GDPR - General Data Protection Regulation - Only applicable to EU data?

MrTetris

Involved In Discussions
#1
The GDPR, as far as I know, is applicable to EU data only. But is that really the case?
According to Art. 3-1, it seems that all data processed in the EU are subject to the GDPR:
"This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."

Art. 3-2 mentions: "This Regulation applies to the processing of personal data of data subjects who are in the Union...", but still, if Art. 3-1 is valid, non-EU data processed in the EU are subject to the GDPR. Am I wrong?
 

Mark Meer

Trusted Information Resource
#2
I'm no expert, but from what it appears, the only case that is not subject to GDPR is where all of the following conditions are met:
a) You are not based in the Union;
b) You have no servers/systems in the Union that process data; and
c) You do not process any data of people in the Union.

If this is the case, depending on your application, these can be pretty tough criteria to meet. ...so basically the idea that it applies to EU data only, while technically true, in practice is unrealistic. How this gets enforced is a whole different question. We'll just have to see, I guess.
 

mihzago

Trusted Information Resource
#4
I think the main premise of the GDPR is to protect any data of EU subjects regardless of where it is processed. If you, for example, store data of EU users anywhere in the world, then you're subject to the GDPR.
If you, say, have servers in the EU, but don't process any data of EU subjects, which is probably not a frequent scenario, then I don't think the GDPR applies, and even if it does I don't see how that would be enforced.
 

MrTetris

Involved In Discussions
#5
Hi mihzago, maybe my first post was not clear... my problem is the opposite: we are placed in the EU, but we process US data. Does the GDPR apply?
 

mihzago

Trusted Information Resource
#6
In my opinion, no, because the GDPR applies to all companies processing the personal data of data subjects residing in the Union.
I don't see any DPAs trying to enforce any requirements on data of non-EU subjects.

My interpretation of Art. 3-1 is that if you're an EU company, but store EU-based subjects' data in, say, Australia, you still fall under the regulation.
 

Ninja

Looking for Reality
Staff member
Super Moderator
#7
I'm no expert in this...but the excerpts in your OP seem like pretty standard format for "covering the bases" and "closing loopholes".

3.1 If you are a CONTROLLER IN the Union
3.1 If you are a PROCESSOR IN the Union
3.2 If you process personal data of SUBJECTS IN the Union

Looks like they are trying to be clear that if it touches the Union in any manner, GDPR applies.

Again, I'm no expert here...but I would reach out to someone who is...either the governing board, compliance board, or professional legal advice.
Even from Mark Meer's post up above...if you are EU based or EU housed...you fail Mark's point (a). Get professional and accountable input...not just this forum.
 