GDPR: in which cases its use is mandatory, and why it may be beneficial
Sooner or later, a growing business confronts its owners with the task of entering the international market. This may involve opening a representative office in another country, expanding the market, or looking for foreign contractors or partners.
If such expansion involves the “conquest” of European countries, it is necessary to take into account the requirements of their legislation regarding the processing of personal data, both to protect yourself from possible liability and to build a positive “image” of your own.
The date of 25.05.2018 has become a “milestone” for many companies, because on that day the General Data Protection Regulation (also known as the GDPR) came into force. In this publication, we will talk about what this regulation has affected and how.
Who is obliged to use the GDPR?
The main objective of the GDPR is to regulate the processing and protection of personal data (hereinafter referred to as PD) within the European Union and the European Economic Area (EU/EEA), as well as their export outside of these territories.
It may erroneously seem that the GDPR applies only to companies resident in EU/EEA countries. In fact, the GDPR can apply to a company in several cases, as described below.
Case 1. Presence of an office or employees within the EU/EEA (so-called business unit or establishment).
In this case the GDPR applies to the company if its branch, partners, representative offices or representatives are permanently based in the EU/EEA.
The GDPR will then apply only to the processing of PD connected with the activities of the aforementioned business units, regardless of whether the data being processed belong to persons from the EU/EEA or from other countries.
For example, a national dairy product manufacturer will be obliged to observe the GDPR if its European partner company is involved in advertising its products, but only in respect of the data related to the activities of the partner company (European customers, office employees, etc.).
Case 2. The company is located outside the EU/EEA countries, but offers goods and services to residents of EU/EEA countries.
In this situation it must be taken into account that the mere technical possibility for such persons to access websites, applications or other resources where goods/services can be obtained does not oblige the company to adhere to the GDPR.
Such an obligation arises if the company’s “commercial intent” is oriented to European users from the outset.
This can be confirmed, in particular, by the following factors:
- The top-level domain of the website is registered in one of the EU countries;
- The payment is made in euros;
- The application is available in EU languages;
- The delivery points are available in EU/EEA countries, etc.
Case 3. The company monitors clients from the EU/EEA.
Such monitoring can be understood as the company's collection of personal data of European residents for further use in its business activity, if the company is aware that the data belong to persons from EU/EEA countries.
For example:
- obtaining information on the Clients’ geolocation;
- research of Clients’ preferences regarding goods and services, if it is based on personalized “profiles” of Clients;
- collection of cookies, etc.
Why must the GDPR requirements be fulfilled, and why can fulfilling them be worthwhile?
The failure to meet the requirements of the GDPR (where applicable) can result in a penalty: 4% of the company’s annual turnover and up to 20 million euros.
At the same time, even if the company is not obliged to apply the GDPR, processing PD according to its rules can be advantageous for the following reasons:
- strengthening the “HR brand” and attracting highly qualified employees;
- attracting contractors from the EU/EEA;
- attracting European investors, etc.
In this case, the GDPR is implemented through the development and mandatory introduction of a number of special procedures related to the collection, use, storage, etc. of PD. The specific order of such implementation depends on the type of the company’s business activity and its other features.
In any case, the reputation of a company that applies the GDPR requirements will be its competitive advantage in the European market, as well as in the markets of Ukraine and other countries.
If you want to get a set of services aimed at bringing your company into compliance with the GDPR requirements, don’t hesitate to call us. We will take care of personal data protection at your company.