Who Does GDPR Apply To? Understanding GDPR’s Scope
Pritesh Vora
Oct 10, 2024
Key Points
- GDPR is the European Union’s data privacy law, created to give EU citizens and residents more control over how their personal data is used.
- GDPR governs the processing of EU citizens’ and residents’ personal data by any public or private company worldwide.
- There are two exceptions to the GDPR. If you collect personal data for purely personal or household activity, such as inviting people to a family event, the GDPR does not apply to you. Secondly, if your company has fewer than 250 employees, you are partly relieved of certain personal data collection obligations.
Introduction
The General Data Protection Regulation (GDPR) is the core of the European Union’s digital privacy legislation. The regulation was introduced to govern how cloud-hosted companies process the personal data (name, address, email ID, credit card number, etc.) of EU citizens and residents.
But exactly who does the GDPR apply to? Does it only affect companies within the EU? Or does it also affect companies outside the EU? If it does, are companies outside the EU required to comply with the regulation?
In this article, we answer all of these questions and more.
So, if you have been wondering whom the GDPR applies to and whether it applies to your cloud-hosted company, you have come to the right place.
What is GDPR?
GDPR is a regulation of the European Union that aims to simplify the regulatory environment for cloud-hosted companies so that both EU citizens and companies can mutually benefit from the new digital economy.
The purpose of the GDPR is to dictate how cloud-hosted companies process EU citizens’ data and to protect that data from security risks.
The law requires cloud-hosted companies to implement appropriate safeguards, to justify their need to gather personal data, and to protect the collected data through encryption and other strict security measures.
Any cloud-hosted company that does not comply with GDPR rules is subject to hefty monetary penalties of up to 4% of annual turnover or €20 million, whichever is greater.
Who Does GDPR Apply To?
GDPR applies to any organization that collects and processes the personal data of EU citizens. This makes the GDPR binding on the 27 member countries of the European Union (EU) and on the European Economic Area (EEA), which also includes Iceland, Norway and Liechtenstein, as well as on any non-EU organization processing such sensitive information.
Does the GDPR Apply Outside Europe?
Yes, the GDPR applies to any cloud-hosted company that collects and uses EU citizens’ data, regardless of whether the company is EU-based. The primary goal of the law is, after all, to ensure the lawful and transparent processing of EU citizens’ data. Article 3 of the GDPR establishes this extra-territorial effect.
The GDPR compliance checklist is laid out clearly in Article 3, under the territorial scope of the law.
As per Article 3, the GDPR applies to all companies outside the EU if they are:
- Offering goods/services or monitoring the behavior of individual EU citizens & residents.
- Collecting and processing the personal data of EU citizens and residents as part of their business activities, regardless of where their data is processed. This will be the case even if the data is stored outside the EU.
Who Does the GDPR Not Apply To?
GDPR does not apply to EU citizens living in the US.
Article 3 of the GDPR refers to the people it protects as “data subjects in the Union”. So, if an EU citizen is living in the US and your cloud-hosted company collects the personal data of such EU citizens living in the US, the GDPR does not apply to that data.
What Does GDPR Mean for US Companies?
Unlike industry-specific regulations such as HIPAA Compliance and GLBA Compliance, the GDPR is a generalized regulation for data privacy.
Hence, the GDPR applies to all companies, both public and private, that collect and/or process the personal data of EU citizens and residents.
Specifically, a US-based company is subject to the GDPR if it meets any of the following criteria:
- The company collects and processes EU citizens’ data
- The rights, freedoms, and security of EU citizens’ data may be at risk
- The company processes special category data such as racial or ethnic origin, sexual orientation, and health status
When Does GDPR Apply to US Companies?
There are two major scenarios when a US firm may need to become GDPR compliant.
1. Offering Goods or Services
Thanks to the internet and advances in technology, the entire world is now connected, enabling cross-border delivery of all kinds of goods and services.
For example, if your cloud-hosted company is not based in the EU but provides any kind of service to EU customers and accepts their payments online, then the GDPR applies.
In a nutshell, your cloud-hosted company might need to comply with the GDPR if it offers its services outside its home country, including to EU citizens and residents.
2. Monitoring EU Citizens’ Behavior
If your cloud-hosted company’s website uses tools to track the IP addresses or cookie consent of visitors from EU countries, then GDPR compliance is mandatory.
Similarly, if you collect and/or process EU citizens’ data on behalf of others, you are required to comply with the GDPR.
For example, suppose your company offers a worldwide flower delivery service. If a customer outside the EU orders a bouquet to be delivered to a loved one living in an EU country, then your company is required to comply with the GDPR in that situation.
Does GDPR Apply to Public-Sector Organizations and US Government Agencies?
Technically, the GDPR applies to companies worldwide.
But, as we just mentioned, the GDPR governs processing activities related to EU citizens’ and residents’ data only when the processing serves either of the following purposes:
- To offer goods and/or services
- To monitor the behavior of EU-based individuals
Based on this, it can be concluded that many public-sector organizations may not be subject to GDPR compliance. This includes a few federal agencies, such as the Department of Homeland Security and the Department of State, that may have their own reasons to collect EU citizens’ and residents’ data and monitor their behavior.
On the other hand, if a state tourism department collects personal data to advertise itself to EU citizens and residents, the GDPR applies to it. Similarly, if a university collects data about prospective EU-based students, the GDPR applies to the university as well.
However, most other government agencies, even if they collect data related to the business interests of EU citizens, are not subject to GDPR compliance.
Does the GDPR Apply to US Citizens?
The answer is yes: the GDPR can apply to anyone living in EU countries, including US citizens.
For instance, if a US citizen is living in any of the EU countries and a company collects personal data about this US citizen, then the GDPR applies to that personal data.
Conversely, the GDPR does not apply to the personal data of US citizens living in the US. There are, however, similar data privacy regulations in the US that protect US citizens.
The California Privacy Protection Act (CalOPPA) and the California Consumer Privacy Act (CCPA), for example, largely control the collection of personal data of any person residing in the state of California.
There is one more regulation, the Children’s Online Privacy Protection Act (COPPA), which governs the collection, use and distribution of the data of children under the age of 13 while they are on US soil, regardless of their citizenship.
Are there Exceptions to these Rules?
There are two exceptions to the GDPR.
First, the GDPR does not apply when you collect personal data for purely personal or household activity. For example, if you gather your colleagues’ details, such as phone numbers and email IDs, just to invite them to a family event or occasion, you do not have to comply with the GDPR.
The second exception is for cloud-hosted companies with fewer than 250 employees. However, this exception does not mean that all small and medium-sized cloud-hosted companies are completely exempt from GDPR compliance.
In most cases, the GDPR only relieves them of certain personal data collection obligations, as stated in Article 30.
Conclusion
After reading this article, if you feel certain that the GDPR applies to your cloud-hosted company, it is highly recommended that you familiarize yourself with the law in full and become GDPR compliant, so as to avoid violations, reputational damage, and large fines.
If you’re not sure how to become GDPR compliant, Sprinto can help you achieve GDPR compliance the right way.