Undoubtedly, like me, your email inbox was inundated last week with notifications from companies regarding their updated privacy policies. Under the EU General Data Protection Regulation (GDPR), which took effect on May 25, 2018, organizations are now required to provide individuals with extensive information about the processing of their personal data. These requirements are more detailed than under the former Data Protection Directive and are geared towards transparency and fairness for the individual.
It is important for data controllers situated outside the EU to know the circumstances in which their processing activities might be governed by the strict EU regime. This is particularly relevant to two types of processing.
First, the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the processing takes place in the EU or not (Article 3(1), GDPR). This is likely to be extended to the EEA. This provision reflects that, in contrast to the current regime, data processors are now specifically included within the scope of the Regulation.
Second, the GDPR applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU where the activities relate to either of the following:
The GDPR defines personal data as “any information relating to a data subject” (Article 4(1)). A data subject is the identified or identifiable person to whom the personal data relates. A person is identifiable if he or she “can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity” of that person (Article 4(1), GDPR).
The GDPR sets out a number of principles with which data controllers and processors must comply when processing personal data (Article 5). These principles form the core of the obligations of the data controller and will usually form the basis of any claim that a data controller has not complied with its statutory duties.
Article 5 includes the following data protection principles:
The GDPR confers a wide range of enforcement powers upon supervisory authorities. Data controllers that fail to present their privacy policies in an appropriate manner, or to include required information, could expose their organizations to potential enforcement action by supervisory authorities.