GDPR, what is it all about?
The General Data Protection Regulation (GDPR) is an EU-wide regulation on how businesses and other organisations must handle personal data. It is the most significant data protection reform in 20 years, and it has important implications for any organisation that offers goods or services to people in the EU, whether or not the organisation itself is based there.
In order to give citizens control over how their data is used and to protect “the rights and freedoms of natural persons”, the Regulation sets out strict requirements for data processing procedures, transparency, documentation and user consent.
“Every organisation should keep a record of its personal data processing activities and keep track of them.”
The GDPR reaches most organisations around the globe that sell goods or services into the EU and process the personal data of people there. It imposes obligations on both data controllers and data processors, so both can be held legally liable in the event of a personal data breach.
Who does the GDPR apply to?
Article 3(1) states that the GDPR applies to organisations established in the European Union even if the data is stored or processed outside the EU. Article 3(2) goes further and applies the law to organisations that are not established in the EU if they offer goods or services to people in the EU, or monitor the behaviour of people in the EU.
What does it mean to offer goods and services to EU citizens?
Offering goods and services to the EU citizens:
You do not have to be making sales yet: an evident intention to offer goods or services to people in the EU is enough. Indicators include a website that quotes prices in an EU member state's currency (not every EU country uses the euro), a site available in the language of a member state, references to EU customers, or shipping goods to the EU. A website that is merely reachable from the EU, or that uses a language already common in your own country (English on a US site, for example), is not on its own enough to establish that intention.
Monitoring the behaviour of the EU citizens:
Monitoring the behaviour of people in the EU sounds ominous, but the threshold is low and many businesses meet it without realising. If your website sets tracking cookies, logs and analyses the IP addresses of visitors from EU countries, or otherwise profiles their browsing, that is monitoring of their behaviour within the EU and the GDPR applies to your business.
What is the geographical scope of the GDPR?
“Under certain conditions, the GDPR applies to companies that are not in Europe.”
The territorial scope of the GDPR is determined in Article 3 of the law:
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Does the GDPR apply to companies outside of the EU?
The GDPR is unusual in that it applies to organisations that may have little to do with the EU. For example, you may be a US web development company based in Denver, Colorado, selling websites mainly to Colorado businesses. If you track and analyse EU visitors to your company’s website, however, you may be subject to the provisions of the GDPR.
The purpose of the GDPR is to protect the personal data of people who are in the EU (data subjects, not only EU citizens or residents). The law therefore applies to organisations that process this data regardless of whether they are based in the EU: the so-called “extraterritorial effect”.
Where an EU/UK data controller uses a processor outside the EU/UK, responsibility for GDPR compliance rests primarily with the controller. Unless the offshore processor itself offers goods or services (even free of charge) to people in the EU/UK or monitors their behaviour within the EU/UK, it is not caught by the GDPR directly. It is, however, likely to become subject to the GDPR indirectly by contract: Article 28 requires the controller to impose specific contractual obligations on the processor, and depending on the processor's territory the controller may also insist on additional protections for the international transfer, such as the European Commission's standard contractual clauses. The 2010 model clauses originally used for this purpose were replaced by new standard contractual clauses in 2021, and the UK now has its own international data transfer agreement and addendum.