
GDPR is not just for EU Citizens!

Never before in history have people been better informed about the introduction of a new law than in 2018 when the General Data Protection Regulation (GDPR) came into effect.

Most of us were bombarded by emails from large and small companies alike requesting our consent to continue to use our personal data. We have also seen no end of articles on the web about what the new legislation requires from businesses, as well as our rights as data subjects under the new GDPR. However, many of them contain a serious error.

The territorial scope of GDPR is vast and the monetary fines for non-compliance are significant enough to make even the tech giants like Google, Facebook and Amazon care about this new legislation.

So what is the common misconception about the scope of GDPR?

That “GDPR applies to collection and/or processing of personal data of EU citizens”

Nowhere in the General Data Protection Regulation have the lawmakers used the term “EU citizen”.

So to save you some time, here is the exact text from the GDPR:

“1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.”

In summary, GDPR applies to you if you process personal data and:

You have an establishment in the EU.

You are not established in the EU but some of your data subjects are in the EU.

You are not in the EU but are established in a place where a member state law applies, such as a diplomatic mission.

See? No mention of EU citizens!