General Data Protection Regulation
Codes of Conduct
- Code of Conduct
Regulation of the Data Protection Authority on the Requirements for a Body for Monitoring Compliance with the Code of Conduct (only available in German here)
Page 37 of Guidance on the GDPR (only available in German here)
The Belgian Data Protection Authority has issued guidance regarding the use of codes of conduct. The press release is available in French here and in Dutch here, the guidance in French here and in Dutch here.
To view this Comparison and more, request your free 7-day trial of the full OneTrust DataGuidance platform
The following GDPR templates and checklists have been issued by data protection authorities across Europe, and represent a sample across key compliance areas, including Data Protection Impact Assessments, Records of Processing Activities and Contracts.
For a full list of GDPR templates and checklists, you can access our Hub here. You can also visit our 'National Resources' tab for templates, checklists and guidelines on other topics.
Data Protection Impact Assessment
- EU - WP29 Criteria for an Acceptable DPIA Checklist
- France - PIA Tool
- France - PIA Templates
- Spain - DPIA Template (in Spanish)
- UK - Sample DPIA Template
- UK - DPIA Checklist
Records of Processing Activities
- France - Record of Data Processing Activities Template (in French)
- Belgium - Record of Data Processing Activities (in French)
- Belgium - Record of Data Processing Activities (in Dutch)
- Germany - Record of Processing Activities for Controllers Template (in German)
- Germany - Record of Processing Activities for Processors Template (in German)
- Spain - Record of Processing Activities Template (in Spanish)
- UK - Documentation for Controllers Template
- UK - Documentation for Processors Template
- Denmark - Data Processing Agreement Template (in Danish)
- Denmark - Joint Controllership Data Responsibility Agreement Template (in Danish)
- Iceland - GDPR Data Processing Contract Template (in Icelandic)
- Malta - Sample Controller-Processor Template
- UK - Contracts Checklist
- UK - Standard Contractual Clauses for Controller to Controller Transfer Template
- UK - Standard Contractual Clauses for Controller to Processor Transfer Template
- Germany - Model Controller Processor Agreement
- There is a requirement/variation in place.
- Click to view information for additional detail.
- There is no requirement/variation in place.
- National Law
- Notification Requirements
- National Variation of Data Subject Rights
- Right of information
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Automated decision-making
- Additional national variations
- Children's data
- Processing of special categories of data
- Breach notification
- Scientific, Historical, Statistical processing
To view this Comparison and more, request your free 7-day trial of the full OneTrust DataGuidance platform
This Chart aims at assisting organisations in understanding and comparing key provisions of the GDPR with relevant data protection law from around the globe. This Chart provides a comparison of the following key provisions:
- Definitions and legal basis
Each topic includes relevant articles and sections from the law compared, a summary of the comparison, and a detailed analysis of the similarities and differences. The degree of similarity for each section can be identified using the key.
Definitions and Legal Basis Benchmark
- Personal data
- Controller and processor
- Legal Basis
To view this Comparison and more, request your free 7-day trial of the full OneTrust DataGuidance platform
- Right to deletion
- Right to be informed
- Right to object
- Right to access
- Right not to be subject to discrimination
- Right to data portability
One of the main aims of the General Data Protection Regulation ('GDPR') is to ensure a consistent and homogeneous application of protection of natural persons with respect to personal data within the European Union. The GDPR also includes a number of provisions which permit Member States to introduce derogations or specific rules and conditions to regulate data protection at a national level. DataGuidance will continue to monitor potential national variations as they occur.
The GDPR significantly amends the current legal framework by harmonising the enforcement powers of the data protection authorities ('DPAs') and by reinforcing the powers of the DPAs. Under the GDPR, DPAs may impose administrative fines for violations of the GDPR that are 'effective, proportionate and dissuasive.' When deciding whether to impose a fine and the amount of the fine, the DPA must take into account a number of factors, including: the nature, gravity and duration of the infringement; the nature of the processing; the number of data subjects affected; whether the infringement was intentional or negligent; and what action (if any) has been taken to mitigate the damage caused to individuals.
The GDPR sets out two levels of fines: Level 1 fines of up to €10,000,000 or (for undertakings) 2% of total worldwide annual turnover (whichever is the greatest), and Level 2 fines of up to €20,000,000 or (for undertakings) 4% of total worldwide annual turnover (whichever is the greatest). You can read the full list of infringements for both levels below and read our note on Enforcement.
