Where does the GDPR apply?

The GDPR makes a number of important changes to the existing data protection framework. One of the most important is its expanded territorial scope. Under the GDPR, the location of the individual whose data is being processed is a key factor, whereas the existing EU Data Protection Directive is more concerned with the location of the processing.

In practical terms, this means that the GDPR will now apply to organizations based outside the EU that offer goods and services to, or monitor the behavior of, EU-based individuals. For example, a US-based retailer selling goods or services to EU-based customers and processing their data in the US could now find that they fall within scope of the GDPR.

This expansion of scope was set out as one of the main objectives of the GDPR and was designed to harmonize the regime for organizations established inside and outside the EU.

If your organization is based in the EU and is using service providers who process personal data outside of the EU, you should assess their arrangements for compliance with the GDPR before May 2018. For further information on how you can work with suppliers to prepare for GDPR see this post on working with suppliers.

While the GDPR extends the protection of personal data outside of the EU, it does not affect the means by which personal data may legally be moved abroad. Transfers of personal data outside of the EU are based on mechanisms designed to afford adequate levels of protection to that data in the country it is transferred to. There are a number of legal mechanisms currently in use for such international transfers including EU adequacy rulings, model contract clauses, and the EU-US Privacy Shield to transfer personal data from the EU to the US. The GDPR also allows for additional mechanisms to be developed in future. You can find further information on existing adequacy agreements and examples of model contract clauses on the European Commission website.

In short, the GDPR aims to give EU residents peace of mind that their personal data is protected. More information on the GDPR is available from your national or lead data protection authority as applicable under the GDPR, and from data privacy associations such as the International Association of Privacy Professionals (IAPP).