EU General Data Protection Regulation (GDPR)
Disclaimer: For specific information about GDPR’s applicability to your operations you should consult with legal counsel or a relevant data protection supervisory authority.
The European Union’s (EU) General Data Protection Regulation (GDPR) governs how personal data of individuals in the EU may be processed and has been in effect since May 25, 2018.
The GDPR is a comprehensive privacy law that applies across industry sectors and to companies of all sizes. EU supervisory authorities are taking actions to help companies understand and comply with their obligations under the regulation.
Enforcement of the GDPR takes place on a national level in EU member states and fines in case of severe non-compliance with the GDPR can reach up to 4 percent of a company’s annual worldwide turnover or 20 million euros – whichever is higher.
For organizations active in multiple EU countries that have an EU headquarters, the GDPR provides a central point of enforcement through a lead supervisory authority based in the same member state as your main EU establishment. This lead supervisory authority will cooperate with other concerned supervisory authorities.
There is also coordinating activity that takes place in Brussels, Belgium through the European Data Protection Board (EDPB). The EDPB promotes the consistent application of the GDPR, including with respect to review of cross-border cases that may involve multiple supervisory authorities.
The GDPR tasks supervisory authorities to “promote the awareness of controllers and processors of their obligations”. Companies may find it helpful to direct questions to supervisory authorities about their compliance obligations.
Role of European Data Protection Board (EDPB)
The EDPB, in its work program for 2021/2022, includes supporting effective enforcement and efficient cooperation between national supervisory authorities as a major focus of its work. The EDPB stated that it will, among other things, continue to promote enhanced coordination between supervisory authorities.
Enforcement will still take place in EU member states, but the EDPB will enhance its role as a forum for supervisory authorities to exchange information about ongoing cases from its headquarters in Brussels.
EDPB Guidance for Companies on the GDPR
Individual supervisory authorities in EU member states publish guidance to help companies operating in their territory comply with any local GDPR data protection requirements, and the EDPB also publishes guidance that is meant to harmonize interpretation of the GDPR across different member state supervisory authorities. For that reason, the EDPB’s Guidelines, Recommendations, and Best Practices – which cover specific topics – can help companies understand what is expected from them across the European Union.
What is the scope of the GDPR and does it apply to me?
The EDPB created guidelines on the territorial scope of the GDPR (Article 3) to help companies understand whether they are subject to the GDPR. The guidelines include hypothetical but practical examples, such as how the GDPR applies when using an Australian content service while on holiday in Germany, or how it applies to a US mapping app for tourists visiting Paris and Rome. Please consult the guidelines for further examples.
EDPB Guidelines on the concepts of controller and processor
The EDPB also created the following guidelines on the concepts of controller and processor in the GDPR which were conceived to help companies understand their respective roles and responsibilities. The guidelines include hypothetical examples, such as:
A large cloud storage provider offers its customers the ability to store large volumes of personal data. The service is completely standardized, with customers having little or no ability to customize the service. The terms of the contract are determined and drawn up unilaterally by the cloud service provider, provided to the customer on a “take it or leave it basis”. Company X decides to make use of the cloud provider to store personal data concerning its customers. Company X will still be considered a controller, given its decision to make use of this particular cloud service provider in order to process personal data for its purposes. Insofar as the cloud service provider does not process the personal data for its own purposes and stores the data solely on behalf of its customers and in accordance with instructions, the service provider will be considered as a processor.
See the European Commission’s website for an authoritative source of information about the GDPR.