Level 1 Fines
|Administrative fines of up to: €10,000,000,
or (where an undertaking) 2% of total worldwide annual turnover of the preceding financial year whichever is higher
|Infringment of the following provisions||Detail|
|Obligations of the controller and processor|
|Article 8||This relates to the requirement to make reasonable efforts to obtain and verify consent from the holder of parental responsibility where information society services are provided directly to a child below the age of 16.|
|Article 11||This establishes that controllers do not need to take steps to identify a data subject (where not currently identified) in order to comply with the GDPR. There is no need to comply with certain data subject rights, unless new information allows the data subject to be identified.|
|Article 25||This relates to the requirement to implement data protection by design and by default in order to integrate necessary safeguards into the processing of personal data and protect the rights of data subjects.|
|Article 26||This establishes that where there are joint controllers they must have an arrangement setting out their respective responsibilities.|
|Article 27||This requires controllers of processors not established in the Union to designate in writing a representative in the Union.|
|Article 28||This relates to processing by a processor, the obligations of the processor, the requirement to govern the processing by a contract, the instruction of a sub-processor etc.|
|Article 29||This requires those processing data under the authority of the controller of processor to only process the data in accordance with the controller's instructions.|
|Article 30||This requires the controller and each processor to maintain a detailed record of the processing that is taking place and to make such record available to the supervisory authority on request.|
|Article 31||This requires the controller and processor to co-operate with the supervisory authority.|
|Article 32||This requires the controller and processor to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the data processing.|
|Article 33||This relates to the notification of a personal data breach to the supervisory authority (timeframe for the notification, what the notification should include etc.) and the obligation for processors to notify the controller without undue delay after becoming aware of the breach.|
|Article 34||This relates to the communication of a personal data breach to the data subject, timeframe for the communication, what the communication should include etc.|
|Article 35||This relates to the requirement upon the controller to carry out a data protection impact assessment prior to processing which is likely to result in a high risk for the rights and freedoms of individuals and explains where this is likely to be the case.|
|Article 36||This relates to the requirement upon the controller to consult the supervisory authority where the data protection impact assessment indicated that the processing is high risk in the absence of measures taken by the controller to mitigate the risk.|
|Article 37||This establishes when the controller and the processor will be required to designate a data protection officer.|
|Article 38||This establishes how the role of data protection officer should be set up at the controller or processor.|
|Article 39||This establishes the tasks of the data protection officer.|
|Obligations of the certification body|
|Article 42||This explains that data protection certification mechanisms, seals and marks may be established and the steps the controller or processor must take where they decide to voluntarily sign up to this type of mechanism.|
|Article 43||This explains the requirements for accreditation of certification bodies.|
|Obligations of the monitoring|
|Article 41(4)||This explains that a body (established to monitor compliance with a code of conduct) shall take appropriate action in cases of infringement of a code by a controller of processor.|
Level 2 Fines
|Administrative fines of up to: €20,000,000,
or (where an undertaking) 4% of total worldwide annual turnover of the preceding financial year whichever is higher
|Infringment of the following provisions||Detail|
|The basic principles for processing, including conditions for consent|
|Article 5||This establishes the principles for personal data processing, including: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.|
|Article 6||This sets out the conditions, one (at least) of which must be met, to ensure lawful processing. These relate to: consent; performance of a contract; compliance with a legal obligation; vital interests of the data subject; performance of a task in the public interest or exercise of official authority; and legitimate interests, where not overridden by the interests of the data subject.|
|Article 7||This establishes the conditions for obtaining valid consent.|
|Article 9||This establishes that the processing of special categories of personal data (race/ethnicity, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health or sex life data) is prohibited unless certain conditions are met.|
|The data subjects' rights|
|Article 12||This requires the controller to take appropriate measures to provide certain information to the data subject regarding the rights of the data subject.|
|Article 13||This relates to the requirement on the controller to provide certain information to the data subject at the time his/her data is collected.|
|Article 14||This relates to the requirement on the controller to provide certain information to the data subject where the data has not been obtained from the data subject.|
|Article 15||This sets out the right of the data subject to access his/her data and obtain certain information relating to the processing.|
