Who Does GDPR Apply to?

The General Data Protection Regulation (GDPR) became enforceable on May 25, and there is still a lot of confusion surrounding this legislation.

If you are not living in a European Union (EU) country, you may think that GDPR has nothing to do with your personal data. Many organizations think that they are not affected because of their size or location. Many are in for a surprise, and not necessarily a good one.

Here are the individuals, companies, and enterprises that will be affected by the GDPR legislation.

Ask yourself:

  1. Am I a citizen of a European Union country but not presently living in an EU state? Even so, GDPR was created to safeguard the personal data of all EU citizens. Your location does not affect your citizenship.
  2. Am I an individual presently living in an EU country although I am not an EU citizen? If you are residing in an EU country, your personal data collected by EU businesses within that EU country is protected.
  3. Does my company process personal data of any European Union citizen, no matter where he lives and no matter where my company is located? Remember to include data collected through an online presence. If you store, process, or transmit data of EU residents, then your company must comply with GDPR.
  4. Does my company, or do I, engage in economic activity? GDPR does not apply to those who process personal data of EU citizens if it is exclusive to household or personal activities. Otherwise, according to Article 4 paragraph 18, you and/or your company must comply with GDPR regulations.

Does GDPR Apply to Individuals?

The simple answer to this question is yes and no. The main purpose of GDPR is to protect the personal data of data subjects, those from whom personal data was collected by a business or organization.

However, the mandate of GDPR is to protect the privacy of all European Union (EU) citizens. So, if we are talking about the personal data of someone of European Union origin, whether they live in an EU State or not, his personal data and his rights surrounding that data are protected. It behooves all companies who collect personal data from an EU citizen to furnish him with information regarding his personal data rights.

If you are under the age of 16 and an EU citizen, or someone living in an EU country, then GDPR requires that companies or organizations wishing to collect your personal data must have your parents’ written and informed consent to process your personal data.

Does GDPR Apply to non-European Union Citizens?

GDPR originated in European Union (EU) States. Its intent is to protect the personal data of all EU citizens. Thus, if you are a non-EU citizen, the GDPR does not specifically apply to your data and your data rights. However, if you are a non-EU citizen but presently living in an EU State, your rights are protected concerning data collected by EU companies and organizations.

However, in many instances, the personal data information presented by a company to its EU employees and/or clients and/or tradespeople is also being given to its non-EU contacts. While you cannot make a request regarding your personal data through GDPR channels, many companies are honouring these requests and processing them for their non-EU employees and clients. The companies do not want to be seen as discriminating between EU and non-EU individuals.

Another scenario would be if your company collects data of a non-EU citizen who is, at the time, living in an EU State, then his rights are protected under the GDPR as long as he resides in an EU State.

Does GDPR Apply to EU Citizens Living Abroad?

This area is often misunderstood by businesses not operating within the EU. They believe GDPR is an EU document and therefore has nothing to do with them. They are wrong. GDPR protects the personal data and the rights of data subjects as long as they are EU citizens, no matter where they are living.

In GDPR Article 3, the document explains that any company anywhere in the world that employs or does business with EU citizens must comply with GDPR regulations. Thus a company that hires or does business with any EU citizen must appoint a Data Controller whose job it is to supervise data collection by Data Processors. The Data Controller will explain the data protection rights of all EU citizens the company hires or does business with.

Many companies are convinced they have not hired or done business with EU citizens. If the company has no locations in EU States but processes data of EU citizens, or even non-EU citizens presently living in an EU State, then the company is affected by GDPR regulations.

If your company offers goods and/or services to anyone who is an EU citizen or any non-EU citizen who is presently residing in an EU State, then your company must comply with GDPR regulations.

Some locations not in EU states are under GDPR jurisdiction because of public international law.

Does GDPR Apply to American Citizens?

According to GDPR Article 3, if your company collects personal data from anyone inside an EU State, then your company is subject to GDPR rules. So if you are an American citizen living in an EU State, then your data collected there is affected by GDPR protection. This is true only if you are living in the EU when data was collected.

Does GDPR Apply to EU Citizens in the US?

This issue is called “extraterritoriality”. Basically, GDPR applies to data transferred outside EU states. So, if an EU citizen requests that their data be transferred electronically to a business in the United States, then their data is protected by all the rights ensured by GDPR.

In addition, if an EU citizen is living and working in the United States, then any data collected by an American company or organization is protected by GDPR regulations.

