datos alt

This post is also available in: Español

One of the legal highlights of the year is that the General Data Protection Regulation (RGPD) will finally come fully into effect on May 25, implying significant changes in the processes and policies used by companies for collecting and processing personal data. As a result, a large number of organizations are immersed in the process of adapting to a new framework that poses many questions and could therefore cause errors when designing the new policies and procedures.

 

Cuatrecasas has been involved in the process, advising many clients on this type of projects. Precisely in the context of this legal advice we have noticed that all the organizations undergoing the process have recurring questions, and sometimes errors.

Here we launch a series of 12 blog posts where we have compiled the questions and errors that, in our firm’s experience, come up most frequently when implementing the RGPD. We have collaborated with leading European law firms such as Chiomenti (Italy), Gide Loyrette Nouel (France), Gleiss Lutz (Germany) and Stibbe (Belgium) to identify the issues.

 

Here is the first question:

DOES THE RGPD APPLY TO ALL ENTITIES THAT ARE RESPONSIBLE FOR OR THAT CARRY OUT DATA PROCESSING OF EUROPEAN UNION RESIDENTS?

Not necessarily. Although the scope of the RGPD’s regional application is broadly defined, it does not apply to all organizations that carry out data processing of individuals residing in the European Union (EU). In this regard, article 3 of the RGPD specifies the criteria or connecting factors that should be met for this regulation to be applicable:

  • First, the RGPD will apply to personal data processing in the context of activities carried out in the establishment pertaining to the data controller or the person responsible for the processing in the EU, regardless of whether the processing takes place in the EU or not.
  • Second, the RGPD will also be applicable if the data controller or the person responsible for processing, despite not being established in the EU, conducts personal data processing activities of people who are in the EU (i.e., residing outside the EU but who are located in Community territory). In this case, the RGPD will apply when the data controller or the person responsible for processing provides goods or services for those parties in the EU, regardless of whether they have to be paid for or when they monitor behavior, in so far as they take place in the EU.
  • Third, the RGPD will also apply to personal data processing by a data controller who is not established in the EU but in a place where Member State law is applicable under public international law, as in a diplomatic mission or a consular office of a Member State outside the EU.

 

We will be back here in a week’s time to answer another question!

This post is also available in: Español

Autores:

Socio

96 artículos



albert.agustinoy@cuatrecasas.com