Who Does GDPR Apply To?

The general data protection regulation (GDPR) is the primary data privacy regulation in the EU. It dictates how businesses must process EU residents’ personal data. GDPR was introduced to protect individuals from privacy violations and give them control over their personal information.

Understanding how this applies to your business is more important than ever as regulators continue to refine policies and crack down on non-compliant organizations. 

Does GDPR apply to my company?

The short answer is that if you have EU customers, then GDPR applies to you. The long(ish) answer is that GDPR applies to all companies that fall into one of these two categories:

  1. A company based in the EU that processes personal data 
  2. A company not based in the EU offers (a) products or services to EU citizens and residents or (b) monitor their behaviour.

So if your company is based in the EU or processes the personal data of EU citizens and residents, then you must comply with EU data regulations. 

This is known as the “extra-territorial effect” and prevents companies from moving their processing activities outside the EU to avoid obligations imposed by the GDPR.

When does the GDPR apply outside Europe?

There are two scenarios in which a non-EU-based company would have to comply with the GDPR:

  1. You offer goods or services to EU citizens and residents; or
  2. You monitor the behaviour of EU citizens and residents 

Let’s take a closer look at each of these two scenarios.

Offering goods or services

The internet makes it easy to offer goods and services across the globe. Intention alone is enough to be deemed to offer goods or services to people in the EU. In determining whether a company intends to offer goods and services to people in the EU, regulators look for things like:

  • Including Euro (€) pricing on your website
  • Serving ads to individuals in EU countries
  • Having languages on your website for EU countries
  • Offering to ship to EU countries

An example would be an e-commerce store based in the USA that shows pricing in Euros or offers to ship to EU countries. This e-commerce business would be subject to the obligations of the GDPR.

Monitoring behaviour

Suppose you use tracking tools on your company website(s) that use cookies to track the IP addresses of people who visit your website from EU countries. In that case, you fall under the scope of the GDPR. Given that most websites in the world use analytics cookies, it is highly likely that your company falls into this category.

An example would be a US web development company based in Florida, selling websites mainly to Florida businesses. But they track and analyze EU visitors to their company’s website. Then they would be subject to the obligations of the GDPR.

Are there any exceptions? 

There is only one exception, but it is unlikely companies could ever avail of it. GDPR does not apply to “purely personal or household activity”. An example would be collecting email addresses to organize a dinner with friends. In this scenario, you can rest easy knowing you will not be in the cross hairs of the GDPR.

Conclusion

If you believe that GDPR applies to your company, it’s a good idea to familiarise yourself with your obligations and ensure you are compliant. The reason for this is that there are penalties for non-compliance.

Supervisory authorities can impose penalties up to €20 million or up to 4% of your company’s total global annual turnover of the previous financial year, whichever is higher.

Despite supervisory authorities having limited enforcement powers against overseas entities, they can coordinate with foreign regulators in taking enforcement action.