The General Data Protection Regulation was introduced to improve data privacy rights and security of EU citizens.
One of the goals was to harmonize data privacy laws throughout the EU / EEA.
Article 3 of the GDPR deals with the territorial scope of the regulation.
The territorial scope is broad in essence.
Under section 1, it includes the processing of personal data for a data controller / processor established in the EU, for example a company with its main registered office in the EU. This will include businesses, charities, not-for-profits and public authorities set up in the EU.
Under section 2, the territorial scope of the GDPR rules will apply to all data controllers / processors where there is processing of the data of data subjects who are in the EU. For example, if a company is offering goods or services in the EU, then the GDPR rules will apply to it.
Are you a Data Controller or Data Processor?
A data controller is a natural or legal person who determines the purposes and means of the processing of personal data.
A data processor is a natural or legal person who processes the data on behalf of the data controller.
Compliance
A data controller must comply with the Data Protection Acts' requirements on the collection, processing, keeping and use of personal data. The principles of lawfulness, fairness, transparency, purpose limitation, minimisation, accuracy and accountability must apply.
Extra Territorial Scope
The GDPR has an expanded territorial scope, as both EU-based and non-EU-based entities can attract the requirements under GDPR.
If a business is based in Australia, for example, but offers goods and services in an EU country, then GDPR will apply to it.
The location of the data controller is one consideration; whether the data controller offers goods and services in the EU is another.
The GDPR has a global impact, and businesses, wherever they are, must comply with GDPR rules if they deal with EU citizens' data.
There are significant penalties for non-compliance.
Each EU state has its own data protection commission, and the EU also has the European Data Protection Board.
International Transfer of Data
If an entity is a data controller or data processor and is transferring personal data outside of the European Economic Area, then it is crucial to ensure compliance with data protection / GDPR requirements. Adequate data protection standards must be in place.
EU standard contractual clauses are dealt with by the European Commission. These are legal agreements which permit businesses to transfer personal data from the EEA to a country outside of the EU if adequate levels of data protection are in place.
