The territorial scope of the new data protection regulation applicable from May 2018 (GDPR) is much wider than that of the current directive 95/46/CE.
As a consequence, the new data protection rules may apply to any business, whether or not it is located within the EU, if certain conditions are met.
Below is a questionnaire/guidance that should help you consider whether or not the GDPR applies to a specific activity. However, given the complexity of some definitions, a detailed analysis of the activities might be necessary to answer some of the questions accurately.
QUESTION 1
Does your company handle personal data* for any reason whatsoever? (e.g. for your business, for a third party's business or through a third party)
YES: go to Q2;
NO: your business is unlikely to be subject to the GDPR
*Personal data is any information that makes it possible to identify an individual, whether directly or indirectly; it may concern employees, third parties, customers etc.
QUESTION 2
Do you have an establishment (i.e. office, branch, subsidiary, headquarters…) located within the EU?
YES: go to Q3;
NO: go directly to Q4
QUESTION 3
Do one or more personal data processing operations take place in the context of the activities of your establishment?
YES: GDPR is very likely to apply to your business;
NO: go to Q4
(FYI: Given recent cases of the European Court (ECJ), “context of the activities of an establishment” is defined very broadly, and the data processing just needs to be linked, even indirectly, to your EU-based establishment’s activities. Therefore, as long as it is related to the establishment’s activities, the data processing can also take place outside of the EU through a subcontractor or a partner etc.)
QUESTION 4
Do you offer goods or services to EU citizens (e.g. your website targets a European market etc.)?
YES: GDPR is very likely to apply to your business;
NO: go to Q5
QUESTION 5
Does your business consist of monitoring the behaviour of EU citizens located within the EU? (e.g. profiling etc.)
YES: GDPR is very likely to apply to your business;
NO: go to Q6
QUESTION 6
Do you process personal data on behalf of a third party? (e.g. hosting services/cloud, IT maintenance, sending of newsletters, payroll etc.)
YES: go to Q7;
NO: GDPR is very unlikely to apply to your business
QUESTION 7
Is the third party you process personal data on behalf of subject to the GDPR? (i.e. Would the third party have replied yes to one of the questions 2 to 6 above?)
YES: GDPR is very likely to apply to your business;
NO: GDPR is very unlikely to apply to your business
If you have any questions, do not hesitate to contact Arnaud Blanc, French & UK qualified lawyer based in France.