News and Publications

Does the GDPR apply to my business?

Posted: 04/02/2020

Guidance on how and when the GDPR applies to businesses outside the EU/EEA and the impact of Brexit

Many businesses based outside the EU/EEA may be subject to the General Data Protection Regulation (GDPR) – even if just in relation to some of the data processing activities they carry out - due to the extra-territorial effect of the Regulation. However, the test of jurisdictional scope is not straightforward and businesses could find it difficult to decipher if the GDPR applies to them and, if so, the extent to which it applies. In particular, multinational entities may not be certain which entities within their group are subject to the GDPR and/or what data processing activities are within or outside its scope.

In short, GDPR applies to data processing activities in the following two situations:

  • where businesses and organisations which have an ‘establishment’ in the EU/EEA process personal data in the context of the activities of such an establishment, regardless of whether the actual processing takes place in the EU/EEA or not;
  • where businesses and organisations that are not established in the EU/EEA process personal data about EU data subjects in relation to either (a) the offering of goods or services to them, irrespective of whether payment is required or (b) the monitoring of their behaviour within the EU/EEA.

The same territorial scope applies for both processors and controllers. Therefore, data processors who handle the data of EU data subjects within the above scope will (a) have direct obligations as processors under the GDPR; (b) be bound by mandatory data processing provisions within their contract with the controller (or processor, if they are a sub-processor) as required under Article 28, GDPR; and (c) if located outside the EU/EEA, these processors and sub-processors may (depending on whether or not they are located in a “white-listed” jurisdiction for EU purposes) also have to comply with specific further safeguards such as the contractual provisions within the EU approved standard contractual clauses or (for the US) requirements of the Privacy Shield certification regime, if relevant.

The European Data Protection Board (EDPB) has published guidelines on the territorial scope of the GDPR and adopted a final version of the guidelines in November 2019 following public consultation. Our flowchart attempts to distil this guidance into an easy-to-apply format. For multinational groups, the flowchart ought to be considered for each separate entity being assessed.

Arrow GIFReturn to news headlines

Penningtons Manches Cooper LLP

Penningtons Manches Cooper LLP is a limited liability partnership registered in England and Wales with registered number OC311575 and is authorised and regulated by the Solicitors Regulation Authority under number 419867.

Penningtons Manches Cooper LLP