Does GDPR Apply to Citizens Outside the EU?

August 6, 2024

Our mission is to make data protection easy for people: easy to understand and easy to read about. We do that through our blog posts, making it easy for the end-user to understand personal data protection.

The volume of data being generated is spiralling upward, and so is the need for meticulous processing and handling.

The General Data Protection Regulation (GDPR), enacted by the European Union, stands as the cornerstone of responsible data processing, obligating organisations to uphold users’ data privacy.

But does GDPR apply to citizens outside the EU? Let’s dive into the answer.

What is GDPR?

The General Data Protection Regulation (Regulation (EU) 2016/679, abbreviated GDPR) is a data privacy law passed by the EU that became enforceable on May 25, 2018. It is the European Union’s regulation on information privacy, applying within the EU and the European Economic Area (EEA). It modified and modernised the principles of the 1995 Data Protection Directive.

GDPR requires all member countries across Europe to comply with its regulatory standards when processing the personal data of data subjects. Any violation of the GDPR standards can lead to hefty and long-term repercussions: fines and penalties that can reach tens of millions of euros.

After Brexit, GDPR has been retained in the UK’s domestic law as the UK GDPR. That means that organisations now need to adhere to both EU GDPR and UK GDPR while processing personal data post-Brexit.

Organisations failing to comply with GDPR principles incur heavy penalties: 4% of their annual turnover or 20 million euros, whichever is greater.

Data Privacy Principles in GDPR

  • Lawfulness, fairness, and transparency: According to GDPR, data controllers should ensure the transparent, lawful, and fair processing of personal data belonging to data subjects.
  • Purpose limitation: GDPR mandates that businesses collect, store, and process personal data only for legal and explicit purposes of which data subjects are informed. Any processing beyond the defined purpose is considered unlawful and subject to penalties. Under Article 89(1), processing for scientific, environmental, and research purposes is not a violation of the purpose limitation principle.
  • Data minimisation: Data processing should be only for what is required and in line with the purpose; no further processing should be carried out.
  • Accuracy: This principle mandates that organisations process only accurate and up-to-date data. Any inaccurate or inconsistent data should be erased immediately after detection and before processing.
  • Storage limitation: Organisations may retain personal data only for as long as the specified purpose has not been fulfilled. Longer storage for public interest, scientific, or research purposes is not subject to this limitation; however, according to Article 89(1), businesses must implement appropriate technical and organisational measures when retaining user data for longer.
  • Integrity and confidentiality: GDPR mandates organisations to ensure data is processed securely and is out of reach of any unauthorised access.

Again, before collecting personal data, data controllers must ensure data subjects provide their consent voluntarily. Individuals hold the right to access, review, revise or even delete their data held by a data controller.

In GDPR, personal data refers to any data that can be used to identify a person (also called a data subject). Personal data includes:

  • name
  • address
  • annual income
  • ID card/passport number
  • IP address
  • cultural profile
  • medical records

Now, does GDPR apply to citizens outside the EU?

Yes, GDPR applies outside EU territory. This is because GDPR applies to any organisation that deals with and processes the personal data of residents within the EU. It doesn’t matter where the company is located: regardless of location, GDPR applies if the company has collected, stored, or processed the data of people living in the EU nations.

GDPR spells out the territorial scope of the law in Article 3.

Article 3 states that GDPR applies to companies not established in the EU if they process the personal data of individuals within the EU while offering them goods or services or monitoring their behaviour. Regardless of location, companies handling the personal data of individuals within the EU must adhere to GDPR standards or face penalties.

Let’s elaborate on the two criteria that bring businesses within the scope of GDPR.

Offering Goods or Services

Offering goods or services to people in the EU, regardless of where the serving organisation is located, brings it within the scope of GDPR. This can take the form of online services, an eCommerce platform, or any commercial transaction involving people within the EU. While collecting and processing data belonging to EU residents, such businesses must adhere to the GDPR principles outlined above.

Monitoring Behaviour

Another key criterion that obligates companies to comply with GDPR is monitoring the behaviour of EU residents. This may include using cookies and other technologies to identify user preferences and trends, predicting the actions of individuals within the EU, tracking their online activities, profiling them, and so on.

By monitoring behaviour, organisations passively collect and store personal information, which mandates GDPR compliance. GDPR obligates them to ensure transparency, fairness and lawfulness while processing the personal data of EU residents.

Exceptions to the rule

There are two noteworthy exceptions to the GDPR compliance criteria. First, when conducting a purely “personal or household activity” you don’t need to follow the GDPR framework.

For example, if you are organising a family picnic and inviting people via email, there is no need to encrypt their contact information for GDPR compliance. GDPR compliance is meant for businesses that perform “professional or commercial activity”; for example, if a company emails its contacts or raises funds for a new startup, GDPR applies to it.

Second, small to mid-sized businesses with fewer than 250 employees are exempted from the record-keeping obligation (see Article 30(5)). However, they still have other GDPR standards to follow, and violations of GDPR can lead to penalties or sanctions.

Does GDPR Apply to Non-EU Citizens?

A common misconception about GDPR is that it applies only to EU citizens. In fact, GDPR considers the location of the data subject, not their citizenship. Therefore, if the personal data of individuals residing outside the EU is processed within EU territory, it is covered by GDPR.

Similarly, organisations outside the EU that handle the personal data of EU residents face GDPR obligations. For example, they have to comply with GDPR principles, implement stringent data protection measures in line with GDPR requirements, and appoint a representative in the EU for compliance monitoring purposes. These criteria make GDPR a global standard in the data protection landscape with far-reaching impact.

Best Practices to Ensure GDPR Compliance

Complying with the GDPR framework requires businesses to adopt a risk-based approach to processing personal data. Review the following key points and implement them in your data processing practices:

  • Appoint a Data Protection Officer (DPO): Organisations with a high volume of data processing activities should hire a dedicated DPO to ensure their operations are in line with GDPR principles. A DPO ensures the company processes the data of all data subjects it deals with (consumers, employees, sellers, etc.) in compliance with GDPR. DPOs are also experts in data protection rules who can play a critical role in training and keeping other employees informed about GDPR best practices. Thus, businesses can effectively comply with the framework and avoid non-compliance across their data processing activities.
  • Classify all data: To uphold data quality, integrity and confidentiality, organisations must take stock of the data they hold. Data classification helps here by allowing stakeholders to assess the quality of the data they are accountable for. In addition, categorising data by type and processing priority makes it easier for data controllers to enforce effective security measures, and lets them identify and flag any personally identifiable information (PII) they hold.
  • Conduct a Privacy Impact Assessment: Conducting a privacy impact assessment (PIA) is critical to tracking down any potential risks that may arise while collecting, storing or processing personal data and PII. It is a key element of GDPR’s privacy-by-design approach, which encourages the use of technology as a proactive measure for identifying and mitigating risk in data processing and handling. A PIA helps evaluate the processes associated with data collection, storage and potential transfer, enabling effective mapping of data as it flows within the company. GDPR obligates organisations to conduct a data protection impact assessment prior to processing if the PIA indicates that data subjects are exposed to severe privacy risks.
  • Test Data Breach Response Procedures: GDPR mandates that organisations report a data breach to the data protection authority (DPA) within 72 hours of detecting it. Organisations must also inform affected data subjects of the breach without “undue delay.” Failing to follow this rule can lead to penalties. Organisations should test and validate their data breach handling processes to ensure they can meet this deadline.
  • Monitor and Audit GDPR Compliance: Organisations need to conduct regular audits of their privacy protection practices to demonstrate compliance with GDPR.

Records of all data that is held, how it is processed, details of any transfers of data to other countries and how it is protected must be kept up to date. Carry out regular risk assessments to determine whether data processing methods, documentation and privacy policies need updating. And, of course, the security of the IT infrastructure needs to be maintained.
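The “classify all data” practice and the storage limitation principle discussed above both come down to the same audit question: which records hold personal data, and has any of it outlived the purpose it was collected for? The following is an added example, not code from the original post or from any product it describes. It flags PII fields in a handful of constructed customer records (field names drawn from the kinds of personal data listed earlier in the post) and checks each record against a hypothetical per-purpose retention policy; the tier names, patterns, retention periods and sample records are all this example’s own assumptions.

```python
"""Added example (not from the original post): flag PII in records and
check them against a per-purpose retention limit. All field names, tiers,
retention periods and sample records are constructed for illustration."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical retention policy: purpose of processing -> maximum retention.
RETENTION_POLICY = {
    "order_fulfilment": timedelta(days=2 * 365),
    "newsletter": timedelta(days=365),
}

# Field names based on the kinds of personal data the post lists, each mapped
# to a handling tier (the tier names are this example's own).
PII_FIELDS = {
    "name": "identifying",
    "address": "identifying",
    "annual_income": "financial",
    "passport_number": "identifying",
    "ip_address": "identifying",
    "cultural_profile": "special_category",
    "medical_records": "special_category",
}

# Value-based detectors for PII that hides inside free-text fields.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Bookkeeping keys that describe the record itself, not the data subject.
METADATA_KEYS = {"id", "purpose", "collected_at"}


@dataclass
class Finding:
    record_id: str
    field: str
    category: str
    reason: str


def classify_record(record: dict) -> list:
    """Flag every field that is, or contains, personal data."""
    findings = []
    rid = str(record.get("id", "?"))
    for key, value in record.items():
        if key in METADATA_KEYS:
            continue
        if key in PII_FIELDS:
            findings.append(Finding(rid, key, PII_FIELDS[key], "known PII field"))
            continue
        if isinstance(value, str):
            for name, pattern in PII_PATTERNS.items():
                if pattern.search(value):
                    findings.append(Finding(rid, key, "identifying", f"{name} detected in value"))
    return findings


def retention_expired(record: dict, now: datetime) -> bool:
    """True when the record has outlived the retention limit for its purpose.
    A purpose with no policy entry is treated as expired (fail closed): data
    with no defined purpose has no basis for continued storage."""
    limit = RETENTION_POLICY.get(record["purpose"])
    if limit is None:
        return True
    collected = datetime.fromisoformat(record["collected_at"])
    return now - collected > limit


def audit(records: list, now: datetime) -> dict:
    """Per-record report: PII findings plus whether retention has expired."""
    return {
        str(rec["id"]): {"pii": classify_record(rec), "expired": retention_expired(rec, now)}
        for rec in records
    }


# Constructed sample records; 203.0.113.7 is a documentation-range address.
SAMPLE_RECORDS = [
    {"id": "r1", "name": "Ada Example", "email": "ada@example.org",
     "purpose": "order_fulfilment", "collected_at": "2023-01-15T10:00:00+00:00"},
    {"id": "r2", "notes": "customer connected from 203.0.113.7",
     "purpose": "newsletter", "collected_at": "2022-06-01T09:30:00+00:00"},
    {"id": "r3", "medical_records": "redacted", "purpose": "analytics",
     "collected_at": "2024-01-01T00:00:00+00:00"},
]

# Fixed reference date (the post's publication date) so results are reproducible.
AS_OF = datetime(2024, 8, 6, tzinfo=timezone.utc)

if __name__ == "__main__":
    for rid, result in audit(SAMPLE_RECORDS, AS_OF).items():
        fields = ", ".join(f"{f.field} ({f.category})" for f in result["pii"]) or "none"
        print(f"{rid}: pii={fields}; retention expired={result['expired']}")
```

Two design choices matter here. Classification combines a known-field list with value-based detection, because PII routinely leaks into free-text columns (the `notes` field above carries an IP address) and a schema-only inventory would miss it. The retention check fails closed: a record whose purpose has no entry in the policy is reported as expired rather than silently kept, which is the conservative reading of purpose limitation for an audit script.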

Thomas Lambert