EU: Offering Goods and Services to Data Subjects in Jurisdiction
The "offering of goods or services to data subjects in the Union" is a key factor used to determine the applicability of the EU General Data Protection Regulation (GDPR) to controllers and processors not established in the EU.
Text of relevant provision
GDPR Article 3(2)(a) states:
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
Analysis of provisions
This provision extends the GDPR's territorial scope to non-EU entities that offer goods or services to individuals in the EU. Several key aspects are worth noting:
- It applies to "data subjects who are in the Union", regardless of their citizenship or residency status.
- The offering can be of either goods or services, and does not require payment.
- The processing must be "related to" the offering, implying a connection between the data processing and the targeting of EU individuals.
Recital 23 provides further guidance on determining whether a non-EU entity is offering goods or services to EU data subjects:
"Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union."
This indicates that merely having a website accessible in the EU is not enough. There must be a clear intention to target EU individuals, as evidenced by factors like language, currency, or explicit mentions of EU customers.
Implications
This factor significantly extends the GDPR's reach to non-EU businesses targeting the EU market. Key implications include:
- Global scope: Companies worldwide must consider GDPR compliance if they offer goods or services to EU individuals, even without a physical EU presence.
- Online businesses: E-commerce sites, SaaS providers, and other online services must carefully assess whether they are "targeting" EU customers.
- Intentionality matters: Passive availability is not enough; there must be a clear intention to offer goods or services to EU individuals.
- Case-by-case analysis: Determining applicability requires examining specific factors like language, currency, and marketing practices.
- Compliance burden: Non-EU entities falling under this provision must fully comply with GDPR, including appointing an EU representative in most cases.
Examples:
- A US-based online retailer that offers shipping to EU countries and displays prices in euros would likely be subject to GDPR.
- A Chinese mobile app available globally but not specifically marketed to EU users and only displaying prices in yuan might not be subject to GDPR under this provision.