The General Data Protection Regulation (GDPR) came into force on 25 May 2018 and comprises an expanded approach toward the protection of the rights of individuals in relation to their personal data in the EU. It is extraterritorial in that it applies to controllers and processors both inside and outside (in certain circumstances) the EU. The applicability of the GDPR falls into two distinct categories.
First applicability rule: Article 3(1) states that where there is processing of personal data in the context of the activities of an establishment of either a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not, then GDPR will apply.
Second applicability rule: Article 3(2) states that GDPR applies to the processing of personal data of data subjects in the EU when the controller or processor is not established in the EU, but where the processing activities are related to: (1) the offering of goods or services to such data subjects in the EU, or (2) the monitoring of their behaviour insofar as their behaviour takes place within the EU.
See the full PDF article here
First published in September 2018 by SCCE.
Copyright  Compliance & Ethics Professional, a publication of the Society for Corporate Compliance and Ethics (SCCE).