Does GDPR concern my business?
The GDPR lays down rules relating to the protection of natural persons with regard to the processing of personal data, as well as rules relating to the free movement of such personal data (art. 1 par. 1 GDPR). But what exactly is ‘personal data’, and what does the GDPR mean by ‘processing’?
‘Personal data’ is defined as any information relating to an identified or identifiable natural person, the ‘data subject’ (art. 4 no. 1 GDPR). The GDPR does not deal with data relating to legal persons such as companies or organisations. For example, the fact that somebody is the managing director of a company is personal data of that natural person, but not of the company.
Under the GDPR it is sufficient for identifiability that the data in question can be related to a natural person by means reasonably likely to be used, whether by the controller or by another person (recital 26 GDPR). Accordingly, pseudonymous data, which can be attributed to a natural person with the help of additional information held separately, is still personal data (recital 26 GDPR). In practice this means that replacing names or email addresses with a hash, a token or a customer number is pseudonymisation, not anonymisation, as long as anyone holds the key or lookup table that reverses it. Only if the data is truly anonymous, so that the data subject is not or no longer identifiable, does the GDPR not apply. Whether a given data set can still be attributed to a natural person is always a question of fact. Yet CEOs of companies should be aware that supervisory authorities will usually assume the identifiability of a natural person behind such data.
Examples of personal data are: name, surname, email address, tax identification number, location data, and online identifiers such as an IP address or a cookie ID (recital 30 GDPR).
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (art. 4 no. 2 GDPR). In other words, practically anything you do with personal data, including merely storing it or looking at it, is processing.
The exception to the above is the processing of personal data by a natural person in the course of a purely personal or household activity. This kind of activity does not fall within the material scope of the GDPR (art. 2 par. 2 (c) GDPR). However, the exception does not apply as soon as the activity has a connection to a professional or commercial activity (recital 18 GDPR). For example, if a private address book also contains the contact details of business partners, the processing of that personal data is subject to the GDPR.
You might well ask what this has to do with your business if it is based outside the EU. Does the GDPR apply to the processing of personal data by companies and businesses in other parts of the world?
The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the Union or not (art. 3 par. 1 GDPR). A data controller with an establishment in the European Union (EU), for example a German online shop, processes the personal data of its customers in the EU. But even if the German company processes personal data of its customers outside the EU, for instance on servers hosted in a third country, there is still a connection to the activities of the German company in the EU. Therefore, the GDPR applies to all processing of personal data by the German online shop.
Companies which have no establishment in the EU may still be subject to the GDPR. According to art. 3 par. 2 GDPR, the regulation also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to either of the following: (a) the offering of goods or services, irrespective of whether a payment by the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
The meaning of (a) is best explained by using the search engine Google as an example. The service can be accessed in the EU and is offered in many different European languages, which is one of the factors recital 23 GDPR names as evidence that a controller envisages offering its service to data subjects in the Union. It does not matter that the users of Google are not required to pay a fee to use the service. The GDPR therefore applies to Google’s processing of personal data regardless of whether or not Google has establishments in the EU. In the context of (b) we need to understand what “monitoring of behaviour” of data subjects means. According to recital 24 GDPR, this covers tracking natural persons on the internet, in particular where the data collected is subsequently used to profile them, that is, to take decisions about them or to analyse or predict their preferences, behaviour or attitudes. Tracking cookies, device fingerprinting and behavioural analytics applied to visitors in the EU are typical examples.