You may have heard that the GDPR became enforceable on May 25th 2018. If you have a web-based business in the U.S. are you required to comply? The GDPR applies to (among other situations) the processing of personal data of people who reside in the EU countries by an entity that is not located in the EU, related to:
– the offering of goods or services to people in the EU – even if they are offered free of charge; or
– the monitoring of behavior that takes place within the EU.
Two primary groups of entities must therefore comply with the GDPR:
1. Firms located in the EU; and
2. Firms not located in the EU, if they offer free or paid goods or services to EU residents or monitor the behavior of EU residents.
This second category likely renders most global businesses liable. Recital 23 to the GDPR provides a list of non-exhaustive examples for deciding whether there is sufficient evidence that a firm is within the GDPR’s scope:
May be insufficient evidence (i.e., these factors alone do not suggest a need to comply):
– The firm’s website is accessible to EU residents
– The firm’s email or other contact details are accessible to EU residents
– The firm is located in a non-EU state that speaks the same language as an EU state
May be sufficient evidence (i.e., these factors suggest a possible need to comply):
– The firm markets its goods and services in the same language as that which is generally used in an EU member state. (Languages commonly used outside of EU states such as English or Spanish will not be by themselves deemed sufficient evidence of intent to offer goods and services to EU residents, whereas languages more local to EU member states, such as Bulgarian or Estonian, may be sufficient alone).
– The firm lists prices in EU member state currencies (the Euro, British pound sterling, Swiss franc, etc.)
– The firm cites EU customer or user reviews or testimonials
Summary – If your website is in English (a universal language), doesn’t state prices in EU currencies and doesn’t use testimonials from EU residents, chances are that you need not comply with the GDPR. However, because with all things regulatory “the Devil is in the details,” consult legal counsel if you are unsure.