|Article 16||This sets out the right of the data subject to obtain rectification of personal data which is inaccurate.|
|Article 17||This sets out the right of the data subject to erasure of his/her data where certain conditions apply.|
|Article 18||This sets out the right of the data subject to obtain the restriction of the processing of his/her personal data in certain circumstances.|
|Article 19||This explains the requirement upon the controller to communicate any rectification, erasure or restriction of processing to the recipients of the data, where possible.|
|Article 20||This sets out the right of the data subject to data portability, i.e. to transmit their data from one controller to another in certain circumstances.|
|Article 21||This sets out the right of the data subject to object to the processing of personal data in certain circumstances.|
|Article 22||This sets out the right of the data subject to not be subject to a decision based solely on automated processing, e.g. profiling in certain circumstances.|
|The transfers of personal data to a recipient in a third country or an international organisation|
|Article 44||This explains that the provisions relating to the transfer of data to a third country or an international organisation set out in Chapter V must be applied with to ensure an appropriate level of protection for individuals.|
|Article 45||This explains that a transfer of data to a third country or an international organisation may take place where the Commission considers there to be an adequate level of protection in place, explains the basis on which the Commission may decide there is an adequate level of protection and the obligations of the Commission in this respect.|
|Article 46||This establishes that where there is no relevant Commission decision, a controller or processor may transfer personal data to a third country or an international organisation if: appropriate safeguards have been put in place; and enforceable data subject rights and effective legal remedies are available.|
|Article 47||This establishes when a supervisory authority may approve binding corporate rules and what should be specified in the binding corporate rules.|
|Article 48||This explains when transfers or disclosures not authorised by Union law may be recognised or enforceable.|
|Article 49||This establishes derogations, when data may be transferred to a third country or an international organisation in the absence of an adequacy decision or appropriate safeguards.|
|Any obligations pursuant to Member States laws adopted under Chapter IX|
|Article 85||This allows Member States to, by law, reconcile the right to the protection of personal data with the right to freedom of expression and information, including processing for journalistic, academic, artistic or literary purposes.|
|Article 86||This relates to the disclosure of personal data in official documents for the performance of a task carried out in the public interest|
|Article 87||This relates to the processing of a national identification number or similar identifier.|
|Article 88||This allows Member States to, by law or by collective agreements, provide for more specific rules to ensure the protection of employees' personal data in the employment context.|
|Article 89||This provides for safeguards and derogations for the processing of personal data for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes.|
|Article 90||This allows Member States to adopt specific rules in relation to obligations of secrecy.|
|Article 91||This relates to existing data protection rules of churches and religious associations.|
|Article 58||This relates to non-compliance with the various powers of the supervisory authorities.|
The General Data Protection Regulation (Regulation 2016/679) ('GDPR') broadens the scope of application of EU data protection law compared to the Data Protection Directive (95/46/EC) ('the Directive') by:
- expanding the territorial scope of application to include controllers that are established outside the EU; and
- placing direct statutory obligations on data processors.
2. TERRITORIAL SCOPE
2.1. Relevant GDPR provisions
Article 3(1) of the GDPR establishes that the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU.
The EU currently consists of the following Member States: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom.
In addition, Article 3(2) of the GDPR extends the territorial scope of the GDPR, establishing that it also applies to the processing activities concerning data subjects who are in the EU by a controller or processor not established in the EU in certain cases, namely when where the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or the monitoring of their behaviour as far as their behaviour takes place within the EU.
The GDPR does not specify that data subjects must be either EU nationals or that they must reside in the EU. The choice of the term 'who are in the EU' implies that the scope of the GDPR must be interpreted broadly to apply to all individuals, including those who may be temporarily residing in the EU.
'In order to determine whether a processing activity can be considered to 'monitor the behaviour' of data subjects, it should be ascertained whether individuals are tracked on the internet with data processing techniques which consist of profiling an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours, and attitudes.'
More specifically, the fact that this provision applies regardless of whether a payment is required by the data subject clearly shows that the scope of this provision is not limited to e-commerce activities, and on the contrary, it must be interpreted broadly to mean any form of online processing where an individual's, or group of individuals' behaviour is being tracked, analysed, or profiled.
