Who Does the GDPR Apply To? Understanding the Scope and Applicability of the Data Protection Law

The General Data Protection Regulation (GDPR) is a legal framework that governs how personal data of users in the region should be collected, processed, and transferred. This means that the GDPR applies to all companies regardless of location and industry, so long as they target users from the European Union (EU). In short, the regulation was enacted and approved by the European Parliament and Council of the European Union in 2018 to hold businesses responsible for how they handle personal information.

Traversing the complex and ever-evolving nature of the GDPR is no easy task. If your organization has any of these questions in mind — who does the GDPR apply to, what sort of actions will make a business fall within the GDPR scope, or whether your organization is even subject to GDPR — you’ve come to the right place. Read on to find out more about the territorial and geographical scope of the GDPR and determine whether your business falls under GDPR jurisdiction.

Who Is Required to Comply with GDPR?

The GDPR explicitly states that any entity collecting or processing personal data from EU residents must ensure compliance with the legislative framework. Its territorial reach is extensive, covering a wide range of organizations, including businesses, governmental agencies, non-profits, and even individuals who may process personal data during their work. Below we list some specific activities that can trigger GDPR applicability, independent of their physical location. 

Offering Goods or Services to EU Citizens

Thanks to the internet, geographic location is a non-issue when it comes to the GDPR. If your business is offering goods or services to EU citizens, you are required to comply with the regulation due to its extraterritorial scope. Let’s say your business sells clothes and you are physically based in the US. Though you may not have a store in the EU, you have customers buying your products from France or Germany. This means that you cater to EU residents, rendering it obligatory for your business to adhere to the GDPR requirements. 

Monitoring the Behavior of EU Residents

Utilizing web tools to track cookies or IP addresses of visitors from EU countries brings your organization within the scope of GDPR regulations. The interpretation and enforcement of this law are yet to be fully determined but a compelling example would be if your company were to create an application tailored for users within the EU region. Newly registered users are usually required to provide personal information such as their name, email address, and additional details, thereby implicating your responsibility for data collection. An instance where this regulation becomes ambiguous is if you have a restaurant that is located in the US. Most of your customers would likely be locals within the area but suppose people from the EU stumble upon your website while planning a trip there. Depending on the type of data you track, you could be held accountable.

Roles Defined Under GDPR

1. Data subject — This is the person whose data is processed such as your customers or site visitors.
2. Data controller — This is the person who decides why and how personal data is used. Only data controllers can collect personal data from data subjects. They choose the lawful basis for processing personal data, obtain consent from data subjects when necessary, and implement measures to protect the data. Only data controllers have the authority to collect personal data directly from data subjects.
3. Data processor — This could be a third-party service provider that uses, stores or transfers data in some way. While they do not have the same level of control over the purposes and means of data processing as data controllers, they are still required to comply with certain legal requirements. Data processors must follow the data controller's instructions when handling personal data, ensuring they work as directed. Any time a data processor becomes involved in collecting data, they become a data controller and all of the above responsibilities apply accordingly.

Geographical Scope of GDPR

The geographical scope refers to whether an organization is established within the EU. This includes companies that have a physical presence, are simply conducting operations, or are targeting EU citizens. 

Does GDPR Apply Outside of Europe?

Non-EU businesses still come under the GDPR if they process EU residents’ personal data while selling goods or services to them or tracking their online behavior regardless of where the company is actually based. This is known as the extraterritorial effect.

Specific Instances When GDPR Applies Internationally

The GDPR, while rooted in EU law, has an international reach. As mentioned above, any non-EU organization that offers goods or services to EU residents falls under the GDPR's purview if it processes personal data during these transactions. This implies that even online businesses must comply with GDPR regulations if they cater to EU customers. The same applies to companies based outside of the EU processing data of EU customers, like storing user data or tracking usage patterns. These actions would automatically necessitate GDPR compliance.

Even businesses operating in the US need to comply with the GDPR, either as data controllers or data processors. Ultimately, GDPR protects all EU residents despite being of EU nationality. Granted, the protection applies while they are browsing the internet within those territories.

