Exam CIPP-E topic 1 question 99 discussion

article 2.2.a states: This Regulation does not apply to the processing of personal data: in the course of an activity which falls outside the scope of Union law; D is the option that does not process personal data from EU members or is done by controllers of processors related to EU

D. A North American company servicing customers in South Africa that uses a cloud storage system made by a European company: The GDPR does not apply to this company because it is not processing personal data of individuals in the EU, nor does it have an establishment in the EU. The use of a cloud storage system made by a European company does not bring the North American company within the scope of the GDPR.

The best answer is clearly D. The problem with B is that it's unclear if that Australian company processes EU citizen data, but it probably has employees, and there must be a reason its HQ is in the EU. D is a clear-cut case.

D is the correct answer

D is the correct answer, For clarification, see Example 7 in the 2018 Guidelines on Territorial Scope of the GDPR: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf Specifically: If a controller does not target EU market, and does not have establishments in the EU, the GDPR does not apply to it. Although the GDPR does apply to the processor, and they need to fulfill any regulations regarding its processing activities, this question is about the controller and *not* the processor.

based on the information provided, option B is the most likely to be exempt from complying with the GDPR, as long as the company only stores customer data in Australia and is not established in the EU.