According to guidance from the European Data Protection Board, in which of the following cases would a controller established outside of the EU not be subject to the GDPR?
According to guidance from the European Data Protection Board, in which of the following cases would a controller established outside of the EU not be subject to the GDPR?
A controller established outside of the EU is not subject to the GDPR if it uses the services of an EU-based processor without offering goods or services to persons on EU territory or monitoring their behavior. The key criteria for the applicability of the GDPR to a controller outside the EU are whether it is offering goods or services to individuals in the EU or monitoring their behavior within the EU. Simply using an EU-based processor does not trigger the GDPR's applicability if these criteria are not met.
Switzerland is not part of the EU so behavior monitoring of people in Switzerland may only violate local Swiss law but not GDPR