The use of the words ‘citizen of the European Union’ can be confusing in the context of the General Data Protection Regulation (GDPR). For compliance requirements, it makes more sense to talk about people who are located within the EU.
Indeed, the language that is used most consistently throughout the GDPR is “natural person”, which is to say an individual human, not a legal person – which may be a person, an entity, or an organization.
This is because the GDPR stipulations only apply when personal data is collected from an individual person who is located in an EU country at the time the data is collected.
It concerns any natural person, or individual, not just EU citizens. It also does not apply to EU citizens who have their data collected while they are outside of the EU.
How Does This Work?
Think about it this way: there are millions of EU citizens in the world, but not all of them are located in the EU all of the time. Some may be travelling or living in other regions of the globe for various reasons.
If they deal with a business or organization while they are in a non-EU country, any personal data they provide is not covered by the GDPR rules, because they are not located within the EU at the time. It is not the citizenship of the person that matters, but where they are situated.
Looking at another example helps to further illustrate who the GDPR applies to. A US citizen is temporarily residing or travelling in France, which is an EU country. They make a purchase from a local store and provide personal information during the transaction. This personal information is covered by GDPR as the person is located within the EU as the purchase takes place.
From these examples you can see that the personal data of an EU citizen residing in the US, for example, would be dealt with according to individual data protection laws within the US and would not be subject to GDPR compliance, whereas the personal data of a US citizen residing in the EU would be subject to GDPR regulations.
Does It Matter Where the Business or Organization Is Located?
When considering whether GDPR rules apply, the primary determining factor is the location of the individual. Any business or organization that processes the data of people living within the EU, no matter where that business or organization is located, should comply with the GDPR stipulations or face being fined for non-compliance.
This can be a complex situation for a business or organization that is located in a non-EU country that is involved with processing the personal data both of people who reside within the EU and people who do not.
For instance, in the US there is no single, overarching law that governs the privacy of an individual. Instead, laws such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA) protect sensitive data in certain sectors such as healthcare and finance.
In HIPAA’s case, the data concerned is medical information. Given that maintaining two separate processes and two sets of procedures would be costly and time consuming for US businesses and organizations, as well as confusing for employees, it may make sense for them to introduce a rationalized or more holistic approach to data protection.
By ensuring that all personal data is protected effectively, in a way that satisfies the requirements of both HIPAA and the GDPR in this example, they will find it easier to comply with all applicable regulations and should find it easier to implement and operate processes and procedures.
Whether US businesses will choose to take this “one-size-fits-all” approach remains to be seen. If they do, EU citizens based in the US may see the benefit of the GDPR even though they are not actually covered by it.
Companies with offices within the EU are also subject to the GDPR. The law states that “any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union.”
This means that businesses based in the EU that collect or process data, either through a subsidiary or a branch of the main company, must also respect the GDPR.