When Does GDPR Apply? | TrustArc


Does the GDPR apply to your organization? 3 examples

In the run-up to May 25, 2018, when the EU General Data Protection Regulation (GDPR) became enforceable, we saw many organizations scrambling to prepare. The question “When does GDPR apply?” was common.

Information security leaders at companies located in the EU or doing business with people in the EU have invested time and money in assessing GDPR compliance readiness.

They have since established new collection and security processes, technology and controls to ensure they are GDPR compliant.

We also know that some US organizations have struggled with day-to-day decisions about when GDPR does or does not apply to their data processing activities.

In our conversations with several clients, we heard three common misconceptions about the applicability of the GDPR:

  1. Collection of personal data from public sources
  2. Personal data is masked from internal teams
  3. Data stored outside the EU

Below, TrustArc’s privacy experts share their insights into these three misconceptions and suggest some things to consider when analyzing your company’s GDPR applicability.

Example 1: Collection of personal data from public sources

Common misconception: The GDPR does not apply to personal data collected from public sources

Some organizations believe that the GDPR does not apply to publicly available information about an individual, as it is not ‘private’ information.

This belief is often backed by justifications such as:

    • Since the personal data was not collected directly from the subject, the organization that collects it is neither a processor nor a controller
    • Since the data was collected from completely public sources, the organization has no contract with anyone.

One example given to support this belief is a company that runs a business directory. The directory was created by collecting information entirely from public information sources.

These business directories are common networking tools. They typically allow people to search for a business name and access information that identifies the owner and anyone else associated with that business, including contact information.

Expert insights into GDPR applicability and compliance

This idea may be appealing, but just because the personal information is collected from public sources does not mean that it avoids violating GDPR rules.

Below is an overview of relevant GDPR articles:

    • Article 2 of the GDPR explains that the substantive scope of the regulation “applies to the processing of personal data”
    • GDPR Article 4(2) defines processing as “any operation or set of operations performed on personal data or sets of personal data…”
    • GDPR Article 4(7) defines a controller, among other things, as an entity that “determines the purposes and means for processing personal data”.

These articles make it clear that if a company processes the personal data of any person in the EU – regardless of the original source – then the GDPR applies.

So, in the example of a company running a business directory, the GDPR applies because it has collected names, job titles and business contact information (addresses, phone numbers and email addresses) about people located in the EU.

All this information is considered ‘personal data’.

There is no loophole because the information was extracted from public sources. The company has clearly processed personal data and assumes the role of controller.

It is also important to remember an organization’s obligation under the GDPR that if they collect personal data about any individuals in the EU, they need to explain how and why that data was collected and used.

Article 14 of the GDPR unequivocally refers to “information to be provided when personal information has not been obtained from the data subject”.

It includes requirements for controllers to explain:

    • The original sources of the personal data
    • The purposes of processing (including the legal basis for processing personal data)
    • The categories of personal data collected
    • Identity and contact details of the controller
    • All recipients of personal data
    • How long the data will be kept
    • The rights of the individual to request access to, correction of or removal of their personal data.

Note: Although we have used business contact information in this example, please note that the GDPR does not differentiate between business and non-business contact information.

Example 2: Personal data is masked from internal teams

Common Misconception: Masking personal data from internal teams is just as good as deleting it for GDPR compliance

We also heard another interesting belief that masking personal data from internal teams is just as good as deleting the data internally, and that way, the organization can comply with GDPR.

The main justification seems to be that masking information – making sure it cannot be seen or used in any way by internal teams – meets the requirements for Article 17 of the GDPR: the right to erasure (‘the right to be forgotten’).

Expert insights into GDPR applicability and compliance

Anonymization of data

This idea doesn’t work for GDPR compliance because the personal data isn’t actually deleted: it’s just hidden.

Article 17 of the GDPR defines the right to erasure as follows: “the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay”.

It lists a number of grounds on which a person (data subject) may exercise their right to be forgotten, and it defines the requirement to delete data in those circumstances, but it doesn’t mention masking data.

Masked data can be unmasked, and even while masked the data still exists in an identifiable form. Therefore, the right to erasure (the right to be forgotten) is not met.

Example 3: Data stored outside the EU

Common Misconception: Moving the data center to store personal data outside the EU means GDPR will not apply

One of the biggest misconceptions is that if a company stores personal data outside the EU, it doesn’t have to comply with the GDPR.

Some of the ideas we encountered and had to correct include:

  • Companies operating in the EU think they are immune to GDPR compliance rules if they already store or have already transferred all their data to a data center outside the EU
  • Companies can get a provider outside the EU to collect the data for them
  • Companies can bake disclaimers and terms into contracts with customers that relieve them of the need to comply with GDPR.

Expert insights into GDPR applicability and compliance

The location of a data center does not affect whether a company must comply with the GDPR. In fact, this issue is explicitly addressed in GDPR Article 3: Territorial scope.

Article 3(1) states that the GDPR applies to “the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”.

The second and third paragraphs of Article 3 explain how the GDPR applies to “the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union”.

Transferring data from the EU does not eliminate the need to comply with the GDPR.

It can even add additional requirements, including:

    • Proving the legal basis for the cross-border data flow, if an organization transfers personal data about individuals in the EU to a data center outside the EU
    • Being responsible for how other organizations manage data on behalf of the organization.

One of the key aims of the GDPR is to prevent organizations from outsourcing responsibilities. GDPR compliance can become more complicated when more companies are involved in managing people’s personal data in the EU.

Even in cases where a controller client outsources work such as data collection, each party – the controller and the processor – has direct responsibility, regardless of what is in the contract between the two organizations.

Data privacy and data security are equally important

Before the introduction of the GDPR, data security was often top of mind for many organizations, with personal data privacy concerns coming second.

Any company developing systems and processes to comply with GDPR should treat privacy and security as equally important.

The European Commission clarifies that organizations are expected to protect the privacy of individuals in the EU when processing their personal data, noting that the GDPR applies to:

    • “A company or entity that processes personal data as part of the activities of one of its branches located in the European Union, regardless of where the data is processed
    • A company established outside the EU … that offers goods/services (paid or free) or … monitors the behavior of people in the EU.”

The European Commission also states that some GDPR obligations will not apply to organizations if “the processing of personal data is not a central part of your business and your activity does not create risks for private individuals.”

The key here is to know whether your organization’s data collection activities capture any information that can be used to identify any individual (data subject) in the EU, directly or indirectly.

Article 4(1) of the GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’)”.

It also explains that, along with common identifiers, such as a name or identification number, information that can be used to identify a data subject includes:

  • Location data
  • Online identifiers
  • Reference to “one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

Your organization’s privacy policies and controls must take these other identifiers into account for all data collection activities during interactions with individuals in the EU.

Do you need support for GDPR compliance?

TrustArc’s privacy experts can help your company analyze when and how GDPR applies to your data collection and data security.

We are always ready to answer questions about approaches to help your organization comply with GDPR and we offer a range of solutions to support your data security strategies.

Learn more by speaking with a privacy expert about our GDPR compliance solutions.
