The GDPR (General Data Protection Regulation) is the primary data protection regulation in the EU, and it governs how companies process European Union citizens’ personal data. It applies to all member states of the EU and countries in the EEA.
The regulation is valid outside the EU territory, which means it safeguards the personal information of EU residents and citizens and impacts all companies that deal with personal data, whether or not they’re outside the EU. So if you’re looking for website terms of service generator, click this link.
Does GDPR apply outside the EU?
Yes, but under specific circumstances. The GDPR safeguards the personal data of EU citizens and residents, even if it’s transferred outside the EU borders. This means that this regulation applies to all companies, both EU-based and non-EU companies, that deal with the personal data of European residents and citizens.
An example would be an organization from the United States that gathers data from EU citizens. The legal obligation applies to the organization as if it has its head office in the EU, even if it doesn’t have to have any offices within the borders of any European Union country. This means that if the company offers services or goods to EU citizens or tracks the behavior of consumers within the EU, it must comply with GDPR. To learn about what the GDPR required by law, click this link.
Does GDPR apply to European Union citizens abroad?
Many non-EU companies often argue that they have no means of knowing if a data subject is protected by the General Data Protection Regulation, especially if the person visits the organization in person or otherwise says they live locally.
Luckily, a data subject’s current location overrides their citizenship when establishing if GDPR applies. Thus, the GDPR doesn't apply to EU citizens and residents living or holidaying outside the EU.
If an EU citizen is outside the EU, they’re subject to the laws of the country they’re in. However, if they’re in the European Union territory and provide their personal information remotely--over the phone or online--the GDPR protects them. To learn more about personal information requirements, click this link to read our latest article.
Examples of General Data Protection Regulation Compliance Outside the European Union
Here are a few examples of data processing by non-EU companies and whether they’re subject to the General Data Protection Regulation.
Example One: A restaurant in Cairo, Egypt, has a website that enables customers to use its takeaway service or book a table. European Union holidaymakers often visit this restaurant and enjoy the food there. Here, the GDPR doesn’t apply because the restaurant targets customers who live locally.
Example Two: A software company in Sydney, Australia, has built a tourist app that monitors users’ locations and suggests nearby points of interest. The app has options for tourists in Rome, London, Paris, and Sydney. The GDPR applies because this app is used by people in the European Union, whether they are visiting from elsewhere or are local.
Example Three: A Canadian citizen is on a business trip to Paris. While in Paris, they download a workout app from their hometown. The GDPR doesn’t apply in this scenario, even if the person was in the EU when their personal information was collected. For the GDPR to apply, the services or goods or tracking must target those in the EU. However, unlike in the second example, where the software company assumes that people in the European Union will use its service, that’s not the case here. The workout app is designed mainly for people living in Canada. However, Canadian citizens may also use the app while in the EU.
GDPR is specifically designed to protect the personal information of EU citizens and residents. Therefore, it only applies to EU citizens and residents inside the EU. However, it also applies to all companies that process the personal data of EU citizens, regardless of whether or not a company is based in the EU.