Despite the GDPR being in place since the 25th May 2018, a number of organisations are still unclear as to whether the regulation applies to them. In this article, we explore who really needs the GDPR, i.e., who needs to be GDPR compliant.
GDPR – Does it apply to us?
Let’s start with the General Data Protection Regulation. As you may be aware, the regulation is divided into a series of recitals and articles. The earlier articles (General Provisions and Principles) are useful as a reference guide, but we are going to focus on Articles 2 and 3.
Article 2 – Material scope. Looking at Article 2 – Material scope, this states the following: “1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.“
This means that any computerised processing of personal data, or paper-based data that is organised into any form of an ordered system – alphabetically or by customer size, market type, etc., will fall into the scope of the regulation.
Now let’s look at Paragraph 2, which states where the regulation does not apply (for the sake of brevity, I’ve omitted B and D, which are typically only applicable for member states or government departments): ‘’A) in the course of an activity which falls outside the scope of Union law; C) by a natural person in the course of a purely personal or household activity.”
However, there are edge cases that are unclear and yet to be tested in national courts. One example would be an individual running a gaming forum where they collect personal data of members; in this instance, depending on the number of members, it would likely be exempt. Once the organiser started monetising the forum via advertisements, etc., it would then likely fall into scope. Review the following table for examples of instances where processing activities likely fall in or out of scope.
Article 3 – Territorial scope. Looking at Article 3 – Territorial scope, this article states the following: “1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
This translates to, organisations based in the EU will fall under the scope of the GDPR regardless of whether the processing takes place in the EU or not; therefore, using cloud services to process the data outside of the EU won’t exempt those activities.
Furthermore, if an organisation/individual is subject to EU law, then all personal data falls within the GDPR scope – not just that of EU data subjects. As an example, an organisation based in an EU country, which is processing the personal data of U.S.-based data subjects, must apply the same controls (when processing U.S. data) as if they were EU-based citizens.
Article 3 paragraph 2 also states:“2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.”
Reading the above, it should be apparent that controllers and processors that process the data of EU data subjects will be subject to the GDPR. However, the formal definition of EU data subjects refers to their physical location at that moment of the processing (in the EU), regardless of nationality or legal status (as per clarification from the European Data Protection Board 16th November 2018). Therefore, the GDPR would apply equally to non-EU residents while they travel through the EU (on holiday, flights, etc.).
Also, if you primarily target non-EU-based clients or customers (and are based outside of the EU), you will likely be exempt from the GDPR. This can be demonstrated in the following way:
- GDPR is not applicable: A U.S.-based organisation with employees only in the U.S., though some of these employees are EU citizens, will NOT be subject to the GDPR.
- GDPR is applicable: Conversely, a U.S.-based organisation with employees in the EU will fall into scope even if the EU-based employees are only U.S. citizens.
A startup established in the United States, without any business presence or establishment in the EU, provides a city-mapping application for tourists. The application processes personal data concerning the location of customers using the app (the data subjects) once they start using the application in the city they visit, in order to offer targeted advertisement for places to visits, restaurants, bars and hotels. The application is available for tourists while they visit New York, San Francisco, Toronto, London, Paris and Rome. The U.S. startup, via its city-mapping application, is offering services to individuals in the Union (specifically in London, Paris and Rome). The processing of the EU-located data subjects’ personal data, in connection with the offering of the service, falls within the scope of the GDPR as per Article 3(2).
A U.S. citizen is travelling through Europe during his holidays. While in Europe, he downloads and uses a news app that is offered by a U.S. company. The app is exclusively directed at the U.S. market. The collection of the U.S. tourist’s personal data via the app by the U.S. company is not subject to the GDPR.
What if you are a U.S. company providing software-as-a-service, and most of your individual customers come from the U.S., but some are from the EU – do you need to be GDPR compliant?
The mere accessibility of your SaaS solution to individuals in the Union or use of the languages of one of the Member States in the Union (i.e., English) should not by itself make you subject to the EU GDPR. Basically, if you are not targeting EU customers – which means you are not using the email addresses and contact details to deliver advertisements or to create profiles in order to deliver personalised advertisement to EU citizens – this would mean that the EU GDPR does not apply to you.
And, what if you are an Australian company that collects email addresses on your website – do you need to be GDPR compliant?
The mere accessibility of your Australian website by individuals in the Union or use of the languages of one of the Member States in the EU should not by itself make you subject to the GDPR. Moreover, just collecting email addresses via a website does not necessarily mean that a company needs to be compliant with the GDPR. However, if the email addresses are used to offer goods or services, or to monitor individuals in the EU, the GDPR would become applicable. To put it in other words, if you are using the email addresses to create email databases for marketing purposes, then the GDPR would apply to you.
Learn more about the roles of controller and processor in the article EU GDPR controller vs. processor – What are the differences?
To comply or not to comply – that is the strategic question. If you decide to comply, but you didn’t have to, this will prove to be costly; but, if you decide not to comply when the GDPR is applicable to you, it could prove even more costly. So choose wisely.
To learn about the other basics of GDPR compliance, see this free online training: EU GDPR Foundations Course.