Do you have clients living in the EU? You may be subject to the GDPR.
The European Union approved the General Data Protection Regulation (“GDPR”) on April 14, 2016. It went into effect May 25, 2018. It is considered to be the largest overhaul of the European Union’s data privacy laws in 20 years.
Who does it effect?
Regardless of whether you are established inside or outside of the EU, any company offering paid or free services or goods to individuals in the EU is subject to the GDPR.
The application of the law does not depend on the size of your firm, but instead, the activities of your firm.
Point of clarification- For EU citizens outside the EU when the data is collected, the GDPR would not apply.
What activities trigger application of the law?
If you collect the personal data, or personally identifiable information, of an EU citizen while they are in the EU, than that data is protected by the GDPR.
What if I am not specifically targeting EU citizens?
Just because an EU citizen comes across your website doesn’t automatically mean that any data gathered from that citizen is subject to the law. Instead, your business must be targeting EU citizens. For example, if your website is in Danish and there are references to Danish users or customers, then your website would be considered targeting marketing and the GDPR would apply. If you were also to accept the Danish kroner and your website had a .dk extension, then this would be more evidence that your business is subject to the GDPR.
I am subject to the GDPR. What kind of data can I process?
The type and amount of personal data you may process depends on the reason you’re processing it and what you want to do with it. Follow these rules:
- Personal data must be processed in a lawful manner and you must be completely transparent and fair to the individuals whose personal data you’re processing
- You can’t process personal date for just any reason. You must have specific purposes for processing the data and you must indicate those purposes to the individuals when collecting their personal data. You can’t say there is an “undefined purpose” as to why you are collecting the data.
- you must collect and process only the personal data that is necessary to fulfil that purpose
- you must ensure the personal data is accurate and up-to-date, and correct it if not
- You can’t use the personal data for any other purpose beyond the original purpose of collection.
- You must store data for the shortest time possible, taking into consideration the reasons why you need to process the data
- you must install appropriate technical and organizational safeguards that ensure the security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technology
What information must I provide individuals whose personal data I collect?
At the time of collecting their data, individuals must receive very clear and concise information on:
- who your company is, including contact information;
- why your company will be using their personal data;
- the categories of personal data collected;
- the legal justification for processing their data;
- for how long the data will be kept;
- who else might receive it;
- whether their personal data will be transferred to a recipient outside the EU;
- that they have a right to a copy of the data (right to access personal data) and other basic rights in the field of data protection (see complete list of rights);
- their right to lodge a complaint with a Data Protection Authority (DPA);
- their right to withdraw consent at any time;
- where applicable, the existence of automated decision-making and the logic involved, including the consequences thereof.
The information may be provided in writing, orally at the request of the individual (once you have verified their identity by other means) or electronically. Your company must do that in a concise, transparent, intelligible and easily accessible way, in clear and plain language and free of charge.
When data is obtained from another company, your company should provide the information listed above to the person concerned:
- within no more than 1 month after your company obtained the personal data; or,
- when the data is used to communicate with the individual; or,
- when the personal data was first disclosed.
You are required to inform the individual of the categories of data and the source from which it was obtained including if it was obtained from publicly accessible sources.
If you have clients that are residents of the European Union, you may be subject to the GDPR. The consequences of not complying are steep. Depending on the violation, you could face a fine of up to 20 million Euros or 4% of your total revenue for the preceding year. Don’t wait to get put out of business, give us a call today to schedule a consultation.
Background vector created by Freepik