Businesses based outside the European Union

Definition under the GDPR

The GDPR applies to:
• data controllers in the UK and EU,
• data controllers outside the UK and EU who offer goods or services to individuals in the UK or EU, and
• data controllers outside the UK and EU who monitor the behaviour of individuals in the UK or EU.

What does the GDPR definition really mean?

All UK businesses will be governed by the GDPR (and, indeed, any additional rules that the UK Government implements, such as the Data Protection Act 2018).

Non-EU businesses will also be caught by the GDPR if they provide goods or services to customers within the UK or EU, or monitor the activity of individuals within the UK or EU.

What are the significant changes brought in by the GDPR?

The major change is the extension of EU data protection obligations to businesses outside the EU. The previous UK data protection regime only applied to non-UK businesses that used equipment in the UK to process personal data. Now, however, the GDPR applies to non-EU businesses that provide goods or services to customers in the UK or EU, even if they don’t use equipment located in the UK or the EU in order to do so.

What effect has this had on non-UK businesses?

If the business is within the UK or EU, then the GDPR will apply to that business in the usual way.

If the business is outside the UK and EU, then the business must identify whether it offers any goods or services to UK or EU-based customers, or whether it monitors the behaviour of UK or EU-based data subjects. If the answer to either question is ‘yes’, then the GDPR will apply to that business, regardless of its geographical location.

What will my business need to do?

If your business is located in the UK, or the EU, then there is nothing for you to do in relation to this particular issue.

However, if your business is located outside the UK and EU, and you have established that the GDPR applies to your business, then you need to take the same steps in order to comply with the GDPR as are being taken by UK and EU businesses. Either that, or cease offering goods and services to customers in the UK and EU.
In addition, the GDPR will require you to appoint a representative in the UK or EU. That representative must be authorised to act on your behalf regarding your GDPR compliance, and to deal with data subjects and regulatory authorities. The identity of your UK or EU representative must be disclosed to your UK and EU customers, typically as part of your privacy policy.

FAQs

If that parent company will offer any goods or services to customers in the EU, or monitor the behaviour of EU-based individuals, then the parent company will have to comply with the GDPR in precisely the same way as your subsidiary business. That will include having to appoint, and enter into a written contract with, a representative in the EU who will be responsible for ensuring compliance with the GDPR.

Yes, the GDPR does in fact govern some American companies.

Indeed, there are a number of American laws that govern aspects of UK business, particularly in relation to anti-bribery and financial crime.

Yes and no. On the UK’s exit from the EU the GDPR ceased to apply, however it was replaced by a mirror version of the GDPR called (imaginatively) the UK GDPR. Save for a few exceptions, the UK GDPR will match the GDPR, though changes to the GDPR will no longer flow down into UK law automatically, which could lead to the GDPR and UK GDPR diverging on certain issues in the future.

You can appoint a person, or a company, but they must be based in the UK (if you offer goods and services to customers in the UK) and/or the EU (if you also offer goods and services to customers in the EU). Many non-EU companies have appointed their UK lawyers, or specialist consultancies. But bear in mind that you are required to enter into a written contract with whoever you appoint.

Possibly not. There is an exception for businesses that only offer goods and services to UK customers occasionally, provided there is a low risk to the data protection rights of those customers and you do not process large quantities of ‘special category’ (or sensitive) personal data.