Namely, according to the GDPR, all foreign companies that either (i) offer goods or services, irrespective of whether a payment is required, to data subjects in the EU, or (ii) monitor their behavior, insofar as that behavior takes place within the EU, are subject to the GDPR. This means that such companies must abide by the burdensome rules prescribed by the GDPR, or risk high penalties – up to EUR 20,000,000.00 or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Likewise, for some less significant infringements, fines shall go up to the higher of EUR 10,000,000.00 or 2% of the total worldwide annual turnover.
In practice this means that, due to the GDPR's extra-territorial effect, even a data processor not established in the EU may be subject to administrative fines if it conducts its business activities in a way that is non-compliant with the GDPR. This is especially important for multinational companies that share personal data between group members on a regular basis, as they are obliged to achieve compliance in all jurisdictions – both within and outside the EU.
Apart from the expanded territorial scope, the GDPR has revisited the existing rights of data subjects and obligations of data processors/controllers, and added some new ones. For example, companies that process data on a large scale, and those that process data as part of their core activity, will have to appoint a Data Protection Officer – a person responsible for compliance with data protection rules and for communication with the competent supervisory authorities.
The GDPR has codified the data subject's "right to be forgotten" (right to erasure). This right was already considered part of the right to respect for private and family life, but due to its significance in the internet era it was necessary to regulate it separately. Namely, the existence of unfavorable information on the internet can seriously affect someone's life. Under the right to be forgotten, data subjects are, under certain conditions, entitled to require data controllers to erase their personal data or to make it unavailable. These conditions include, inter alia, situations where the personal data is no longer necessary for the purpose for which it was collected, where the data subject has withdrawn consent, or where the processing was unlawful.
Data subjects will also have a right to data portability, i.e. they will be entitled to request that data controllers transfer their data to them, or to another controller, in a structured, commonly used format.
Given the expanded scope of the GDPR and the newly introduced fines, it is strongly advisable to perform a gap analysis of your GDPR compliance – whether your business is incorporated within or outside the EU. If you have any questions related to these new data protection rules, please feel free to contact our Data Protection team.