While businesses of any size can be subject to the EU General Data Protection Regulation, this installment of The eData Guide to GDPR explores whether there are any limitations on type, size, or location under the regulation.
Generally, a business of any size engaged in “economic activity” is subject to the General Data Protection Regulation (GDPR) if it has offices inside the European Union, offers goods or services to data subjects in the EU, or monitors the behavior of data subjects in the EU.[1] Though the GDPR does not explicitly define “economic activity,” it would seem to include any professional or commercial activity. Specifically, GDPR Recital 18 states that the regulation does not apply to processing of personal data by a person for purely personal or household activities “with no connection to a professional or commercial activity.” Companies are left wondering whether there are any limitations on type, size, or location that would exclude a concern from the regulation.
Any organization that operates in the EU will be subject to the GDPR no matter where the company is headquartered. But the regulation extends far beyond the borders of the EU. Basically, any organization that has customers in the EU will be subject to the GDPR.[2] Similarly, any organization that collects information or data about EU citizens will be subject to the regulation.[3] Thus, many organizations that have no business offices or employees within the EU can still be subject to GDPR. Some examples of extraterritorial businesses subject to the GDPR include the following:
Even a non-EU charitable organization that solicits funds from EU citizens to aid with disaster relief or help fight hunger in third-world countries would likely be subject to the GDPR.[5]
Conversely, according to the European Commission, if you are a non-EU company that only provides services to customers outside the EU (i.e., the business does not target its services to individuals within the EU), even if customers could still use the services inside the EU, the company is not subject to the GDPR. Take, for example, the non-EU-based travel agency discussed above. If the travel agency only provides services to US customers but those customers might use the services while in the EU (for example, a US travel agency helped a US customer book a vacation in Italy), it would seem the GDPR would not apply to the travel agency. Similarly, a small-town bank with local customers that does not target its services to individuals within the EU but allows its local customers to perform online banking or make withdrawals while in the EU would not be subject to the GDPR.
The size of the organization does not matter when it comes to the GDPR. The GDPR applies to a business processing personal data regardless of whether the business is a small-scale business or a global behemoth. If the business operates in the EU, offers goods or services to data subjects in the EU, or monitors behavior of data subjects in the EU, the GDPR applies, regardless of size.[6] Thus, even a small sole proprietor in the United States or Australia that sells handmade items on the internet and ships them to the EU would be subject to the GDPR as “offering goods or services to data subjects in the EU.”
While size may not matter with respect to the overall applicability of the GDPR, the regulation does provide for specific measures to be considered for micro, small, and medium-sized enterprises. GDPR Recital 13 states, “Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises”; and GDPR Recital 167 continues by stating, “The Commission should consider specific measures for micro, small and medium-sized enterprises.” Micro, small, and medium-sized enterprises are defined as follows:
The GDPR calls for specific considerations for micro, small, and medium-sized enterprises. Specifically, implementing measures, data protection certifications, and codes of conduct should take account of the specific needs of micro, small, and medium-sized enterprises. References to these considerations are found in various locations within the GDPR:
In addition, obligations related to recordkeeping for data processing do not apply to an enterprise with fewer than 250 employees “unless the processing it carries out is likely to result in a risk to the rights and freedoms of the data subjects, the processing is not occasional, or the processing includes special categories of data referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.”[8] GDPR Recital 13 states that in order “to take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping.”
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact the following Morgan Lewis lawyer:
Houston
Jennifer Mott Williams
[1] See GDPR Art. 3(1) & (2) (discussing territorial scope and applicability of GDPR); see also GDPR Recitals 23 & 24.
[2] GDPR Recital 22.
[3] GDPR Recital 23.
[4] GDPR Recital 24.
[5] See GDPR Art. 4(18) (noting an enterprise includes “a natural or legal person engaged in an economic activity, irrespective of legal form”).
[6] See id.; see also GDPR Recitals 23 & 24.
[7] See Commission Recommendation of 6 May 2003.
[8] GDPR Art. 30(5).