The General Data Protection Regulation (GDPR) is the main regulation in the European Union that dictates how organizations process EU citizens’ personal data.
However, to whom does the GDPR apply? Does it affect all businesses in the EU, and do businesses outside the EU need to comply?
Does GDPR apply to both the EU and EEA?
The GDPR applies to all Member States of the European Union (EU) and countries in the European Economic Area (EEA).
What is specific to the GDPR is its extraterritorial effect, which means it protects the personal data of EU citizens and residents and applies to all organizations that process such data, whether they are EU-based organizations or not.
Does your company need to comply with the GDPR?
Your company needs to comply with the GDPR if it falls into one of these two categories:
- Your company is based in the EU and processes personal information of EU citizens and residents
- Your company is not based in the EU but offers products or services to EU citizens or residents, or monitors their behavior
What does it mean to offer goods and services to EU citizens?
1. OFFERING GOODS AND SERVICES TO THE EU CITIZENS
Even if you are not conducting any commercial activity, the intention alone will be interpreted as an offer of goods and services to EU citizens.
For example, if your company has a website that displays the currency of any EU member state (not all EU countries have adopted the euro), or you have a website in the language of one of the member states, or you ship goods to the EU, it is interpreted as offering goods and services to EU citizens.
2. MONITORING THE BEHAVIOR OF THE EU CITIZENS
Monitoring the behavior of EU citizens sounds ominous, but it is really simple, and it is highly likely that your company falls into this category.
Does the GDPR apply to an individual?
The GDPR does not apply to a natural person conducting a ‘personal or domestic’ activity, as discussed in Recital 18:
“This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity.
Personal or household activities could include correspondence, the holding of addresses, or social networking and online activity within the context of such activities.
However, GDPR applies to controllers or processors which provide the means for processing personal data for such personal or household activities.”
Does the GDPR apply outside the European Union?
YES… under certain circumstances.
The GDPR protects the personal data of EU citizens and residents even when it is transferred outside the EU, which means that the GDPR applies to all organizations, EU and non-EU, that process the personal information of European citizens.
An example of that would be a company from China that collects data from EU citizens.
The same legal obligations apply to that company as though it were headquartered in the EU, even though it need not have any offices in the territory of any EU country.
In other words, if a company offers goods or services to EU citizens or monitors the behavior of individuals within the EU, it has to comply with the GDPR.
A supervisory authority monitors and enforces the application of the GDPR. Although supervisory authorities have limited enforcement powers against overseas entities without EU-based representatives, they may seek to coordinate with foreign regulators in taking enforcement action.
Are you accountable as a Data Processor?
You may not like this, but: YES!
In fact, we have previously covered a GDPR fine issued to a data processor, and we can expect it will not be the last fine issued to a data processor. That fine, in the amount of €50,000, was issued for a breach of Article 32.
In order to understand your obligations better, you have to determine whether you are a data controller or a data processor.
Note that in some situations you will be a data processor and in others a data controller; it depends on the circumstances.
The most important question to ask yourself is: Do you determine the purpose of the processing, or are you just an executor?
However, both controllers and processors should implement appropriate security measures.
The GDPR places legal obligations on data processors to maintain records of personal data and how it is processed. Controllers need to ensure they have contracts with their processors and that those processors comply with the GDPR.
3 questions to find out if the GDPR applies to you
1. Do you process EU residents’ personal data?
If you process EU residents’ personal data, then GDPR applies to you. It doesn’t matter if an individual resides outside of an EU state. GDPR is there to safeguard the personal data of all EU citizens, so even in that case, GDPR applies to you.
2. What does it mean if your company has fewer than 250 employees?
Organizations need to comply with the GDPR even if they have fewer than 250 employees. This means that many small and medium-sized enterprises (SMEs) that process personal data of individuals in the European Union or sell goods or services to the EU are obligated to comply.
3. Do you engage in economic activity?
The Regulation does not apply to the processing of personal data of EU citizens if it is carried out exclusively for purely personal or household activities.
What are the penalties for non-compliance?
The General Data Protection Regulation recognizes two levels of fines for less severe and very severe violations.
Non-compliance may result in administrative fines of up to €20 million or up to 4% of the total worldwide annual turnover of the previous financial year, whichever is higher.
Now that you have a better insight into who the EU GDPR applies to, you can take step-by-step actions to achieve compliance and become, and remain, an organization that takes care of its customers’ data.
If you’ve realized that the GDPR applies to your organization, check out our solutions for GDPR-related issues.