“Do we need to be GDPR compliant?” is the nagging question at the back of many an executive’s mind. Since its adoption in 2018, the GDPR has been changing how the internet does business. Though a European law, it affects organizations across the globe, and compliance involves a lot more than just posting a privacy policy.
For non-European organizations, it’s easy to dismiss the idea that the GDPR may apply to them, but the reality is far from that simple. In the online economy, businesses have easier access than ever to international markets, but with that access comes accountability to the laws that govern those markets. In fact, maintaining accountability as data flows across borders and between companies is one of the GDPR’s primary concerns.
Here are the factors that come into play when determining whether the GDPR applies to you.
Some data privacy laws, like the California Consumer Privacy Act, only apply to for-profit businesses; the GDPR makes no such distinction. It can apply to individuals, businesses, governments, nonprofits, and anyone else that processes personal data outside of a purely household or personal context. We use the broad term “organizations” to cover all these different types of entities.
Any organization that “processes” personal data (i.e., handles it in any way, from storing to transferring to analyzing), including the data of its employees, can fall under the GDPR.
In most cases, the GDPR applies in one of two ways. First, it applies to organizations that are “established” in a country that has adopted the GDPR. These countries include the entire European Economic Area (all EU member nations plus Norway, Liechtenstein, and Iceland) and the United Kingdom (collectively, “EEA/UK”). Second, it applies to organizations that are not established in the EEA/UK but offer their goods or services there.
If an organization is established within the EEA/UK, the GDPR applies to all of its data-processing activities regardless of where its data subjects (the people whose data is being processed) are located. For example, if an online business is based in Ireland, it must follow GDPR rules with respect to all of its customers and website visitors, even if they are located outside of the EEA/UK.
“Establishment” in the EEA/UK means “the effective and real exercise of activity through stable arrangements” in that territory. Typically, this means a permanent, physical presence of some kind, such as having a headquarters, branch, or subsidiary located there.
For organizations that have their primary establishment elsewhere and a secondary establishment in the EEA/UK, the GDPR may only apply to data processing performed by that secondary establishment, but the line can be a bit murky. For example, if a U.S. company has a branch office in Ireland, theoretically only the Irish branch office has to follow the GDPR (assuming the rest of the organization does not offer goods or services within the EEA/UK), but in reality the data collected by the branch office tends to be shared throughout the company.
The second way an organization can be required to comply with the GDPR is when it is not established in the EEA/UK but does offer its goods or services there. Such an organization is only required to comply with the GDPR with regard to its processing of personal data of European data subjects.
There is no hard rule about what it means to “offer goods or services” in the EEA/UK, but it does require a degree of intention beyond just having a website that is visible to people in Europe. A number of factors may be considered, such as the posting of prices in the local currency, translating content into other European languages, and offering shipping options to the EEA/UK.
Example: An ecommerce business is based in the United States, but also has an Italian-language version of its website where it displays prices in euros. That business is offering its goods to data subjects within the EEA/UK, and will have to comply with the GDPR with regard to any personal data it collects about European data subjects.
Some organizations that provide B2B services, even if they are not themselves required to be “in compliance” with the GDPR, may still be affected by it and have to follow many of its rules. The reason is that their GDPR-compliant business customers can only share personal data with the organization if it abides by specific privacy rules.
The two main types of actors in the GDPR’s legal framework are “controllers” and “processors.” With respect to any specific personal data, the controller is the one who “determines the purposes and means” of its processing (i.e., they are in charge of it). The controller may hire a processor to process personal data on its behalf. For example, if a retailer uses an email vendor to send out promotions to its customers, the retailer is the controller of the email addresses and the vendor is the processor.
A GDPR-compliant controller may only disclose personal data to a processor if the two parties have a written contract that requires the processor to adhere to certain privacy safeguards. These safeguards include only processing personal data according to the controller’s instructions, having confidentiality agreements for all personnel who will access the data, and not sharing the data with any sub-processors without a similar agreement in place. The contract requirement is most often met by including a data protection agreement (DPA) as part of the processor’s master service agreement.
This means that a processor that wouldn’t otherwise have to be GDPR compliant will still have to meet some privacy requirements if it wants to do business with GDPR-compliant organizations. Offering a boilerplate DPA may not be enough. First, the processor needs to make sure it is actually implementing all of the required privacy safeguards. Second, it will need to determine whether it is disclosing any of the personal data to other parties (sub-processors) and have a DPA in place with them as well.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.