This American company would have to comply with GDPR rules whether or not it had any locations in such EU states as France or Germany.

Pursuing GDPR noncompliance in non-EU states will be complicated, but the regulation is enforceable there. Extraterritoriality will apply to websites that collect the data of EU citizens, including social media, e-commerce, and any online products or services.

Does GDPR Apply to Small Businesses?

The easy answer to this is yes. GDPR applies to all businesses of any size. Here is an example: Any company of any size with any number of employees that has a web presence and markets goods and/or services over the Internet will have potential dealings with EU citizens. Thus, that company is affected by GDPR legislation and must comply with GDPR regulations. Size is not a factor. Nor is the type of business a concern.

GDPR expects all small and medium-sized enterprises to comply with GDPR regulations. However, there are some exceptions if your company employs fewer than 250 employees. Many small and medium-sized companies do not pose as great a risk to the personal data of EU citizens.

Article 30 of the GDPR states that companies with fewer than 250 employees do not need to keep processing records unless “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data…or personal data relating to criminal convictions and offences.”

Does GDPR Apply to Company Data?

GDPR applies to any company or organization located in an EU State. It also applies to enterprises that offer goods and services to, or monitor the behaviour of, any EU client or employee.

Any company that processes data of EU citizens, no matter where it is located, is subject to GDPR guidelines and penalties.

Does GDPR Apply to HR Data?

Human Resources might be the area of your business most affected by GDPR. That department handles all sorts of personal data. Much of it is sensitive. This data, under GDPR guidelines, must be processed with specific care, security and transparency.

In HR, before the introduction of GDPR, less concern existed around what was collected, how it was used, how secure personal data files were, how data was stored and when and how it was erased. HR now has to reconsider how it collects and processes the personal data of its employees, and how that data is used, stored and retained.

GDPR requires that your company have a designated Data Controller who must provide all data subjects with information about personal data processing. This information must be presented at the time of data collection in a clear, simple, concise, easy-to-understand and transparent manner.

HR will also be involved in other new employee duties under GDPR. Data Protection Officers must be appointed by every business that processes data of EU citizens. Data Controllers and Data Processors are also required. These may not necessarily be new hires. These duties could be assigned to existing employees, but a clear outline of their duties and remuneration for such must be handled by Human Resources.

The duties of Data Protection Officers are outlined by GDPR Article 37. They apply to companies that do significant systemic monitoring and/or processing of sensitive personal data.

Moreover, data subjects must be informed of their rights regarding that personal data. They must have access to their data file. They have the right to request changes, modifications, additions, corrections and deletions. They have the right to request that their file be transferred electronically to another business. They have the right to request their file be erased.

Your HR department is obligated to inform all EU citizens about their personal data file. Your company must also have a process for receiving data subject requests and for dealing with these.

Employee consent has changed under GDPR. Regulations state that consent must be “freely given, specific, informed and unambiguous.” The GDPR clearly states that entering an employee contract must not hinge on employee consent to personal data processing.

GDPR regulations state: “If for any reason you cannot offer people a genuine choice over how you use their data, consent will not be an appropriate basis for processing. This may be the case if, for example, you are in a position of power over the individual – for example if you are a public authority or an employer processing employee data.”

Data may be collected electronically. It may also be organized in data sets. Profiling of data may occur in your department. This information must be given to all EU citizens who are employed by your company.

Employees or candidates for hiring must be asked for their consent to collect, use, store and erase personal data.

Processing personal data is allowed under GDPR only to the extent it is used for the original purpose for which it was collected.

If the data is to be used for a different purpose later on, a new consent form outlining the repurposing of this data must be signed by the employee.

Data Controllers have the responsibility for ensuring that only that personal data necessary for a stated and agreed-upon purpose is processed. GDPR states that data collected, used, and stored must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.

HR must collect only enough data for their stated purpose.

HR also has a responsibility to ensure personal data is correct and current. Any data that is inaccurate or outdated should be deleted or modified. Moreover, your company’s Data Controller must take “every reasonable step” to comply with this GDPR principle.

HR can no longer retain personal data files when they no longer require the personal data for its stated reason for collection. Under GDPR guidelines, HR should now conduct a regular review of personal data and have a clearly outlined process for removing personal data files from storage and erasing them in a secure and methodical manner.

Under the new GDPR guidelines, personal data must be protected against anyone who is not authorized to access it. Personal data of EU citizens must be protected from being used inappropriately, i.e., for a purpose not stated at the time of its collection.

