General Data Protection Regulation Updates
Article written by International Trade Specialist Hannah Bracken & Commercial Specialist Tea Jardas, CS Europe Office.
For specific information about GDPR’s applicability to your operations you should consult with legal counsel or a relevant data protection supervisory authority.
You may know that the GDPR is comprehensive privacy legislation that applies across industry sectors and to companies of all sizes, but do you understand enforcement activities and what EU regulators (supervisory authorities) are doing to help companies understand and comply with their obligations?
How is the GDPR Enforced?
Enforcement of the GDPR takes place at the national level in EU Member States, and fines for severe non-compliance with the GDPR can reach up to 4 percent of a company’s annual worldwide turnover or 20 million euros – whichever is higher.
For organizations active in multiple EU countries that have an EU headquarters, the GDPR provides a central point of enforcement through a lead supervisory authority based in the same Member State as your main EU establishment. This lead supervisory authority will cooperate with other concerned supervisory authorities.
There is also coordinating activity that takes place in Brussels, Belgium through the European Data Protection Board (EDPB). The EDPB promotes the consistent application of the GDPR, including with respect to review of cross-border cases that may involve multiple supervisory authorities.
The GDPR tasks supervisory authorities to “promote the awareness of controllers and processors of their obligations”. Companies may find it helpful to direct questions to supervisory authorities about their compliance obligations.
Role of the European Data Protection Board (EDPB)
The EDPB, in its work programme for 2021/2022, includes supporting effective enforcement and efficient cooperation between national supervisory authorities as a major focus of its work. The EDPB stated that it will, among other things, continue to promote enhanced coordination between supervisory authorities.
Enforcement will still take place in EU Member States, but the EDPB will enhance its role as a forum for supervisory authorities to exchange information about ongoing cases from its headquarters in Brussels.
EDPB Guidance for Companies on the GDPR
Individual Member State lead supervisory authorities publish guidance to help companies operating in their territory comply with any local GDPR data protection requirements, and the EDPB also publishes guidance that is meant to harmonize interpretation of the GDPR across the different Member State lead supervisory authorities. For that reason, the EDPB’s Guidelines, Recommendations, and Best Practices – which cover specific topics – can help companies understand what is expected from them across the European Union.
What is the Scope of the GDPR and Does It Apply to Me?
The EDPB created the following guidelines on the territorial scope of the GDPR (Article 3) to help companies understand whether they are subject to the GDPR. The guidelines include hypothetical examples, such as:
- Use of an Australian Content Service While on Holiday in Germany (Scenario)
  - An Australian company offers a mobile news and video content service, based on users’ preferences and interests. Users can receive daily or weekly updates. The service is offered exclusively to users located in Australia, who must provide an Australian phone number when subscribing.
  - An Australian subscriber of the service travels to Germany on holiday and continues using the service.
  - Although the Australian subscriber will be using the service while in the EU, the service is not “targeting” individuals in the Union, but targets only individuals in Australia, and so the processing of personal data by the Australian company does not fall within the scope of the GDPR.
- US Mapping App for Tourists While Visiting Paris and Rome (Scenario)
  - A start-up established in the USA, without any business presence or establishment in the EU, provides a city-mapping application for tourists. The application processes personal data concerning the location of customers using the app (the data subjects) once they start using the application in the city they visit, in order to offer targeted advertisements for places to visit, restaurants, bars, and hotels. The application is available for tourists while they visit New York, San Francisco, Toronto, Paris, and Rome.
  - The US start-up, via its city-mapping application, is specifically targeting individuals in the Union (namely in Paris and Rome) by offering its services to them when they are in the Union.
  - The processing of the EU-located data subjects’ personal data in connection with the offering of the service falls within the scope of the GDPR as per Article 3(2)a. Furthermore, by processing the data subjects’ location data to offer targeted advertisements based on their location, the processing activities also relate to the monitoring of the behavior of individuals in the Union. The US start-up’s processing therefore also falls within the scope of the GDPR as per Article 3(2)b.
EDPB Guidelines on the Concepts of “Controller” and “Processor”
The EDPB also created the following guidelines on the concepts of controller and processor in the GDPR, which were conceived to help companies understand their respective roles regarding consumer data protection. The guidelines include hypothetical examples, such as:
- Controller vs. Processor in the Provision of Cloud Services (Scenario)
  - A large cloud storage provider offers its customers the ability to store large volumes of personal data. The service is completely standardized, with customers having little or no ability to customize the service.
  - The terms of the contract are determined and drawn up unilaterally by the cloud storage service provider and provided to the customer on a “take it or leave it” basis.
  - Company X decides to make use of the cloud provider to store personal data concerning its customers. Company X will still be considered a “controller”, given its decision to make use of this cloud service provider to process personal data for its own purposes. If the cloud service provider does not process the personal data for its own purposes and stores the data solely on behalf of its customers and in accordance with their instructions, the service provider will be considered a “processor”.
- For a detailed overview and further information, please also visit the International Trade Administration’s Country Commercial Guide for the EU.
- The European Commission’s website is an authoritative source of information about the GDPR.
- The EDPB’s Guidelines, Recommendations, and Best Practices can help companies understand what is expected from them across the European Union.