On the 25th May 2018 a new data protection regulation, the EU GDPR, became law in all EU Member States. This new regulation has far-reaching implications for organisations both within and outside the European Union.
It imposes new obligations on both data controllers and processors and enhances data subject rights. Since then, several organisations outside the EU have opted to block all web traffic from EU-based data subjects. This approach is short-sighted and demonstrates that these companies have never taken their data subjects' rights seriously. In fact, they have decided to tell the world that they do not respect data subject rights and that they want to do whatever they like with our personal data.
If you are based outside the EU you may think that the regulation does not apply to you and your business. The fact is that the EU GDPR has an enhanced territorial scope: it affects companies both inside and outside the EU. Any company dealing with EU data subjects' personal data will have to comply with the GDPR. Even if a company has no European presence, it will still have to understand the impact of the GDPR if it processes an EU resident's personal data. This includes data collected in connection with goods and services offered to that person, or the monitoring of their behaviour as far as that behaviour takes place within the EU. The wording of Article 3 of the EU GDPR makes no reference to citizenship: it applies to any 'data subject' in the EU, i.e. a person living in the EU. Article 3(2) applies to the processing of personal data of any individual "in the EU". As such, the individual's nationality or residence is irrelevant.
Where Article 3(2) applies, controllers or processors must appoint an EU-based representative. In essence, the GDPR has reframed privacy regulations around the location of the data subject, rather than the location of the data controller or processor. If your business is targeting its goods and services for sale within the EU, it will need to be GDPR compliant.
Businesses outside the EU will also need to designate a representative in the EU who will “act on behalf of the controller or processor and may be addressed by any Data Protection Authority (DPA)”. The representative can be subject to enforcement proceedings in the event of non-compliance by a non-EU controller or processor.
You may think that the risk of your business ever being caught for non-compliance is low. Think again. Data Protection Authorities could seek a court injunction to block a service if personal data is being unlawfully processed. If personal data is processed unlawfully in relation to the sale of physical goods, those goods could be seized by trading standards or by customs at the border, or trade restrictions could prevent the business from selling its goods in the EU at all.
The GDPR does permit personal data transfers to a third country or international organisation, subject to compliance with certain conditions, including conditions for onward transfer. Similar to the framework set out in the Data Protection Directive, the GDPR allows data transfers to countries whose legal regime the European Commission has deemed to provide an "adequate" level of personal data protection. In the absence of an adequacy decision, transfers to non-EU states are still allowed under certain circumstances, such as through standard contractual clauses or binding corporate rules (BCRs). Derogations are also permitted in limited additional circumstances.
Under Article 49, appropriate safeguards include:
- Legally binding and enforceable instrument between public authorities or bodies.
- Binding corporate rules in accordance with Article 47.
- Standard data protection contractual clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2).
- Standard data protection contractual clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2).
- An approved code of conduct pursuant to Article 40, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.
- An approved certification mechanism pursuant to Article 42, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.
How Do You Feel About The GDPR? Comment Below
By Nick Blomely
About Hansal International (www.hansal-international.com)
Hansal International helps businesses and individuals to conceive, plan and achieve transformation.
Hansal has successfully delivered global data privacy programmes for a number of multinational clients and now has several clients in Qatar. With Hansal you have access to our worldwide team of experienced business leaders and professional coaches across Europe, the Middle East, Africa and Asia, as well as to our partner companies that share our values and goals. We have the expertise and experience to make your data privacy programme a success.
If you require support, please contact us at firstname.lastname@example.org and we would be happy to send you more information.