Insight

Not All Businesses Are Treated the Same

The eData Guide to GDPR

August 06, 2018

While businesses of any size can be subject to the EU General Data Protection Regulation, this installment of The eData Guide to GDPR explores whether there are any limitations on type, size, or location under the regulation.

Generally, a business of any size engaged in “economic activity” is subject to the General Data Protection Regulation (GDPR) if it has offices inside the European Union, offers goods or services to data subjects in the EU, or monitors behavior of data subjects in the EU.[1] Though the GDPR does not explicitly define “economic activity,” it would seem to include any professional or commercial activities. Specifically, GDPR Recital 18 states that the regulation does not apply to processing of personal data by a person for purely personal or household activities “with no connection to a professional or commercial activity.” Companies are left wondering, are there any limitations on the type, size, or location that would exclude the concern from regulation?

Your Location Does Not Matter

Any organization that operates in the EU will be subject to the GDPR no matter where the company is headquartered. But the regulation extends far beyond the borders of the EU. Basically, any organization that has customers in the EU will be subject to the GDPR.[2] Similarly, any organization that collects information or data about EU citizens will be subject to the regulation.[3] Thus, many organizations that have no business offices or employees within the EU can still be subject to GDPR. Some examples of extraterritorial businesses subject to the GDPR include the following:

  • A company outside the EU with a website that targets customers in the EU. Evidence of such targeting might take the form of having a website with a different extension for EU residents (such as .fr or .de), providing for ordering in a European language (such as French or German), mentioning EU customers, or accepting payment in euros.
  • A non-EU travel agency selling accommodations, flights, theme park admittance, or tour reservations over the phone or web to individuals in the EU.
  • A non-EU-based research company that collects research data from EU citizens.[4]
  • A business that tracks EU individuals to try to predict personal preferences.

Even a non-EU charitable organization that solicits funds from EU citizens to aid with disaster relief or help fight hunger in third-world countries would likely be subject to the GDPR.[5]

Conversely, according to the European Commission, if you are a non-EU company that only provides services to customers outside the EU (i.e., the business does not target its services to individuals within the EU), even if customers could still use the services inside the EU, the company is not subject to the GDPR. Take, for example, the non-EU-based travel agency discussed above. If the travel agency only provides services to US customers but those customers might use the services while in the EU (for example, a US travel agency helped a US customer book a vacation in Italy), it would seem the GDPR would not apply to the travel agency. Similarly, a small-town bank with local customers that does not target its services to individuals within the EU but allows its local customers to perform online banking or make withdrawals while in the EU would not be subject to the GDPR.

Your Size Does Not Matter for General Applicability of the GDPR

The size of the organization does not matter when it comes to the GDPR. The GDPR applies to a business processing personal data regardless of whether the business is a small-scale business or a global behemoth. If the business operates in the EU, offers goods or services to data subjects in the EU, or monitors behavior of data subjects in the EU, the GDPR applies, regardless of size.[6] Thus, even a small sole proprietor in the United States or Australia that sells handmade items on the internet and ships them to the EU would be subject to the GDPR as “offering goods or services to data subjects in the EU.”

But Size May Still Impact Implementation Provisions

While size may not matter with respect to the overall applicability of the GDPR, the regulation does provide for specific measures to be considered for micro, small, and medium-sized enterprises. GDPR Recital 13 states, “Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises”; and GDPR Recital 167 continues by stating, “The Commission should consider specific measures for micro, small and medium-sized enterprises.” Micro, small, and medium-sized enterprises are defined as follows:

  • Micro: An enterprise with fewer than 10 employees and with annual revenue and/or an annual balance sheet total not exceeding 2 million euros.
  • Small: An enterprise with fewer than 50 employees and with annual revenue and/or an annual balance sheet total not exceeding 10 million euros.
  • Medium: An enterprise with fewer than 250 employees and with annual revenue not exceeding 50 million euros and/or an annual balance sheet not exceeding 43 million euros.[7]

The GDPR calls for specific considerations for micro, small, and medium-sized enterprises. Specifically, implementing measures, data protection certifications, and codes of conduct should consider specific measures for micro, small, and medium-sized enterprises. Reference to these considerations are found in various locations within the GDPR:

  • GDPR Recital 167 (in providing for implementing powers, “the Commission should consider specific measures for micro, small, and medium-sized enterprises”).
  • GDPR Recital 13 (“the Union instructions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation”).
  • GDPR Art. 42(1) (size should be taken into account in establishing data protection certifications).
  • GDPR Art. 40(1) (micro, small, and medium-sized enterprises should be taken into account when drawing up codes of conduct).
  • GDPR Recital 98 (codes of conduct should take into account specific needs of micro, small, and medium-sized enterprises).

In addition, obligations related to recordkeeping for data processing do not apply to an enterprise with fewer than 250 employees “unless the processing it carries out is likely to result in a risk to the rights and freedoms of the data subjects, the processing is not occasional, or the processing includes special categories of data referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.”[8] GDPR Recital 13 states that in order “to take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping.”

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

Philadelphia
Tess Blair
Vincent M. Catanzaro

Houston
Jennifer Mott Williams



[1] See GDPR Art. 3(1) & (2) (discussing territorial scope and applicability of GDPR); see also GDPR Recitals 23 & 24. 

[2] GDPR Recital 22.

[3] GDPR Recital 23.

[4] GDPR Recital 24. 

[5] See GDPR Art. 4 (18) (noting an enterprise includes “a natural or legal person engaged in an economic activity, irrespective of legal form”).

[6] See id.; see also GDPR Recitals 23 & 24.

[7] See The Commission Recommendation of 6 May 2003.

[8] GDPR Art. 30 (5).