Your company’s Data Controller must look critically at the present level of security to ensure it is adequate to provide these protections. Moreover, security measures must be checked regularly to ensure they remain appropriate.

If a breach in personal data occurs, HR and your Data Controller need to have a clear process for analyzing these breaches and for reporting them to GDPR authorities if they are deemed reportable.

High-profile breaches of HR data can be extremely serious for your company, not just in severe fines but also in professional embarrassment and a bad image for the company.

Your company must demonstrate GDPR compliance. Self-reporting procedures must be in place. All employees need to be aware of GDPR rules and how the company complies with these regulations.

How can HR ensure GDPR compliance?

HR teams must understand the complexities of GDPR and the implications for the company in general and HR specifically. HR needs to give the document a thorough reading and review its present policies of collecting, using, storing and deleting data.

A good first step is to examine current data protection policies and practices when it comes to safeguarding employee personal data, contracts, HR handbooks and employment policies.

Next, HR should ensure full transparency concerning what is collected, processed and retained.

HR should ensure they have employee consent for all personal data collections. This consent needs to be signed and stored. HR should note that the present employee consent form is unlikely to be acceptable under the GDPR. Why has HR collected data to date? Will there be changes under the GDPR? A test of the legitimacy of data processing is: Does the employer have a legal need for the data that is presently being collected? Does any of this data, or the method of its collection, unfairly affect the rights of EU citizens who are employees?

HR should identify employees and clients who are EU citizens and thus under GDPR protection.

HR should devise a process for informing all employees and clients of their rights and decide upon a method of training employees on how GDPR relates to present data protection policies.

HR needs to appoint someone who will co-ordinate compliance with GDPR reforms and monitor activity. The increased burden to self-report should be examined in light of having a clear procedure in place for doing so.

Does GDPR Apply to Marketing Data?

If you are involved in marketing data anywhere in the world, then chances are GDPR regulations apply to your company.

If your company collects and uses personal data of any citizen of any of the twenty-eight European Union countries, then GDPR guidelines apply to you. If your business is involved in mobile marketing, then it has a global base of buyers and potential buyers which includes, in all probability, some EU citizens. Thus, the new law applies to your business.

Does GDPR Apply to US Companies?

The quick answer here is: probably yes. GDPR applies to American enterprises if they process personal data of EU citizens. Before you say, “No, my company does not handle EU data,” consider these three possibilities:

Article 44 discusses international data transfers. If your company deals with data from EU citizens through electronic transfer of personal data of employees, potential hires, or clients to whom you offer goods or services, then your American-based company is subject to GDPR regulations.

Article 3 paragraph 1 applies to your company’s Data Controller and Data Processors. Whether data is collected inside EU Member States or not, if the data belong to an EU citizen then your company is liable to GDPR rules and penalties.

Article 3 paragraph 2 concerns processing of personal data of EU data subjects by a Controller or Data Processor who is not in an EU State. If this data is related to offering goods or services to an EU citizen, anywhere in the world, then your company is subject to GDPR regulations and penalties.

If your company monitors the behavior of an EU citizen then your company profiles EU citizens and is subject to GDPR regulations.

Does GDPR apply to non-European Companies?

The General Data Protection Regulation (GDPR) is a European Union (EU) established regulation. If your company does not have a location in EU states, then it is a non-European company. However, that does not mean your company is not affected by GDPR. The impact of this legislation in our global economy has far-reaching effects well beyond EU countries or even the European continent.

GDPR targets how businesses and public sector companies handle the personal data of the seventy-five million European Union citizens. Those business people who are not located in European Union states have mistakenly assumed that GDPR has no bearing upon their company if they are non-European business enterprises. If your company collects any data from an EU citizen then your company, no matter where it is located, is affected by GDPR guidelines and fines.

Under Article 3 of the GDPR, territorial scope is an issue. Companies outside the EU jurisdiction may be liable to GDPR rules and penalties.

If your company processes personal data of EU citizens, even though your business and/or the EU citizens are not in the EU area, your company is subject to GDPR rules.

If you are a non-EU company, or a company that has no sites in Europe, that processes personal data of EU citizens related to your offering services or goods and/or monitoring the habits of EU citizens whose behavior takes place in an EU State, then your non-EU company must comply with the GDPR.

If EU law applies in the country where your offices are located then GDPR applies to your non-EU company.