On November 23, 2018, the European Data Protection Board (EDPB) adopted new draft guidelines intended to provide clarity with respect to the territorial scope of the European Union's General Data Protection Regulation (GDPR). The highly anticipated GDPR guidelines provide needed clarification on several key issues, including how the GDPR applies to business entities located in different parts of the world, and which businesses will need to appoint a representative in the European Union (EU) to act as a liaison with local supervisory authorities.
Given the severity of the penalties for violations of the GDPR, all US and EU businesses should closely follow the newly released guidelines in order to ensure that they are in full compliance with the GDPR.
What Do the New GDPR Guidelines Mean for My Business?
By way of background, the GDPR imposes significant requirements on "data controllers" (business entities that determine the purposes and means of processing personal data) and "data processors" (third-party businesses that process personal data on behalf of data controllers) established within the EU, as well as such organizations located outside the EU if the organizations: (1) offer goods or services to individuals in the EU; or (2) monitor the behavior of individuals in the EU.
The guidelines, in part, further clarify which entities are considered established within the EU and which entities, while located outside the EU, are nevertheless subject to the GDPR. In addition, further guidance is provided on the nature of the EU-based representative that non-EU entities must appoint as a liaison with EU regulators. Below are some highlights contained within the recent GDPR guidelines:
A data controller located outside the EU is not deemed to be an EU-based entity merely because that controller's website is accessible in the EU. However, if even one employee of that data controller works in the EU, the controller may be treated as having an establishment in the EU, and therefore be subject to the GDPR, if that employee oversees significant business activities and has a long-term, stable presence in the EU.
A data controller located outside the EU that uses an EU-based processor for business activities outside the EU that do not target individuals in the EU is not, by that fact alone, subject to the GDPR. However, the EU-based processor in that example will still be subject to the GDPR provisions that apply to data processors.
Where a data controller subject to the GDPR utilizes the services of a data...