GDPR applicability, i.e. whether an organization is subject to the GDPR or not, is a tricky topic. The Regulation’s definition of personal data is very broad and can include things like IP addresses.
This means that as a business, you’re likely to process personal data. Therefore, you must consider whether the GDPR applies to you from a territorial perspective.
👀 It’s not easy. That’s why we compiled this short guide with all that you need to know, plus examples. Of course, we always recommend consulting a legal professional to understand your specific situation. Let’s dive in!
In this post, we explain:
The GDPR is a European regulation that became fully enforceable on May 25th, 2018. It is the most robust and strictest privacy law to date, and applies to the processing of personal data.
At its most basic, it specifies how personal data should be lawfully processed, collected, used, protected or interacted with in general.
GDPR’s main provisions include:
🔍 A bit confused by European privacy laws? Check out this quick recap here!
GDPR Article 3 sets out the conditions of territorial applicability, or in non-legalese, who is subject to the GDPR.
In short, the GDPR can apply where:
This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: the offering of goods or services (…); or the monitoring of their behaviour as far as their behaviour takes place within the Union.
👉 The GDPR can apply to you whether your organization is based in the EU or not;
👉 If you are an EU-based data controller, you must apply GDPR standards to all users (not only users in the EU)!
“Data controller” means any person or legal entity involved in determining the purpose and ways of processing the personal data.
There are two main instances in which the GDPR may not apply to you. First, the GDPR does not apply to you if you are not based in Europe AND you are not targeting European users’ personal data. Second, the GDPR does not apply to you if you are not processing any personal data at all.
👉 No! Because…
The GDPR is meant to protect European users, and therefore it can extend to foreign businesses too.
You might be wondering whether the GDPR applies to you as a US-based company. It depends on many different circumstances, but if you are targeting European users, then yes, it may apply to you and you must comply. If you aren’t, the law should not apply to you.