November 28, 2018
On November 23, 2018, the European Data Protection Board (EDPB) adopted new draft guidelines intended to provide clarity with respect to the territorial scope of the European Union’s General Data Protection Regulation (GDPR). The highly anticipated GDPR guidelines provide needed clarification on several key issues, including how the GDPR will be applied to business entities located in different parts of the world, and which businesses will need to appoint a representative in the European Union (EU) to act as a liaison with local supervisory authorities.
Given the severity of the penalties for violations of the GDPR, all US and EU businesses should closely follow the newly released guidelines in order to ensure that they are in full compliance with the GDPR.
What Do the New GDPR Guidelines Mean for My Business?
By way of background, the GDPR imposes significant requirements on “data controllers” (business entities that determine the purpose and means of processing personal data) and “data processors” (third-party businesses that process data on behalf of data controllers) within the EU, as well as on such organizations located outside the EU if the organizations: (1) offer goods and services to persons in the EU; or (2) monitor the behavior of individuals in the EU.
The guidelines, in part, further clarify which entities are considered to be within the EU and which entities, while located outside the EU, are nevertheless subject to the GDPR. In addition, further guidance is provided on the nature of the EU-based representative that non-EU entities must appoint as a liaison with EU regulators. Below are some highlights contained within the recent GDPR guidelines:
- A data controller located outside the EU shall not be deemed to be an EU-based entity merely because that controller’s website is accessible in the EU; provided, however, that if even one employee of that data controller works in the EU, that data controller may need to be GDPR compliant if its employee oversees significant business activities and has a long term, stable presence in the EU;
- A data controller located outside the EU that utilizes an EU-based processor for business activities outside of the EU that do not target EU residents is not subject to the GDPR. However, the EU-based processor in the aforementioned example will be subject to the relevant GDPR provisions that apply to data processors;
- Where a data controller subject to the GDPR utilizes the services of a data processor located outside the EU (that is not otherwise subject to the GDPR), that data controller must ensure, by written contract or other legally binding act, that its data processor processes its data in compliance with the GDPR;
- The GDPR applies to data processing/monitoring activities related to any individual who is present in the EU at the relevant time, and is not limited in application to EU citizens, legal residents of the EU or any other legal status of the data subject (meaning that non-EU residents are also covered while they are in the EU). Whether the data subject is located in the EU shall be determined at the moment when the relevant trigger activity takes place, i.e. at the moment that the goods or services are offered to the data subject or the moment when the data subject’s behavior is monitored, regardless of the duration of the offer made or the monitoring undertaken;
- Non-EU entities that are subject to the GDPR must appoint a representative in the EU, but the representative relationship can be based on a service contract entered into with an individual or an organization, such as a law firm, consultant or private company. Please note that this third-party representative may act on behalf of several non-EU data controllers and data processors; and
- When the function of representative is assumed by a company or any other type of legal entity, it is recommended that a single individual be assigned as a lead contact and person “in charge” for each data controller or data processor represented.
GDPR Guidelines – Stay Current!
The most recent GDPR guidelines are part of what is expected to be a series of guidance documents released by the European Data Protection Board, making compliance with the GDPR an ongoing affair. As this blog has cautioned repeatedly, the penalties for violation of the GDPR are daunting (the greater of €20 million or 4% of worldwide revenue). Given the potentially catastrophic liability and the ever-evolving GDPR regulatory framework, it is essential to regularly consult with experienced privacy law counsel.
If you are interested in learning more about this topic or require assistance in connection with GDPR or U.S. privacy law compliance, please e-mail us at firstname.lastname@example.org, or call us at (212) 246-0900.
The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.