Gdpr Law: Who Does It Affect?

who does the gdpr law apply to

The EU's General Data Protection Regulation (GDPR) applies to any company or entity that processes personal data as part of its business activities and is established in the EU. It also applies to companies based outside of the EU that offer goods or services to individuals in the EU or monitor their behaviour.

The GDPR defines 'personal data' as any information that can identify an individual, including IP addresses and cookie data.

The regulation does not apply to people processing personal data for personal or household activities, such as keeping personal contacts' information on a computer or using CCTV cameras to protect your home.

Characteristics Values
Company location The GDPR applies to companies inside and outside the EU.
Company size There is no size or revenue threshold.
Nature of data processing The company must be a data controller or data processor.
Nature of economic activity The company must be engaged in economic activity.
Target audience The company must target EU residents.
Nature of goods/services The company must provide goods/services to EU residents.
Nature of data subjects The company must process the personal data of EU residents.

lawshun

Companies offering goods/services to EU citizens

The General Data Protection Regulation (GDPR) applies to companies offering goods or services to EU citizens, regardless of whether the company is based in the EU or not. This includes companies that are monitoring the behaviour of individuals in the EU.

For example, if a US-based clothing store's website ships orders to several major European cities, like Paris and Berlin, and monitors the behaviour of data subjects in those regions, it falls under the purview of the GDPR.

The GDPR does not impose a size or revenue threshold on companies. A US-based company of any size may qualify as a data controller under the GDPR. A data controller is an entity that decides why and how personal information is used.

Alternatively, companies in the US can qualify as a data processor, which is defined as an entity that processes personal data on behalf of the controller. Data processing refers to the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available sets of personal data.

If a company is unsure whether it needs to comply with the GDPR, it is essential to seek clarification from the ICO to avoid potentially heavy fines.

lawshun

Companies monitoring behaviour of individuals in the EU

The General Data Protection Regulation (GDPR) applies to companies monitoring the behaviour of individuals in the EU, even if the company is established outside the EU. This is distinct from offering goods or services to individuals in the EU, which is also covered by the regulation.

The text from Article 3 of the regulation is:

> This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

>

> a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

>

> b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

Article 3 is about the scope of the regulation. This particular question is clarified by Recital 24 (emphasis added):

> The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

The "currently in the EU" bit is significant: the GDPR doesn't apply if a company collects data about the activities of an EU citizen who happens to be currently in a non-EU country, but it does apply to a non-EU citizen who is visiting the EU. The term "behaviour" is used to distinguish data about what someone is currently doing from static data such as date and place of birth (which is presumably much more tied to nationality than current location).

The more employee monitoring resembles surveillance – with its systematic, continuous, and detailed tracking of employees' activities, behaviours, or communications – the greater the potential for infringement of both privacy and data protection rights. Although the GDPR provides safeguards to protect employees' privacy and data protection rights, regulatory challenges remain. Compliance with the GDPR principles of data minimisation and transparency is difficult given digital technologies collect and process large amounts of data and their inner workings often lack transparency.

The GDPR broadly expects all small and medium-sized enterprises (SMEs) to comply with the Regulation, but it makes some exceptions for organisations that have fewer than 250 employees.

lawshun

US companies processing personal data of EU citizens

The General Data Protection Regulation (GDPR) applies to US companies that process the personal data of EU citizens, even if the company is established outside the EU. This is because the GDPR is extraterritorial in scope, meaning it is designed to protect the rights of data subjects, rather than regulate businesses. A "data subject" is any person in the EU, including citizens, residents, and visitors.

Therefore, if a US company collects any personal data of people in the EU, they are required to comply with the GDPR. This could be in the form of email addresses in a marketing list or the IP addresses of those who visit a company website.

The GDPR applies to US companies in three cases:

If the US company has an "establishment" in the EU

This means the company is engaged in the processing of personal data in the context of the activities of an establishment in the EU, regardless of whether the processing takes place in the EU or not. An establishment implies the effective and real exercise of activity through stable arrangements.

