere accessibility of your website in the EU, merely sending emails to EU residents or the use of a language that is used in your country as well as parts of the EU (i.e., English) are insufficient to constitute "offering."

On the other hand, use of an EU language or currency other than your own, the ability to place orders in that language, EU telephone numbers and references to EU endorsers will tend to be seen as "offering" services to EU residents.

So, in your case, sending the same emails to everyone on your list would clearly not constitute "offering" to EU residents. Taking names and personal data from EU meetings participants would likewise not constitute "offering" services to EU residents.

Because "offering" really means specifically targeting, I am certain that the vast majority of U.S. agencies with some EU clients are not subject to the GDPR.

The GDPR is not a business-to-business regulation, so it does not apply to offering your services to corporations based in the EU or to offers to U.S. clients' subsidiaries in the EU. However, under both the GDPR and prior EU laws, EU companies cannot send personal data to non-EU companies unless the companies enter into a DPA to your travel management agreement.

With respect to the second criterion (monitoring EU residents' behavior), the official clarifications illustrate that the EU means more than merely looking at how people behave. Rather, the term means online tracking of EU residents on other websites in order to predict personal preferences and attitudes for marketing.

So if your agency has the ability to tailor its email offers for safaris to people who researched safaris online at other websites, you are engaging in behavior monitoring within the meaning of the GDPR. If you are just using GPS to follow your agency's tour guide around Europe, you are monitoring behavior but not doing so in order to predict his personal preferences.
JDS Travel News JDS Viewpoints JDS Africa/MI