Most websites have multi-state reach. If you as a website or app owner target data subjects of a particular EU member state, then you must provide your Privacy Policy in the language of the Member State you target, according to the WP29 in point 15 of its Guidelines on transparency (endorsed by the EDPB).
The reason is that, for an end user to understand the words used in a Privacy Policy, the website owner must write it in a country-specific language that the end user understands.
In this blog post we ask: when do you, as a website or app owner, target (or not target) end users in a particular EU Member State?
“Targeting” in the GDPR
Targeting is not defined in the GDPR.
The GDPR uses a somewhat similar concept in a few of its Articles and Recitals regarding:
- the territorial scope of the GDPR
  - Article 3.2(a) by the expression “the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union”.
- the conditions applicable to a child's consent
  - Article 8.1 by the expression “offer of information society services directly to a child”.
- the competence of the supervisory authority
  - Recital 122 of the GDPR says that a supervisory authority can exercise the powers and tasks conferred on it by the GDPR if processing is “affecting data subjects on its territory or processing (is) carried out by a controller or processor not established in the Union when targeting data subjects residing on its territory.”
What does “targeting” by directing mean?
Assessing whether a website targets end users in a particular EU Member State means weighing elements that
- on the one hand, positively permit and accept a relationship in the sphere of a particular State, and,
- on the other hand, negatively prohibit and reject a relationship in the sphere of a particular State.
Recital 23 of the GDPR may here offer some guidance regarding the similar concept used in GDPR Article 3.2(a) by the expression “the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union.”
Recital 23 of the GDPR says that
“(i)n order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.”
Following a similar rationale, one may say that in order to determine whether a website is offering goods or services to end users in a particular Member State, it should be ascertained whether it is apparent that the website owner envisages offering services to end users in that Member State.
Which factors suffice to ascertain such intention?
Let’s look at some factors.
Domain
Should the top-level domain of the website (.com, .org, etc. vs. .no, .de, etc.) be a relevant factor in determining whether it is apparent that the website targets end users of a particular State?
Knowledge of website accessibility
End users in State B know of the website and know that they are allowed access to the website content.
The fact that end users in State B know they have website access is not in itself sufficient to constitute targeting of end users in State B.
Recital 23 of the GDPR may here offer some guidance regarding the similar concept used in GDPR Article 3.2(a) by the expression “the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union.”
Recital 23 of the GDPR says that
“(w)hereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details (...) is insufficient to ascertain such intention (...)”
Website access denied/accepted
Access denied: End users in State A that interact with the website are denied access to the website content.
The website does not target end users in State A.
Access allowed: End users in State B that interact with the website are allowed access to the website content.
Actual website access for end users in State B is not in itself sufficient to constitute targeting of end users in State B.
Geo-blocking: Note that Regulation (EU) 2018/302 of the European Parliament and of the Council of 28 February 2018 prohibits unjustified geo-blocking.
Legal notices: Legal notices may signal permission or prohibition for end users from particular member States to interact with the website.
Invitation
End users in State B that interact with the website have been invited to access and interact with the website content.
For example, the end user has received a personalised email with an invitation to visit the website, or has been targeted on a news site with an ad containing a link to the website.
Contracting denied
End users in State A that interact with the website are not allowed to enter into a contract with the website.
This may indicate that the website does not target end users in State A.
Contracting allowed
End users in State B that interact with the website are allowed to enter into a contract with the website.
Is entering into a contract with end users in State B alone sufficient to constitute targeting of end users in State B?
Or is the existence of a contract only an indication that the website targeted end users in State B?
Language, currency, offering of goods or services, mentioning of customers
Recital 23 of the GDPR may offer some guidance regarding the similar concept used in GDPR Article 3.2(a) by the expression “the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union.”
Recital 23 of the GDPR says that
“(...) the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”
Following a similar rationale, one may say that it is plausible to use the same factors to ascertain whether it is apparent that the website targets end users of a particular State.
Other factors
- geographically limited credit cards
- mention of telephone numbers with an international code
- mention of itineraries from other Member States for going to the place where the trader is established
- Want to add factors? Send me a message!
En garde! Do you target end users in multiple States?
Signatu enables data controllers to generate, tailor and deliver to data subjects Privacy Policies in multiple country-specific languages that meet the information requirements listed in GDPR Articles 13 and 14.
Reach out to us
If you have an interest in Signatu Privacy Policy, please send us an email to hello@signatu.com.