Who Does The EU GDPR Apply To

The General Data Protection Regulation (GDPR) became effective on May 25, 2018. It is the main Regulation in the European Union that dictates how organizations process EU citizens’ personal data.

However, does it affect all businesses in the EU, and do businesses outside the EU need to comply?

Does your company need to comply with the GDPR?

Your company needs to comply with the GDPR if it falls into one of two categories:

1. Your company is based in the EU and processes personal information of EU citizens and residents
2. Your company is not based in the EU, but offers products or services to EU residents or monitors the behavior of EU residents

Does the GDPR apply outside the European Union?

In short: yes, under certain circumstances.

When does the GDPR apply outside Europe?

Even though the GDPR was proposed by the EU Parliament, it protects the data of EU citizens and residents even when that data is transferred outside the EU. This characteristic is called extraterritoriality. It means that the GDPR applies to all organizations, EU and non-EU, that process the personal information of European citizens.


An example would be a company from China that collects data from EU citizens. The same legal obligations apply to that company as if it had its headquarters in the EU, even though it does not need to have a single office in the territory of any EU country.

In other words, if an organization offers goods or services to EU citizens or monitors the behavior of individuals within the EU, it will have to comply with the GDPR:

1. OFFERING GOODS AND SERVICES TO EU CITIZENS

Take note that if your company has a website that displays the currency of any EU member state (not all EU countries have adopted the euro), or a website in the language of one of the member states, or if you ship goods to the EU, this is interpreted as offering goods and services to EU citizens.

2. MONITORING THE BEHAVIOR OF EU CITIZENS

Monitoring the behavior of EU citizens sounds ominous, but it is really simple, and it is highly likely that you fall into this category. If your company uses cookies or tracks the IP addresses of website visitors from EU countries, the GDPR applies to your business as well.

Article 3 of the GDPR, which defines the territorial scope, explains this further:
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behavior as far as their behavior takes place within the Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

GDPR compliance for companies based in the EU

If you are an organization operating on the territory of the EU that processes personal data of EU citizens and residents, it is safe to say that you MUST comply.

However, there are different strategies for companies with a European presence:

1. Manage your processes so that you comply with the GDPR for all your customers
2. Identify EU and non-EU customers, or otherwise distinguish those within the EU territory from those outside it, so that each segment is handled with different practices.

However, let's face it: separating your database is highly complicated, often unattainable, and can seriously complicate your marketing strategy.

We talked about this in our GDPR marketing guide. Not to mention that either way you have to be compliant for at least the segment that concerns EU citizens. So the best practice is to comply with the GDPR for your entire customer database.

Recital 14 of the EU GDPR states:

“The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, concerning the processing of the personal data.”

Are you accountable as a Data Processor?

Maybe you are not going to like this, but: YES!

In fact, we have previously mentioned a GDPR fine issued to a data processor, and we can expect that it is neither the first nor the last fine issued to a data processor. The fine was issued for a breach of Article 32 of the GDPR in the amount of €50,000.

In order to understand your obligations better, you first have to determine whether you are a data controller or a data processor.

Note that in certain situations you will be a data processor and in others a data controller; it depends on the circumstances.

The most important question to ask yourself is: Do you determine the purpose of the processing, or are you just an executor?

There is a distinct line between the data processor and the data controller.

“Data controller” means the natural or legal person, public authority, agency or other institution which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

“Data processor” means a natural or legal person, public authority, agency or other institution which processes personal data on behalf of the controller.

Difference between Data Controller and Data Processor:
✅ The Data Controller, not the Data Processor, determines the purposes and means of data processing
✅ The Data Processor acts on the Data Controller's instructions and, although it can make certain decisions about how the processing is carried out, has limited control over the data
✅ The Data Processor has no reason to process that particular set of data on its own
✅ The Data Processor and the Data Controller have different sets of responsibilities

Both controllers and processors should implement appropriate security measures. The GDPR places legal obligations on data processors to maintain records of personal data and how it is processed. Controllers need to have contracts in place with their processors and make sure those processors comply with the GDPR.

3 questions to find out if the GDPR applies to you

Here are more questions to ask yourself to decide whether the GDPR applies to you:

1. Do I process EU residents’ personal data?

If you process EU residents' personal data, then the GDPR applies to you. It does not matter if an individual lives outside an EU state; the GDPR is there to safeguard the personal data of all EU citizens, so even in that case the GDPR applies to you.

2. What does it mean if my company has fewer than 250 employees?

Organizations need to comply with the GDPR even if they have fewer than 250 employees. This means that many small and medium-sized enterprises (SMEs) that process personal data of individuals in the European Union or sell goods or services to the EU are obligated to comply.

Article 30 of the GDPR requires controllers to maintain a record of processing activities (ROPA), and processors to maintain “a record of all categories of processing activities carried out on behalf of a controller”.

So if you have fewer than 250 employees, it only means you may not be obligated to maintain a data inventory or record of processing activities.

This exemption does not apply when the processing is likely to result in a risk to the rights and freedoms of data subjects, when the processing is not occasional, or when an organization processes special categories of data or personal data about criminal convictions and offenses.

3. Do you engage in economic activity?

The Regulation does not apply to the processing of personal data of EU citizens if it is carried out exclusively for purely personal or household activities.

What are the penalties for non-compliance?

Non-compliance may result in administrative fines of up to €20 million or up to 4% of the total worldwide annual turnover of the previous financial year, whichever is higher.

Article 83, paragraph 7 of the GDPR also states that “each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.”

Keep in mind that any company that processes data of EU residents, regardless of the location, is subject to penalties.

Conclusion

Now that you have a better insight into who the EU GDPR applies to, you can take step-by-step actions to achieve compliance and become, and also remain, an organization that takes care of its customers' data.

If you’ve realized that the GDPR applies to your organization, check out our solutions for GDPR-related issues.

If you are looking for software to automate and operationalize your business's GDPR compliance, you can request a demo or, if you are unsure of the scope of your GDPR challenges, request a free consultation and we will help you find a possible solution!

Disclaimer

This blog only provides a high-level overview of the topic; it is not legal advice and should not be taken as such. There are different interpretations of the GDPR, and this is just one of them. Please contact your supervisory authority or legal experts for GDPR-related advice.