GDPR Applies To

The General Data Protection Regulation (GDPR) is a globally applicable data privacy law that protects consumers in European Union (EU) countries. Every business or organization in the world that markets to or processes data about people in the EU must comply with the GDPR or face severe fines.

This article will discuss the territorial scope of the regulation. We will include detailed examples to help you understand the GDPR and its reach, whether it applies to your business, and, if so, how to comply with its general requirements.

What is the GDPR?

The GDPR is an EU privacy law with worldwide reach: it protects the personal data of consumers in the EU and regulates the monitoring of their behavior. Every commercial enterprise or organization, wherever in the world it is located, that processes the personal data of consumers in the EU or monitors their behavior must comply with the GDPR.

Since fines for non-compliance with the GDPR can be drastic, it is important for you to know whether or not GDPR requirements apply to your business.

Who Does the GDPR Apply To?

The GDPR applies to all businesses and organizations, located in any country in the world, that process personal data of people in the EU, monitor their behavior, or provide them with free or paid goods or services.

Companies Processing Data For Their EU Branch

As Access Tufts at Tufts University asserts, even though the United Kingdom (UK) separated from the EU in 2021 and the European Economic Area (EEA) GDPR no longer applies there, the UK GDPR does.

So, just like data-processing businesses and commercial organizations anywhere else in the world, UK businesses must still comply with all GDPR requirements if their data processing relates to business activities established in an EU member country.

Companies Outside the EU That Monitor or Supply the EU

Businesses and commercial enterprises with no branches, divisions, or company ties to any EU countries must still comply with the GDPR if they either provide goods or services to the EU or monitor the behavior of EU residents.

As the Trade Commissioner of the Government of Canada states:

"The GDPR applies to all companies handling the personal data of EU residents."

If you are monitoring the behavior of residents of any EU country, whether directly - such as tracking sales or subscriptions through a name and shipping address - or indirectly through cookies that collect IP address information or track which web pages site visitors linger on, your business must comply with the GDPR.

Company Circumstances Not Requiring GDPR Compliance

If your target audience does not include people from the EU, but your customers travel to the EU and use your product or service there, the GDPR does not apply to your company.

Remember that if you handle any kind of data from residents of the EU, you are required to comply with the GDPR. If your organization does not process data from EU residents, directly or indirectly, then you are not required to follow the GDPR.

It should also be noted that individuals processing information purely for private use - for example, gathering the names and contact information of family members located in the EU for an upcoming reunion - are not required to comply with the GDPR.

GDPR Applicability With Continental Privacy Laws

Since the GDPR is global in scope, it overrides your nation's data privacy and security laws where EU residents are involved, no matter your continent and country. Looking at how continental privacy laws and world trade regulations work within the worldwide applicability of the GDPR can add deeper context in answering the question, "Who does the GDPR apply to?":

Africa

Brian Daigle of the Journal of International Commerce and Economics, published by the United States International Trade Commission, notes that at least 20 African countries still have no data protection laws but are subject to compliance with the GDPR.

He adds that most of Africa's existing data protection laws likely stem from "...the EU Data Protection Directive, which preceded GDPR."

Asia

Europe is a major trading partner of the Association of Southeast Asian Nations (ASEAN). Some Asian countries, such as Malaysia, still do not have mandatory data protection laws, and privacy laws in other parts of the continent may be mild. Yet the strict GDPR rules are well followed in Asia, as Financier Worldwide reveals.

Australia

The Australian Government Productivity Commission points out that the GDPR focus on consumer privacy protection for EU residents has influenced data security laws in Australia. Assets such as health records are better protected under strict laws to provide Australians with added security.

Europe

The European Commission reported that, two years after the GDPR took effect in the EU, the regulation could be called an "overall success" because it had facilitated:

"...safe data flows, to the benefit of citizens and businesses alike."

The report also mentioned the need to keep up with international technology and keep future legislation in privacy regulations consistent across the EU.

North America

Philip Higginbotham of Business Chief reminds North American businesspeople to avoid potential heavy fines for GDPR non-compliance by looking at their non-obvious sources of EU involvement - such as in supply chain software.

He also reminds companies that processed personal data does not have to include a name but can be a photo or a social media post.

South America

Financier Worldwide notes that the 2018 enactment of the GDPR saw increased data privacy and cyber security regulations throughout Latin America - especially "countries such as Brazil, Chile, Argentina, and Colombia."

The GDPR creates strict standards for businesses around the world that process or monitor the personal information of EU consumers, and holds high penalties for non-compliance.

How to Know if the GDPR Applies to You

When determining if the GDPR applies to you, ask whether your business processes data from people in the EU, or targets such individuals.

The GDPR applies to businesses that are either located in the EU, or direct business activities towards the EU.

Remember to consider indirect targeting as well: if your website tracks visitors from EU countries, the GDPR may apply to you.