If the US company offers goods or services in the EU

The GDPR applies to businesses not established in the EU if they process the personal data of individuals who are in the EU when offering them goods or services, whether in return for payment or not. This applies to the processing of personal data of any "data subjects who are in the Union", regardless of their nationality or residence.

If the US company monitors the behaviour of individuals in the EU

Businesses that are not established in the EU, and that do not offer goods or services in the EU, will still be subject to the GDPR if they process personal data in connection with the "monitoring" of the behaviour of EU data subjects. Monitoring appears to be focused on internet activity that includes tracking an individual on the internet and using data processing techniques to profile such individuals to analyse or predict personal preferences, behaviour and attitudes.

lawshun

EU companies processing personal data of non-EU citizens

The General Data Protection Regulation (GDPR) applies to EU companies processing the personal data of non-EU citizens in certain circumstances.

The GDPR applies to EU-based organisations that process personal data of individuals in the EU. It also applies to organisations outside the EU that target people living in the EU. This is known as the "extra-territorial effect".

The GDPR applies to organisations established outside the EU if they process the personal data of EU residents when offering them goods or services, or monitoring their behaviour as far as their behaviour takes place within the EU.

For example, a US company that gathers data from EU citizens. The legal obligation applies to the organisation as if it has its head office in the EU, even if it doesn't have any physical offices within the borders of any European Union country. This means that if the company offers services or goods to EU citizens or tracks the behaviour of consumers within the EU, it must comply with the GDPR.

However, the GDPR does not apply to non-EU citizens living outside the EU. The regulation is only concerned with the location of the data subject and not their citizenship status. If an EU citizen is outside the EU, they are subject to the laws of the country they are in.

lawshun

Companies with250 employees

The General Data Protection Regulation (GDPR) applies to all companies that process personal data relating to data subjects in the European Union (EU), regardless of their size or location. This means that companies with 250 employees or fewer are still subject to the rules of GDPR, and must comply with the majority of the law's requirements.

There are, however, some exceptions for smaller organisations. For example, companies with fewer than 250 employees are exempt from maintaining records of their processing activities under Article 30 of the GDPR. This exemption applies when processing is occasional and is not likely to result in a risk to the rights and freedoms of data subjects, or when processing does not include special categories of personal data or criminal data.

Similarly, SMEs with fewer than 250 employees are not required to appoint a Data Protection Officer (DPO) unless they are engaged in the large-scale processing of personal data as their main business activity, and it poses a specific threat to individuals' rights and freedoms. This includes activities such as monitoring individuals or processing sensitive data or criminal records.

While there are some exemptions for smaller companies, it is important to note that the GDPR does not have a small business carve-out. Therefore, companies with 250 employees or fewer will still need to comply with most of the law's requirements. They will need to find a lawful basis for processing personal data, obtain informed consent from users, provide transparency about their data collection and usage, and fulfill data subject access requests.

To summarise, while there are some exemptions for companies with 250 employees or fewer, the GDPR still applies to these organisations and they must take steps to ensure compliance with the majority of the regulation's requirements.

Frequently asked questions

Yes, the GDPR applies to companies outside the EU if they offer goods or services to EU residents or monitor the behaviour of individuals in the EU.

The GDPR applies to US citizens who are in the EU.

No, the GDPR does not apply to EU citizens living in the US.

Yes, the GDPR applies to US government agencies and other public-sector organisations. However, they are exempt from complying with specific provisions if the data processing is for reasons beneficial to the public interest.

Yes, the GDPR applies to small businesses. However, organisations with fewer than 250 employees are exempt from maintaining a record of processing activities unless their processing activities are likely to result in a risk to the rights and freedoms of data subjects.

Written by
Reviewed by
Share this post
Print
Did this article help you?

Leave a comment