Under certain conditions, the GDPR applies to companies that are not in Europe. In this article, we’ll explain when and how the GDPR applies outside the EU.

The European Union’s General Data Protection Regulation is peculiar in that it applies to organizations that may have little to do with the EU. For example, you may be a US web development company based in Denver, Colorado, selling websites mainly to Colorado businesses. But if you track and analyze EU visitors to your company’s website, then you may be subject to the provisions of the GDPR. Here we’ll take a detailed look at the geographical scope of the GDPR, including what the regulation actually says and how you might be affected. You shouldn’t take this as personal legal advice, of course. We recommend speaking with an attorney to determine whether the GDPR applies to your organization’s specific case.

The GDPR in a nutshell

The GDPR is an EU data privacy law that went into effect on May 25, 2018. It is designed to give individuals more control over how their data are collected, used, and protected online. It also binds organizations to strict rules about using and securing the personal data they collect from people, including a duty to implement appropriate technical and organizational safeguards (Article 32 names encryption and pseudonymization as examples of such measures) and a higher legal threshold to justify collecting data in the first place. Organizations that don’t comply face penalties of up to 4 percent of their global annual revenue or €20 million, whichever is higher. For an overview of the GDPR, check out our article “What is the GDPR?” And you can read the full text here.

The GDPR does apply outside Europe

The whole point of the GDPR is to protect the personal data of people in the EU, whatever their nationality. The regulation therefore applies to organizations that process such data whether or not they are based in the EU, an effect usually called “extra-territorial scope.” Article 3 spells out the territorial scope of the law:
Article 3.1 states that the GDPR applies to organizations established in the EU even if the data are stored or processed outside of the EU. Article 3.2 goes further and applies the law to organizations that are not established in the EU if either of two conditions is met: the organization offers goods or services (paid or free) to people in the EU, or it monitors the behavior of people in the EU, insofar as that behavior takes place within the EU. (Article 3.3 covers the more unusual case where a Member State’s law applies by virtue of public international law, such as at EU diplomatic missions.)

When does the GDPR apply outside Europe?

As we just mentioned, there are two scenarios in which a non-EU organization might have to comply with the GDPR. Let’s take a closer look at each of these.

Offering goods or services

The Internet makes goods and services in far-flung places accessible anywhere in the world. A teenager in Cyprus could easily order a pizza online from a local pizza shop in Miami and have it delivered to a friend’s house there. But the GDPR does not hinge on occasional, incidental transactions like this. Rather, regulators look for evidence that the organization set out to offer goods or services to people in the EU. Recital 23 of the regulation makes clear that merely having a website that is accessible from the EU is not enough; what counts are signals of intent, such as a Canadian company running ads in German, accepting orders in an EU language, listing prices in euros, or mentioning its EU customers. In other words, if your company is not in the EU but you cater to EU customers, then you should strive to be GDPR compliant.

Monitoring their behavior

If your organization uses web tools that track people who visit your website from EU countries, for example through cookies, IP addresses, or analytics that build a profile of their browsing, then you fall under the scope of the GDPR. Recital 24 points to tracking individuals on the internet, in particular to profile them or predict their preferences, as the test for “monitoring.” Practically speaking, it’s unclear how strictly this provision will be interpreted or how aggressively it will be enforced. Suppose you run a golf course in Manitoba focused exclusively on your local area, but sometimes people in France stumble across your site. Would you find yourself in the crosshairs of European regulators? It’s not likely. But technically you could be held accountable for tracking these data.
Exceptions to the rule

There are two important exceptions we should note here. First, the GDPR does not apply to “purely personal or household activity” (Article 2.2). So if you’ve collected email addresses to organize a picnic with friends from work, rest assured you will not have to encrypt their contact info to comply with the GDPR (though you might want to anyway!). The GDPR only applies to processing connected with “professional or commercial activity.” So, if you’re collecting email addresses from friends to fundraise for a side business project, then the GDPR may apply to you.

The second exception concerns organizations with fewer than 250 employees. Small and medium-sized enterprises (SMEs) are not exempt from the GDPR, but Article 30.5 frees them from the obligation to keep records of their processing activities, unless the processing is likely to result in a risk to individuals, is more than occasional, or involves special categories of data or data on criminal convictions. In practice, many SMEs that track website visitors will fall outside this relief because their processing is not occasional.

Conclusion

If you’re pretty sure the GDPR applies to you, it’s a good idea to look over some of the articles and analysis on this website to familiarize yourself with the law. It’s also a good idea to peruse the text of the regulation itself. And if you have any specific questions, you’re welcome to post them in the comments.

What data is excluded from the GDPR?

Articles 85 to 91 allow Member States to adapt or derogate from parts of the GDPR in specific situations, such as:
- freedom of expression and information (Article 85);
- public access to official documents (Article 86);
- personal data of employees (Article 88);
- data processed for scientific research, statistics, or archiving (Article 89);
- churches and religious associations (Article 91).

Whose data does the GDPR not cover?

The GDPR does not apply to the personal data of deceased persons or of legal persons such as companies. Nor does it apply to data processed by an individual for purely personal or household activities, provided there is no connection to a professional or commercial activity.
What personal data is covered by the GDPR?

The GDPR defines personal data (Article 4.1) as any information relating to an identified or identifiable natural person. A person’s telephone number, credit card number, personnel number, account data, license plate, physical appearance, customer number, or address are all personal data. Because the definition says “any information,” the term should be interpreted as broadly as possible.