GDPR: Who does the data protection law apply to?
The law applies to:
1. A company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
2. A company established outside the EU offering goods/services (paid or for free) or monitoring the behaviour of individuals in the EU.
If your company is a small and medium-sized enterprise (‘SME’) that processes personal data as described above, you have to comply with the GDPR. However, if processing personal data isn’t a core part of your business and your activity doesn’t create risks for individuals, then some obligations of the GDPR will not apply to you (for example, the appointment of a Data Protection Officer (‘DPO’)). Note that ‘core activities’ should include activities where the processing of data forms an inextricable part of the controller’s or processor’s activities.
The EU has produced an online tool of fact sheets on the GDPR, which gives the full list of information.
The fact sheets cover:
- Application of the regulation
- Principles of the GDPR
- Legal grounds for processing data
- Dealing with Citizens
- Enforcement and sanctions
- Public administrations and data protection