The GDPR even applies beyond the borders of Europe
It goes without saying that an organisation active in an EU Member state will have to comply with the GDPR. But the GDPR goes beyond that. The GDPR seeks to protect individuals based on their residency in the EU. It therefore applies to any organisation that offers goods or services in an EU Member State or that monitors the behaviour of an EU resident. This is the concept of “extraterritoriality.” It will also apply to any data transferred outside the EU.
If for example, a US company collects data on EU citizens, it is under the same legal obligation it would be if headquartered in France or Germany —even if it doesn’t have any servers or offices there.
Understandably, this may be difficult to enforce, but if a large multinational breaks one of the rules or a smaller company egregiously breaks the rules, it’s possible that the EU regulators will sanction it.
The extraterritoriality concept was introduced largely because companies such as Google and Facebook keep their servers outside Europe and have been arguing that since their data processing also takes place outside Europe, the EU rules shouldn’t apply. The European Court of Justice ruled against Google in a landmark case and extraterritoriality was included in the GDPR, so EU residents should be fully protected going forward.
The GDPR places specific requirements on EU organisations that send personal data out of the EU for processing. It requires special contracts to be in place or other international accords that will provide an extra layer of protection to data that leaves the EU.
If you're not based in the EU, but provide services to EU residents or organisations that work with EU residents, you'll need to comply.
1st Floor | 10/11 Exchange Place