The "Location of Individual who Processes Data" factor is used to determine the applicability of data protection laws by extending their reach to individuals who are physically present within a jurisdiction, even if they are not ordinarily resident there. This factor ensures that the processing of personal data within the territory, regardless of where the data subject is located, is subject to local data protection regulations.

Provision Examples:

Privacy Act 2020 Art.4(1)(c)(i) (New Zealand):

"(1)  This Act (except section 212) applies to—(c)  an individual (C) who is not ordinarily resident in New Zealand, in relation to any action taken by C in respect of (i)  personal information collected by C while present in New Zealand, regardless of where the information is subsequently held by C or where the individual to whom the information relates is, or was, located."

Privacy Act 2020 Art.4(1)(c)(ii) (New Zealand):

"(1)  This Act (except section 212) applies to—(c)  an individual (C) who is not ordinarily resident in New Zealand, in relation to any action taken by C in respect of (ii)  personal information held by C while present in New Zealand (but not collected by C while present in New Zealand), regardless of where the individual to whom the information relates is, or was, located."

Federal PDPL Art.2(1)(a) (UAE Mainland):

"1. The provisions of this Decree Law shall apply to the Processing of Personal Data, whether totally or partially, through automatically operated electronic systems or other means, by: (a. any Data Subject who resides or has a place of business in the State."

Description

The "Location of Individual who Processes Data" factor is designed to bring the data processing activities of individuals who are temporarily within a jurisdiction under the purview of local data protection laws, even if these individuals are not permanent residents. This approach is particularly relevant in a globalized world where individuals may travel frequently or temporarily reside in different jurisdictions while processing personal data.

For instance, New Zealand's Privacy Act 2020 explicitly extends its application to individuals who are not ordinarily resident in the country but who collect or hold personal data while present in New Zealand. As outlined in Privacy Act 2020 Art.4(1)(c)(i), the law applies to personal data collected by such individuals during their stay in New Zealand, regardless of where the data is stored afterward or where the data subject is located. This provision ensures that data protection standards are maintained even when the data processor is only temporarily in the country.

Similarly, Privacy Act 2020 Art.4(1)(c)(ii) applies the law to personal information held by individuals while they are in New Zealand, even if the data was not collected there. This provision extends the reach of New Zealand’s data protection law to cover situations where data processors may bring data into the country and process it locally, thereby ensuring that such activities are subject to local regulations.

The UAE’s Federal PDPL takes a slightly different approach by applying the law to any data subject who resides or has a place of business in the state, as seen in Federal PDPL Art.2(1)(a). This broadens the scope to include both residents and individuals with business operations in the UAE, ensuring that their data processing activities are covered by the local law regardless of their usual residence.

The commonality across these provisions is the focus on the physical presence of the data processor within the jurisdiction, regardless of their residency status or the location of the data subject. This reflects an understanding that the physical location of data processing can have significant implications for data protection and privacy.

Implications

The "Location of Individual who Processes Data" factor can significantly extend the applicability of data protection laws, making them relevant to individuals who might not ordinarily be subject to the jurisdiction's laws. For businesses, this means that data processing activities conducted by employees, contractors, or third-party service providers who are temporarily within a jurisdiction could bring those activities under local data protection regulations.

For example, a multinational company with employees traveling to New Zealand would need to ensure that any personal data these employees collect or process while in New Zealand complies with the local Privacy Act, even if the data is stored or processed elsewhere afterward. Similarly, a business with operations in the UAE must be aware that the Federal PDPL applies to all data processing activities conducted by individuals residing or having a place of business in the UAE.

This factor creates a need for companies to implement compliance measures that account for the physical location of data processors, particularly in cases where employees or contractors might travel across borders. It also underscores the importance of understanding local data protection laws in every jurisdiction where data processing might occur, even temporarily.