Business Activities Requiring GDPR Compliance

  • You offer free services or products worldwide on your website, and at least some of your advertising is targeted at people in EU countries.
  • People from the EU agree to accept cookies on your website that track their device info and behavior on your pages about European sports.
  • You sell handmade jewelry from anywhere in the world to anywhere in the world - and you include pricing in Euros in your ad copy.
  • Your U.S. travel website provides information and bookings for people from the EU wanting to go to the U.S.

Business Activities That Do Not Require GDPR Compliance

  • You have a local American business that sells pizza locally only - including the orders placed through your website for pick-up.
  • You have a college information website targeting American transfer students only. You may occasionally get people from other countries stumbling in, but you do not directly or indirectly collect any data with cookies or other tools.

Real-World Business Examples of GDPR Applicability

For more clarification on which businesses have to comply with the GDPR and which do not, here is a deeper look at specific businesses in different world locales.

The U.S. Nebraska-based plant nursery company, NatureHills.com, sells a wide range of trees, shrubs, and flowers online. This business only sells to buyers in the contiguous United States with all of its products organized by U.S. growing zones, so it is not GDPR applicable.

Moving now to a European-based business, Europe Translations is a European languages translation company located in Belgium. As its website clearly shows, it is GDPR applicable as it targets EU clients.

For instance, its web pages market the company's services in languages such as Spanish, German, and Portuguese.

The U.S. California-based clothing company, Fashion Nova, ships products worldwide and mentions specific shipping rates, times, and options for the EU, so it is GDPR applicable:

Screenshot of Fashion Nova Shipping Options Prices and Times

Based in Canada, Knitty.com accepts site users' donated knitting patterns electronically and offers free patterns by download. It does collect email addresses and has a worldwide reach.

Knitty acknowledges that it is GDPR applicable through this text directed to EU residents and their rights in its Privacy Policy:

Knitty Privacy Policy: European Residents Your Rights clause

AEC Parcel Service ships parcels from the United States and Canada to 31 countries and, of course, in providing that service, handles personal information such as sender names, addresses, and payment details.

The AEC website shows that they target shipping customers for 25 of the 27 EU countries (excluding Cyprus and Malta):

AEC Parcel Service Countries list

How to Comply When the GDPR Applies to You

If you have determined that your business activities involving people in the EU require compliance with the GDPR, you will need to attend to the following main regulatory aspects.

Specific Reasons for Your Data Processing

The GDPR permits personal data processing only for specific reasons. Unless you can show that your processing falls under one of these permitted circumstances, you risk penalties under the GDPR when you collect, store, or sell someone's information.

Technical and Organizational Data Protection and Security

The GDPR advises that both technical and organizational measures should be taken to offer the maximum protection and security of personal data. Be sure to enact all security and protection safeguards you can and only give access to staff or others who need the data.

Privacy Rights

Of course, the privacy rights of EU citizens are at the very crux of the GDPR, and workers in your business who handle that personal information must be aware of the full scope of those rights.

Consent

Under the GDPR, your company must always provide clear consent forms or checkboxes for the EU consumer.

Keeping documented evidence of all consent can help your business stay GDPR compliant.

Accountability

If GDPR compliance is needed by your business, you will have to ensure that the staff and/or any third parties who handle EU data processing follow GDPR requirements. Data collection, processing, and storage processes must all be documented so that your company can prove GDPR compliance.

In creating actionable steps to ensure your business complies with GDPR regulations, make sure you create company procedures and policies that cover the aforementioned areas. To sum up, these are:

  • Having lawful reasons for processing EU residents' personal data
  • Using both technical and organizational data security measures
  • Respecting and listing GDPR data subject privacy rights in your Privacy Policy
  • Asking for, receiving, and retaining clear prior consent for processing the personal information of each EU data subject
  • Documenting all data collection, processing, and storage as proof of your company's compliance with the GDPR

Summary

The GDPR is global in its scope and strict in its enforcement. It protects the data privacy and cyber security of EU residents and also allows them rights in decision-making about how their personal information is processed.

If yours is a company that either directly targets the EU market or monitors its personal information either directly or indirectly, you must comply with GDPR regulations or face severe fines.

Here is an overview of key points to keep in mind about GDPR applicability:

  • Companies anywhere in the world must comply with the GDPR if they either indirectly or directly process the data of EU residents or monitor their behavior.
  • Companies that provide free or paid products and services to EU residents must comply with the GDPR.
  • Companies that target EU consumers - such as by pricing or ads in an EU country language - must follow GDPR guidelines.
  • Staff or third parties who work with the personal data of EU residents must be trained to follow GDPR guidelines.
  • Documentation of EU data subjects' personal information that you or your staff or partners collect, process, and store should serve as proof that GDPR guidelines are followed at all times.