Exceptions to GDPR Applicability: When the Regulation Does Not Apply

Recital 18 states that the regulation does not simply apply to “purely personal or household activity” but rather to organizations that are specifically conducting “purely professional or commercial activity”. For individuals, this is a green light to collect email addresses or a Google calendar invite, getting an online friend’s details without needing to encrypt their contact info just to comply with the GDPR. However, if you’re gathering personal information to crowdfund for a side hustle, then you might want to familiarize yourself with the GDPR.

Another exception worth mentioning is companies having a workforce size of 250 or less. These small and medium-sized enterprises (SMEs) aren’t completely exempt from GDPR compliance, but they are free from record-keeping obligations. These records delineate the foundation of your data-gathering efforts and encompass information regarding:

• the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
• the purposes of the processing;
• a description of the categories of data subjects and of the categories of personal data;
• the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
• where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
• where possible, the envisaged time limits for erasure of the different categories of data;
• where possible, a general description of the technical and organizational security measures referred to in Article 32(1).

The Consequences of Non-Compliance

In 2018, the international hotel chain Marriott faced reputational damage and was hit with an £18.4 million GDPR fine for failing to secure their customers’ personal data by the Information Commissioner's Office (ICO). This penalty is a result of a 2014 cyber attack on Starwood Hotels and Resorts Worldwide, where hackers breached approximately 339 million guest records, including seven million records concerning individuals in the UK. The breach went undiscovered until September 2018, after Marriott had just taken over the company.

Similarly, tech giant Google was fined $57 million by CNIL, the French data protection watchdog for “failing to acknowledge how its users’ data is processed”. According to CNIL, Google did not obtain user consent to process data for ad personalization and the collected consent wasn’t specific or unambiguous, both terms outlined by GDPR. This made it challenging for users to understand how their data will be used or processed.

Conclusion

In a nutshell, the GDPR's impact extends globally, affecting organizations regardless of their location. This regulation mandates strict standards for the processing of personal data and imposes significant responsibilities on organizations handling EU residents' data. Compliance with GDPR principles is crucial for safeguarding individuals' privacy rights and avoiding substantial fines and penalties. Whether you're a data controller determining processing activities or a data processor handling personal information on behalf of other parties, it is crucial to understand both the data protection law’s territorial and geographical reach to ensure data protection and regulatory compliance. 

FAQs

1. What types of organizations does GDPR cover?

The general rule of thumb is that any company operating in the EU or deals with EU citizens; data must be GDPR compliant, irrespective of the industry they operate in. 

2. Who does GDPR apply to in the US?

US companies are subject to GDPR if they offer goods or services to EU citizens, or if they collect, process, or monitor the personal data of individuals from the EU.

3. Is my small business affected by GDPR?

Non-EU companies are still affected by this data protection law even if they have fewer than 250 employees depending on whether or not they are collecting, processing, or transferring the data of EU users. The silver lining is that smaller businesses are exempt from “record-keeping obligations” according to the official GDPR website.

4. How do I determine if GDPR applies to my non-EU-based company?

Since GDPR does not apply to occasional instances, regulators will usually look for other clues to determine whether a business set out to offer goods and services to people in the EU – like if a non-EU-based SME has advertisements communicated using an EU language. Non-EU companies should carefully consider factors such as their target market, the location of their data subjects, and their processing activities to determine their obligations under the GDPR. 

5. Do GDPR regulations apply differently to data controllers and data processors?

Controllers have primary responsibility for compliance while processors are bound by contractual obligations to instead assist controllers in meeting those obligations. The former is directly liable for GDPR violations whereas the latter is subject to indirect liability for non-compliance violations.

Our solutions

GDPR and Compliance

• GDPR Software (myDPO)
• GDPR Compliance Audits
• Privacy Impact Assessments (PIA)
• Clinical Trial Compliance

Outsourced DPO & Representation

• Outsourced DPO
• International DPO
• EU Representative
• UK Representative
• US Privacy Services

Training & Support

• Customized DPO Coaching
• GDPR Training

‍