GDPR: To Whom Does GDPR Apply?

Article 3 of the General Data Protection Regulation (GDPR) states:

Territorial Scope
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

The key phrase for applicability is “in the Union,” in the physical sense:
– Any organisation based in the Union must comply with GDPR, for all data processes that make use of personal data (employees, customers, supply chain, etc.).
– Any organisation not based in the Union but which offers goods or services to, or monitors the behaviour of, data subjects in the Union, must also comply with GDPR.

Therefore:
– An organisation outside the Union offering goods or services to, or tracking the behaviour of, an individual who is physically in the Union, must comply.
– An organisation outside the Union offering goods or services to, or tracking the behaviour of, an individual who is not physically in the Union, does not have to comply.
– An organisation outside the Union hiring an individual with EU citizenship for a job role outside of the Union does not have to comply. GDPR is blind to the idea of “EU citizenship”; it is not on this basis that GDPR applies.
– A visitor to the EU, while in the EU, is afforded the same rights of data protection as anyone who lives in the EU, whether dealing with organisations inside the EU (per Article 3(1)) or with those outside that offer products and services to, or track the behaviour of, individuals physically in the EU (per Article 3(2)).