Finally, the GDPR applies to processing of personal data by a controller not established in the EU, but in a place where Member State law applies by virtue of public international law.
Recitals (22) and (23) of the GDPR provide further guidance regarding the above. In particular, they state:
'(22) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.
(23) In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.'
Recital (80) of the GDPR further notes that:
'Where a controller or a processor not established in the Union is processing personal data of data subjects who are in the Union whose processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or to the monitoring of their behaviour as far as their behaviour takes place within the Union, the controller or the processor should designate a representative, unless the processing is occasional, does not include processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing or if the controller is a public authority or body.'
2.2. Case law
Two judgments of the Court of Justice of the European Union ('CJEU') introduced expansive interpretations of some previous provisions of the Directive, in particular regarding the meaning of the terms 'in the context of the activities' and 'establishment':
- In Spain SL and Google Inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (C-131/12) of 13 May 2014 ('Google Spain'), the CJEU held that 'in the context of the activities' does not mean 'carried out by.' The data processing activities by Google Inc were 'inextricably linked' with Google Spain's activities concerning the promotion, facilitation and sale of advertising space. Consequently, processing is carried out 'in the context of the activities' of a controller's branch or subsidiary when the latter is (i) intended to promote and sell ad space offered by the controller, and (ii) orientates its activity towards the inhabitants of that Member State; and
- In Weltimmo s.r.o. v. Nemzeti Adatvédelmi es Informacioszabadsag Hatosag (C-230/14) of 1 October 2015 ('Weltimmo'), the CJEU held that the definition of 'establishment' is flexible and departs from a formalistic approach that an 'establishment' exists solely where a company is registered. The specific nature of the economic activities and the provision of services concerned must be taken into account, particularly where services are offered exclusively over the internet. The presence of only one representative, who acts with a sufficient degree of stability (even if the activity is minimal), coupled with websites that are mainly or entirely directed at that EU Member State suffice to trigger the application of that Member State's law.
2.3. Regulatory guidance
Accordingly, EU privacy regulators tend to take an expansive interpretation of the applicable law rules. For instance, on 16 December 2015, the Article 29 Data Protection Working Party ('WP 29') updated its Opinion 8/2010 on Applicable Law ('the Applicable Law Opinion') following the Google Spain case and adopted the 'inextricable link' test. According to the Applicable Law Opinion:
- EU law will apply to data processing activities conducted by a foreign controller established outside the EU which has a 'relevant' establishment whose activities are 'inextricably linked' to the processing of personal data; and
- for companies that have a designated 'EU headquarter' (acting as a controller) but have other 'relevant establishments' in other Member States and those activities are 'inextricably linked' to the data processing activities (e.g. to promote and sell advertisement space, raise revenues or carry out other activities), the national laws of the Member States in which such establishments are established will also apply.
The European Data Protection Board ('EDPB'), which replaced the WP29, issued its Guidelines 3/2018 on the Territorial Scope of the GDPR (Article 3) ('the Article 3 Guidelines'), aimed at ensuring a consistent application of the GDPR in assessing whether particular processing by a controller or a processor falls within the scope of the new EU legal framework, and to verify controllers and processors to assess whether they need to comply with the GDPR for a given processing activity.
In addition, the WP29 adopted its Guidelines for Identifying a Controller or Processor's Lead Supervisory Authority to assist controllers or processor that carry out cross-border processing of personal data, which have been later adopted by the newly established EDPB.
Furthermore, the WP29 analysed the concepts of controller and processor in its Opinion 1/2010 on the Concepts of 'Controller' and 'Processor', though this was produced in line with the Directive.
Where a controller or processor is not established in the EU, it must designate (in writing) a legal representative in the EU (Article 27 of the GDPR), except where the processing is occasional and
- does not include large scale processing of special categories of data;
- does not relate to criminal convictions and offences; or
- is unlikely to result in a risk to the rights and freedoms of individuals.
This representative must be established in one of the EU Member States in which the data subjects are located. The representative must receive a mandate from the controller or the processor to address any issues relating to the processing of personal data that arises from either a national supervisory authority or the data subjects. The fact that this representation must be made in writing will require entities within the same group of companies to assess which EU affiliate is best suited to represent the controller or processor outside the EU and to sign an agreement establishing the role and responsibilities of the EU representative, including any contractual sanctions in case it fails to comply with the GDPR.
