Who does GDPR apply to?

If you operate an online business, you must have asked, “Does the GDPR apply to my business?” at least once.

The European Union’s most famous law affects many businesses around the globe, no matter where they are founded or where their users come from.

The European Economic Area (EEA) and EU candidate countries have also aligned their national legislation with this law. Many other countries followed its standards, including Brazil, the UAE, Thailand, China, and others.

Non-compliance with the law leads to trouble with the supervisory authorities and hefty GDPR penalties you want to avoid. That’s why you need to learn more about the GDPR, and learning whether it applies to your business is a good place to start.

Does the GDPR apply to your business?

To determine if you should be worried about the EU data protection law, first, we need to explain the scope of the law. The GDPR has its material and territorial scope.

GDPR: Material Scope

GDPR applies to the processing of personal data of individuals. Personal data is any information that could identify a natural person, directly or indirectly. That includes personal names, email addresses, phone numbers, biometric data, and online identifiers such as IP addresses, browsing behavior, etc.

Also, the GDPR doesn’t cover personal data used for personal or household activities, like when friends trade phone numbers.

Assuming that you process personal data for commercial purposes, then such data falls under the scope of the GDPR. The law may apply if your business also falls under its territorial scope.

GDPR: Territorial Scope

The GDPR applies to persons and businesses:

• From an EU member state. This includes all EU-incorporated businesses as well as individuals from an EU country.
• That controls and/or processes the personal data of EU citizens. As long as the data subjects are in the European Union, it doesn’t matter where the data controller and data processor are from. The General Data Protection Regulation (GDPR) applies to companies outside the EU offering goods and services (paid or free) or those that monitor the behavior of individuals within the region. This includes all the foreign businesses that collect and process data of EU citizens. For example, a US social media company that collects and processes the personal data of EU citizens has to comply with the GDPR when processing their data.

Simply put:

• If you are an EU business, GDPR applies to you at all times, and
• If you are a non-EU business, GDPR applies when interacting with EU residents.

To put it in a specific context:

• EU business + EU users = GDPR applies at all times
• EU business + non-EU users = GDPR applies at all times
• EU business + EU and non-EU users = GDPR applies at all times
• Non-EU business + EU users = GDPR applies at all times
• Non-EU business + non-EU users = GDPR does not apply
• Non-EU business + EU and non-EU users = GDPR applies only to the processing of EU users’ data

If you learn better through examples, here are a few:

• A German e-commerce store sells clothes in the EU and the US. Germany is an EU member state, so the GDPRapplies to the data processing by all German companies. As a result, GDPR applies at all times.
• A hotel in Turkey advertises on social media for Turkish and EU citizens. The GDPR does not apply to the data collection and processing of Turkish citizens, but it does apply to the processing of the data of EU residents.
• An e-commerce store from Brazil sells products only to US and Canadian customers. The GDPR does not apply because no one is from the EU.
• A SAAS company from France sells software exclusively in the United States. The GDPR applies at all times because it applies to the processing of data by French companies. The fact that all the users are from the US doesn’t make any difference.

Again, the GDPR applies if at least one person in the data processing relationship comes from Europe.

Does GDPR apply to small and medium-sized businesses?

Yes, it does, as long as you meet the above-mentioned GDPR requirements. The GDPR does not discriminate based on business size. It applies to personal data processing, not business processing.

Some GDPR duties apply only to businesses of a certain size or businesses with specific data processing activities, but generally, GDPR compliance is a requirement for all.

For instance, companies with fewer than 250 employees don’t need to keep records of their processing activities unless processing personal data is a regular activity, threatens personal data, threatens individuals’ rights and freedoms, concerns sensitive data, or concerns criminal records.

Similarly, SMEs will only be required to appoint a data protection officer (DPO) if the processing is their primary business and poses specific threats to individuals’ rights and freedoms (such as monitoring of individuals or the processing of sensitive data or criminal records) on a large scale.

Read more about how to make your business GDPR-compliant.

As a startup, it is also crucial to understand the GDPR and comply with its requirements to avoid significant fines and negative publicity. Read about GDPR requirements and the steps startups need to take to become GDPR compliant.

Does the GDPR apply to UK companies?

The United Kingdom is not an EU country; therefore, GDPR is not applicable in the UK. However, UK businesses need to comply with it anyway when processing the personal data of EU citizens. GDPR applies to any company worldwide when it collects and processes data about EU citizens. This includes companies based in the United Kingdom.

Moreover, UK companies must comply with the UK GDPR law. This law was introduced to align the data protection requirements for UK and EU companies after Brexit. Take a look at this UK GDPR checklist for businesses.

There are barely any differences between the GDPR and the UK GDPR; therefore, if you comply with the GDPR, you are likely to comply with UK data privacy laws.

Does the GDPR apply to US companies?

The GDPR applies to US businesses that process the personal data of EU citizens. It applies to you even if you process data for at least one EU citizen.

However, it applies only to your relationship with the EU user. You must respect their GDPR data privacy rights, but this does not obligate you to follow the GDPR when processing data from US citizens. When a US company processes US citizens’ or non-EU citizens’ data, the GDPR does not apply to them.

How to comply with the General Data Protection Regulation of the EU

GDPR compliance requires some effort by companies, but it is easier than many think. It all comes down to implementing GDPR’s basic principles in your privacy practices, honoring data subject requests, and implementing safeguards for data security to protect customer data. That’s most of the work you need to do to avoid issues with data protection authorities.