The General Data Protection Regulation (GDPR) is a comprehensive framework that regulates personal data collection in the European Union. Even though 6 years have passed since its implementation, numerous businesses struggle to understand GDPR’s scope and extent. This blog aims to clarify who the GDPR applies to and assist you in determining its relevance to your business.
Who is affected by GDPR? 7 key groups
The scope of GDPR extends to all establishments in the European Union and businesses outside the EU if they process the personal data of EU citizens or monitor their behaviour.
The following are the 7 key groups that the law covers.
#1 Establishments in the European Union
The GDPR applies to establishments in the EU. While the law does not offer a precise definition of an establishment, it specifies that:
- It must have a stable arrangement; and
- Its legal structure is not a major factor
Therefore, whether the organisation is active in the Union through a subsidiary or a branch is not a major determining factor.
Furthermore, GDPR applies to your business if your company has employees or a representative in the EU and processing activities occur in that context, or if your company is registered in the EU.
Let us look at some examples of establishments provided by the European Data Protection Board.
#2 Establishments outside the European Union
The European data privacy law takes an extra-territorial approach and applies to data controllers or processors outside Europe that:
- Offer products or services to EU citizens, whether or not any payment is involved
- Monitor the behaviour of EU citizens
#3 Data controllers or processors
A data controller is a person or a body that makes decisions on the purposes and means of processing personal data. They determine the categories of personal data to be collected, why they are collected, how they are processed, who has access, etc.
On the other hand, a data processor processes the data on behalf of the data controller. They act on the controller’s instructions and have little or no decision-making powers.
- A gaming website owner collecting personal information from its users is the data controller and the hosting service that hosts the website is a data processor.
- A blogging website that gathers personal data through cookies from visitors acts as a data controller, while its Consent Management Platform functions as a data processor.
#4 Offer products or services to EU citizens
The law requires non-EU businesses offering goods or services to EU citizens to be GDPR-compliant. Whether you meet this criterion depends mostly on your intention to target EU customers.
A Texan shoe manufacturing company with a website that allows customers to purchase in Euros or a Japanese online retailer that mentions their EU customer base or publishes testimonials of European customers are likely bound by GDPR.
Companies like the ones above must follow GDPR standards and take necessary steps to ensure and demonstrate compliance, even if they don’t have a physical presence within the union.
Your website can comply with the GDPR consent management requirements effortlessly using cookie consent solutions. CookieYes is a simple, efficient, and privacy-oriented cookie consent solution chosen by 1.5+ million businesses. We value our customers and proactively evolve with the updated privacy requirements. Ensure compliance effortlessly by implementing a GDPR cookie consent banner in a few simple steps.
#5 Monitors the behaviour of EU citizens
A non-EU business that monitors the behaviour of Europeans falls under the scope of GDPR. This includes tracking how a data subject behaves online and then using the data to create a profile that can be used for multiple purposes, such as advertising.
Subscription services such as music and movie streaming services often create profiles of their users and send recommendations that suit their liking. Furthermore, getting online ads based on the content you browsed on the web also involves profiling.
#6 Engages in professional or commercial activities
GDPR does not apply to data processing for personal or household activities. Therefore, saving friends' or family members' contact numbers or sending individual emails does not invoke GDPR.
GDPR applies if you use personal data for professional or commercial purposes such as targeting ads or sending marketing emails.
#7 Processes personal data of living persons
Personal data under GDPR is any information that can directly or indirectly identify a natural person, including:
- Name
- Email address
- Phone number
- Biometric information
- Sexual orientation
- Ethnic origin
- IP addresses
- Cookies and other tracking technologies
- Other online identifiers
As a general rule, the law does not cover the processing of deceased individuals’ personal data. However, EU member states are allowed to provide their own rules on handling such data.
Does your company need to comply with GDPR?
Whether GDPR compliance is necessary for your company depends on several factors, such as whether your company:
- Has an establishment or a physical presence in an EU country
- Processes the personal data of individuals in the European Union
- Offers products or services to EU citizens
- Monitors the online behaviour of individuals within the EU
GDPR also covers a data controller established outside the EU if member state laws apply due to international law, such as a US embassy in Italy that processes EU personal data.
Small and medium enterprises (SMEs) and non-profit organisations also fall under GDPR’s scope. However, GDPR offers some leniency towards SMEs, such as exemptions from record-keeping obligations and from the appointment of Data Protection Officers (DPOs).
Does the GDPR apply to an individual?
GDPR does not apply to individuals who do not process personal data for commercial or professional activities. It aims to regulate the data practices of companies processing personal data, to protect privacy rights and prevent data breaches.
This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity.
Recital 18 of GDPR
Therefore, individuals processing personal data for personal or household activities do not need to comply with GDPR, but all EU citizens retain privacy rights such as the rights to rectification, erasure, access, objection, portability and restriction, and rights related to automated decision-making.
Does the GDPR apply outside the European Union?
Yes. The extra-territorial scope of the GDPR extends to businesses in non-EU countries that intend to sell their products or services to Europeans or monitor their behaviour. Marketing products in EU-specific languages or offering payment options in European currencies are some indicators that you target EU citizens.
An online tutoring application that primarily serves EU citizens must adhere to GDPR. However, if the app does not specifically target European customers, it is not required to comply, even if users can access the classes from anywhere in the world, including EU countries.
The slides below show how the Jack & Jones website features a country selector that allows users to choose their country, view the products in their language and purchase in Euros.
GDPR also applies to places where member state law applies by virtue of international law, such as a member state’s diplomatic missions.
How to find out if the GDPR applies to you? 4 questions to ask yourself
Take a moment and answer these questions to determine if the EU data protection law applies to your business.
Is your business based in the European Union?
If you have a physical presence in the EU or the European Economic Area (EEA), regardless of whether it is a branch, subsidiary or main establishment, the law likely applies to you.
Other factors that determine whether your business is established in the EU include:
- Where decisions regarding data collection and processing are made
- Location of data processing
- Company registration location
- Whether there are employees or representatives in the Union
Do you process EU citizens’ personal data?
If you collect personal data from Europeans, offer products and services to them or monitor their behaviour, the law applies to you. GDPR protects the privacy of EU citizens irrespective of where the business is located.
Do you process personal data for personal or household purposes?
If yes, the law does not apply to you. GDPR primarily focuses on companies using personal data for commercial or professional purposes.
What if I am an SME or a smaller business?
GDPR applies to SMEs and smaller businesses with fewer than 250 employees. However, the law offers some exemptions, such as from record-keeping duties or appointing a DPO, under certain conditions. These derogations take into account the limitations of small businesses and ensure the free movement of data without compromising privacy.
What are the penalties for GDPR non-compliance?
GDPR enforcement is carried out by the Data Protection Authorities (DPAs) of member states.
The enforcement actions for non-compliance depend upon various factors, such as the nature of the infringement and whether it was negligent, previous infringements, and the actions taken by the controller or processor to avoid violations. Non-compliance fines can go up to 4% of the total annual turnover or 20 million Euros.
FAQ on GDPR’s scope
GDPR does not apply to businesses that have no connection with the EU in terms of physical location, operation, customers, or revenue. Unlike CCPA or other US privacy laws, GDPR does not exempt non-profit organisations or small businesses.
The 7 principles of GDPR are:
- Lawfulness, fairness, and transparency
- Accountability
- Data minimisation
- Purpose limitation
- Accuracy
- Storage limitation
- Integrity and confidentiality
No. US companies collecting personal data from EU citizens must comply with the GDPR requirements. They must follow the GDPR principles, implement security safeguards, meet consent requirements, honour data subject rights, and monitor processing activities and data transfers.