The function of representative in the EU can be assumed by a wide range of commercial and non-commercial entities, such as, among others, law firms, consultancies, and private companies, provided that such entities are established in the EU. A single representative can also act on behalf of several non-EU controllers and processors (Section 4(a) of the Article 3 Guidelines).
GDPR and non-EU Jurisdictions
The EEA Joint Committee adopted, on 6 July 2018, Decision No 154/2018 Amending Annex XI (Electronic Communication, Audiovisual Services and Information Society) and Protocol 37 (containing the list provided for in Article 101) to the EEA Agreement ('the Decision'), incorporating the GDPR into the EEA Agreement. Furthermore, the Decision provides that the supervisory authorities of the European Free Trade Association ('EFTA') states will participate fully in the one-stop-shop and the consistency mechanism. Iceland, Norway, and Liechtenstein are contracting parties to the EEA Agreement.
- Norway: Law on the Processing of Personal Data (Personal Data Act) of 15 June 2018 (only available in Norwegian here);
- Iceland: Act 90/2018 on Privacy and Processing of Personal Data (only available in Icelandic here); and
- Liechtenstein: Data Protection Act (DSG) of 4 October 2018 (only available in German here) and Data Protection Ordinance (DSV) of 11 December 2018 (only available in German here) .
In addition, the EEA Agreement applies to Gibraltar (see the Chief Legal Advisor of the Government of Gibraltar, Michael Llamas, opinion). In regard to the GDPR, the Gibraltar Regulatory Authority stated, 'As an EU regulation, the GDPR will not generally require transposition (EU regulations have 'direct effect') and will automatically become law in Gibraltar' (page 1 of the Guidance on the General Data Protection Regulation: (1) Getting started).
2. Other non-EU jurisdictions
Non-EU jurisdictions that have passed legislation to align with the GDPR:
- Guernsey: The Data Protection (Bailiwick of Guernsey) Law, 2017 and The Data Protection (Commencement, Amendment and Transitional) (Bailiwick of Guernsey) Ordinance, 2018;
- Jersey: Data Protection (Jersey) Law 2018 and Data Protection Authority (Jersey) Law 2018;
- Isle of Man: The Data Protection Act 2018. Additionally, the Data Protection (Implementation of GDPR) Order 2018 ('the GDPR Order') and the Data Protection (Implementation of LED) Order 2018 ('the LED Order') were approved by the Parliament; and
- San Marino: Law No. 171 of 21 December 2018, Protection of Natural Persons with Regard to the Processing of Personal Data.
Other jurisdictions are currently in the process of modernising their local data protection laws to include requirements similar to those under the GDPR. These include Moldova, Serbia, Switzerland and Kosovo.
3. Outermost Regions
With regards to the so-called 'outermost regions,' which comprise nine territories, namely Guadeloupe, La Réunion, Mayotte, French Guiana, Martinique, Saint-Martin, Madeira, Azores, and Canary Islands, the Fact Sheet on the European Union, Outermost Regions, released by the European Parliament, reads:
'Regardless of the great distance separating them from the European continent, the outermost regions are an integral part of the EU, and the acquis communautaire is fully applicable in their territory. However, owing to their specific geographical location and the related difficulties, EU policies have had to be adjusted to their special situation.'
In addition, the French data protection authority issued, on 4 July 2019, its clarifications on the application of the GDPR overseas (only available in French here; see also Title V of Act No.78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended to implement the GDPR) ('the Act')).
OneTrust DataGuidance confirmed with Sonia Cissé and Jean Fau, Counsel and Associate, respectively, at Linklaters LLP that:
- "For French Polynesia, New Caledonia, Wallis and Futuna, French Southern and Antarctic Lands, Saint-Pierre-et-Miquelon, and Saint-Barthélemy, the Act has applied as last amended by Law No. 2018-493 of 20 June 2018 on the Protection of Personal Data Ordinance n°2018-1125 of 12 December 2018, since 1 June 2019. However, the GDPR does not apply in these communities, unless this law expressly provides for this, for example with respect to consent or rules to be followed by subcontractors. Where the Act refers to it, such references will be replaced by the rules applicable on the mainland pursuant to the GDPR;
- For Wallis and Futuna, French Polynesia, New Caledonia and for French Southern and Antarctic Lands, the GDPR does not apply, and the Act only applies in its version prior to 25 May 2018; and
- For overseas departments and regions countries and territories (Réunion, Guadeloupe, Martinique, French Guiana, and Mayotte) and for the overseas collectivity of Saint-Martin, the GDPR and the Act, as amended, apply in full."
