DO GDPR AND ARTICLE 27 APPLY TO MY BUSINESS?

 

WE HAVE PREPARED A SERIES OF QUESTIONS TO HELP YOU ESTABLISH WHETHER GDPR AND ARTICLE 27 APPLY TO YOUR NON-EU ESTABLISHED BUSINESS:

References to Articles and Recitals are to those parts of the General Data Protection Regulation (GDPR)

Underlined terms are explained in the text below, and more detailed explanation is available in the GDPR itself, a link to which is available in our Resources section

Please be aware that there may be other factors to take into consideration, and that you should take legal advice before drawing any conclusions as to the effect and enforceability of EU law in your particular circumstances and jurisdiction

 

DO YOU CONTROL OR PROCESS THE PERSONAL DATA OF PEOPLE IN THE EU?

(ARTICLE 3(2) GDPR)

CONTROL: the ability to determine (either alone or with others) the purposes and manner in which any personal data is, or will be, processed (an organisation with this discretion is termed a "DATA CONTROLLER")

PROCESS: any operation performed on personal data, whether directly or by automated means, including: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data on behalf of the data controller (this organisation is termed a "DATA PROCESSOR")

PERSONAL DATA: any information relating to a person (the 'data subject') who can be identified, directly or indirectly, in particular by reference to a name, an identification number, location data, an online identifier (e.g. IP address or email address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person

PEOPLE IN THE EU: this is not just EU citizens, it includes people of other nationalities in the EU

NO - GDPR does not apply to your business

YES - GDPR may apply to your business, please continue

ARE YOU PROCESSING PERSONAL DATA FOR:

(A) THE OFFERING OF GOODS OR SERVICES, REGARDLESS OF WHETHER PAYMENT IS REQUIRED, TO THOSE PEOPLE IN THE EU; OR

(B) THE MONITORING OF THEIR BEHAVIOUR, IF THAT BEHAVIOUR TAKES PLACE IN THE EU?

(ARTICLE 3(2))

GOODS OR SERVICES: whether a company offers their goods or services in the EU will depend on a number of factors, but if your company aims to, or makes available, sales to the EU (e.g. uses languages or currency particular to the EU) (see also Recital 23)

MONITORING: where persons are tracked on the internet, for example use of personal data in processing techniques which consist of profiling a person in order to take decisions or for analysing / predicting their preferences, behaviours and attitudes (see also Recital 24)

NO - GDPR does not apply to your business

YES - GDPR applies to your business. Please note that this is not affected by where you are located globally. The GDPR carries a number of consequences over and above the need to have an appointed Data Protection Representative in the EU. For further information please contact us at consultancy@dpr.eu.com in respect of GDPR consultancy, and please also feel free to review the materials available in our Resources page.

IF GDPR APPLIES, please continue with the following questions to see if your business requires a Data Protection Representative as a result of Article 27 of GDPR:

ARE YOU ESTABLISHED IN THE EU?

(ARTICLE 3(2))

ESTABLISHED: this requires "the effective and real exercise of activity through stable arrangements", suggesting that a formal base of operations may be required to meet this requirement. It is likely that the ability to have a local contact address would be expected, but not necessarily a full, locally-incorporated, subsidiary company (quotes from Recital 22)

YES - Article 27 does not apply to your business

NO - Article 27 may apply to your business, please continue

IS THE PROCESSING OF PERSONAL DATA UNDERTAKEN IN THE COURSE OF AN ACTIVITY WHICH FALLS OUTSIDE THE SCOPE OF EU LAW? (ARTICLE 2(2)(A))

OUTSIDE THE SCOPE OF EU LAW: this exclusion applies to those areas where individual EU Member States retain control, including issues of fundamental rights and national security (Recital 16). Unless you are aware of a specific exemption, it would be best to assume the relevant activities will fall within the scope of EU law.

YES - Article 27 does not apply to your business

NO - Article 27 may apply to your business, please continue

ARE YOU A PUBLIC AUTHORITY? (ARTICLE 27(2)(B))

PUBLIC AUTHORITY: this will include local and central government, as well as most publicly-funded institutions (education, healthcare, judiciary), but may not extend to private education and healthcare, especially where sensitive data (e.g. medical, religion etc) is being processed. It is not clear whether this could be interpreted on a national basis, according to what is defined as a public authority by that country.

YES - Article 27 does not apply to your business

NO - Article 27 may apply to your business, please continue

DOES THE 'OCCASIONAL' EXEMPTION APPLY?

THE EXEMPTION APPLIES TO OCCASIONAL PROCESSING OF PERSONAL DATA WHICH (A) IS NOT LARGE SCALE PROCESSING OF SENSITIVE DATA OR CRIMINAL OFFENCES AND (B) WHICH IS NOT LIKELY TO RESULT IN A RISK TO THE RIGHTS AND FREEDOMS OF PEOPLE

(ARTICLE 27(2)(A))

OCCASIONAL: this is unclear. In general, where there is uncertainty, the EU courts have favoured the protection of the individuals' rights in respect of their data. A fair guess of how it might be viewed is: 'processing which (a) is more than incidental to the business activities of the data processor, or (b) without which the data processor would suffer a material negative impact in their activities'

LARGE SCALE: processing which could affect a large number of people (potentially not medical and legal data) (Recital 91)

SENSITIVE DATA: "personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation" (Article 9(1))

CRIMINAL OFFENCES: information about criminal arrests, convictions and investigations (Article 10)

RISK TO THE RIGHTS AND FREEDOMS: where processing is "carried out systematically on a large scale" (Recital 91) (the "nature, context, scope and purposes of the processing" are considered when deciding if processing occurs on a large scale (Recital 80))

YES, the exemption applies - Article 27 does not apply to your business

NO, the exemption does not apply - Article 27 applies to your business and if you fail to appoint a Data Protection Representative you could be fined up to (the greater of) €10,000,000 or 2% of global turnover (Article 84(4)(a)) 

IF YOUR BUSINESS REQUIRES A DATA PROTECTION REPRESENTATIVE, DPR CAN PROVIDE THIS SERVICE FOR YOU*, SO THAT YOU NEED NOT INCUR THE EXPENSE OF BECOMING ESTABLISHED IN THE EU

PLEASE PROCEED TO THE DATA PROTECTION REPRESENTATIVE PAGE TO SEE WHAT DPR CAN DO FOR YOU

* Subject to terms and conditions

 

Address

1-2 Marino Mart,

Fairview,
Dublin 3, Ireland


©2019 BY DPR