In order to establish if a company is subjected to the European Regulation on Privacy, it is necessary to know its establishments and its internal organization (art. 3).
GDPR states that the Regulation does apply to a company when it has:
- An establishment in the EU if the data processing concerns the activity developed in the establishment. In this case neither the nationality of the person concerned by the processing nor the offer in the EU of goods and services do matter; or
- An establishment out the EU which pursues an activity (for example of monitoring or of profiling) or an offer of goods and services in the EU, addressed to people being, even temporarily, in the EU. The nationality of the latter does not matter.
It is important to consider that, in accordance with the Regulation, with “establishment” is also intended the presence of a representative in the EU or the pursuing of some activities, as the tracking of consumers, in the EU (Google Spain C-131/12; Weltimmo C-230/14)
Having a website accessible in the EU or a server in the EU it not considered as an “establishment”.
The location of a server and of the structure which processes data (the so-called equipment) is irrelevant for the purpose of the application of the Regulation.