The EU General Data Protection Regulation (“GDPR”) was approved by the EU Parliament and enforcement is scheduled to begin May 25, 2018.
With this in mind, it is important to note that the GDPR may apply to the processing of personal data, even though the processor is not established or located in the EU, if it relates to certain activities, including selling goods or services to EU data subjects and collecting certain information of EU data subjects online.
In general, the use of a website that makes goods or services available to data subjects may be sufficient to trigger obligations under the GDPR. Recital 23 to the GDPR suggests that if the website is translated to the language of the applicable EU member country, or the goods or services are priced in the currency generally used in one or more EU member countries, the company is likely to be caught by this provision.
In general, these requirements will likely catch many online companies established outside of the EU if they are processing data of EU customers in the course of their commercial activities.
To understand and prepare for applicable compliance obligations, it is generally advisable to assess your company’s operations to determine whether the GDPR would apply. It is important to note that the GDPR places an emphasis on documentation that must be maintained to demonstrate accountability. Compliance with the GDPR requires organizations to review their approach to how they manage data protection. This will likely involve documenting the types of personal data the company holds, how it obtained the information, how it uses the information, and who it shares the information with. Compliance will likely also include reviewing the contracts and other arrangements the company has in place for transferring data to and receiving data from third parties, developing GDPR-compliant privacy notices, and developing and refining processes to enable individuals to correct and delete certain personal data, and to obtain, record and manage consent from individuals.