4. Overseas Countries and Territories
Annex II of the Treaty on the Functioning of the European Union ('TFEU') lists the so-called overseas countries and territories ('OCTs'), which form the Association of Overseas Countries and Territories of the European Union that is regulated under Part IV of the TFEU.
The list comprises the following: Greenland, New Caledonia and Dependencies, French Polynesia, French Southern and Antarctic Territories, Wallis and Futuna Islands, Mayotte, Saint Pierre and Miquelon, Aruba, Netherlands Antilles (Bonaire, Curaçao, Saba, Sint Eustatius, and Sint Maarten), Anguilla, Cayman Islands, Falkland Islands, South Georgia and the South Sandwich Islands, Montserrat, Pitcairn, Saint Helena and Dependencies, British Antarctic Territory, British Indian Ocean Territory, Turks and Caicos Islands, British Virgin Islands, and Bermuda.
The acquis communautaire applicable to OCTs appears to be listed in this page.
The practical effect is that many organisations who until now were outside the scope of application of EU data protection law, are directly subject to its requirements, for example if they are EU-based processors or non EU-based controllers or processors who target services to EU residents (e.g. through a website) or monitor their behaviour (e.g. through cookies). For such organisations, the GDPR requires them to significantly change their legal and cultural approach to EU data protection compliance. Perhaps the biggest change affecting controllers and processors who are not established in the EU but collect and process data on individuals in the EU through websites, cookies, and other tracking technologies, which are likely to be caught by the scope of the GDPR. E-commerce providers, online behavioural advertising networks, and analytics companies that process personal data are all likely to be caught by the scope of application of the GDPR.
As a general rule, all companies must assess their level of awareness of, and readiness for compliance with, EU data protection law and create a road map for transitioning towards compliance with the GDPR. In some cases, this may require appointing a representative in the EU, and therefore, setting up the contractual terms for such designation. In addition:
- businesses should audit their data processing activities in order to understand and assess on what legal grounds they may collect and use such data;
- controllers who are not established in the EU must assess whether their online or other data processing activities fall within the scope of the GDPR, regardless of whether they use EU-based data processor;
- EU based processors and non-EU based processors who process personal data on behalf of an EU-based controller must assess whether the GDPR applies to their activities and what compliance measures they need to implement; and
- multinational businesses with operations in the EU and their non-EU affiliates which are caught by the GDPR will also need to consider how to frame their intra-group relations, the respective roles of each group company as a controller or processor within the group, and how to frame their intra-group data transfers.
Businesses which fail to address these issues face a significant risk of breaching the provisions of the GDPR and are likely to be viewed by EU privacy regulators as having breached the GDPR in a 'deliberate' or 'negligent' fashion.
The GDPR introduces significant sanctions, including mandatory regulatory audits, a right to compensation for data subjects who suffer material or immaterial damage and regulatory enforcement action including fines of up to €20,000,000 or 4% of the total worldwide annual turnover for the previous financial year (whichever is higher) (see the Enforcement and Breach Tracker for more detail).
The GDPR does not specifically state which fining band applies to failures to comply with the GDPR's provisions on the territorial scope of the GDPR (Article 3 of the GDPR). However, it is fair to assume that if a company which ought to comply with the GDPR fails to do so (e.g. either because it did not consider whether the GDPR applies to it at all or it misapplied the tests and reached the wrong conclusion), it may find itself to be in violation of several provisions of the GDPR. The GDPR provides that if a controller or processor intentionally or negligently violates several provisions of the GDPR, the total amount of the fine will not exceed that specified for the gravest violation (Article 84 of the GDPR). This could mean that such companies may face a fine in the higher fining band of €20,000,000 or 4% of the total worldwide annual turnover for the previous financial year (whichever is higher) (Article 84 of the GDPR).