For non-European organizations, it’s easy to dismiss the idea that the GDPR may apply to them, but the reality is far from that simple. In the online economy, businesses have easier access than ever to international markets, but with that access comes accountability to the laws that govern those markets. In fact, maintaining accountability as data flows across borders and between companies is one of the GDPR’s primary concerns.
Here are the factors that come into play when determining whether the GDPR applies to you.
Some data privacy laws, like the California Consumer Privacy Act, only apply to for-profit businesses; the GDPR makes no such distinction. It can apply to individuals, businesses, governments, nonprofits, and anyone else that processes personal data outside of a purely household or personal context. We use the broad term “organizations” to cover all these different types of entities.
Any organization that “processes” personal data (i.e., handles it in any way, from storing to transferring to analyzing), including the data of its employees, can fall under the GDPR.
In most cases, the GDPR applies in one of two ways. First, it applies to organizations that are “established” in a country that has adopted the GDPR. These countries include the entire European Economic Area (all EU member nations plus Norway, Lichtenstein, and Iceland) and the United Kingdom (collectively, “EEA/UK”). Second, it applies to organizations that are not established in the EEA/UK but offer their goods or services there.
If an organization is established within the EEA/UK, the GDPR applies to all of their data-processing activities regardless of where its data subjects (the people whose data is being processed) are located. For example, if an online business is based in Ireland, it must follow GDPR rules with respect to all of its customers and website visitors even if they are located outside of the EEA/UK.
“Establishment” in the EEA/UK means “the effective and real exercise of activity through stable arrangements” in that territory. Typically, this means a permanent, physical presence of some kind, such as having a headquarters, branch, or subsidiary located there.
For organizations that have their primary establishment elsewhere and a secondary establishment in the EEA/UK, the GDPR may only apply to data-processing performed by that secondary establishment, but the line can be a bit murky. For example, if a U.S. company has a branch office in Ireland, theoretically only the Irish branch office has to follow the GDPR (assuming the rest of the organization does not offer goods or services within the EEA/UK), but in reality the data collected by the branch office tends be shared throughout the company
The second way an organization can be required to comply with the GDPR is when it is not established in the EEA/UK but does offer its goods or services there. Such an organization is only required to comply with the GDPR with regard to its processing of personal data of European data subjects.
There is no hard rule about what it means to “offer goods or services” in the EEA/UK, but it does require a degree of intention beyond just having a website that is visible to people in Europe. A number of factors may be considered, such as the posting of prices in the local currency, translating content into other European languages, and offering shipping options to the EEA/UK.
Example: An ecommerce business is based in the United States, but also has an Italian-language version of its website where it displays prices in euros. That business is offering its goods to data subjects within the EEA/UK, and will have to comply with the GDPR with regard to any personal data it collects about European data subjects.
Some organizations that provide B2B services, even if they are not required to be “in compliance” with the GDPR, may still be affected by it and have to follow many of its rules. The reason for this is that their GDPR-compliant business customers can only share personal data with the organization if it abides by specific privacy rules.
The two main types of actors in the GDPR’s legal framework are “controllers” and “processors.” With respect to any specific personal data, the controller is the one who “determines the purposes and means” of its processing (i.e., they are in charge of it). The controller may hire a processor to process personal data on its behalf. For example, if a retailer uses an email vendor to send out promotions to its customers, the retailer is the controller of the email addresses and the vendor is the processor.
A GDPR-compliant controller may only disclose personal data to a processor if the two parties have a written contract that requires the processor to adhere to certain privacy safeguards. These safeguards include only processing personal data according to the controller’s instructions, having confidentiality agreements for all personnel who will access the data, and not sharing the data with any sub-processors without a similar agreement in place. The contract requirement is most often met by including a data protection agreement (DPA) as part of the processor’s master service agreement.
This means that a processor that wouldn’t otherwise have to be GDPR compliant will still have to meet some privacy requirements if it wants to do business with GDPR-compliant organizations. Offering a boilerplate DPA may not be enough. First, it needs to make sure it is actually implementing all of the required privacy safeguards. Second, it will need to determine whether it is disclosing any of the personal data to other parties, and have a DPA in place with them as well.
GDPR compliance is complicated, and for many organizations it can seem out of reach. Without the resources to become compliant, they are faced with a choice to either abandon the European market or roll the dice on being targeted for enforcement.
TrueVault Polaris helps organizations avoid this difficult decision by making it simple and affordable for them to become GDPR compliant. In as little as a few hours, our guided software takes you step-by-step through the entire process. Our customers also have the necessary tools, such as privacy-request workflows, cookie consent banners, and advertising opt-outs, to stay compliant with minimal effort. Contact our team to learn more.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.