by Jim Ashton | Nov 13, 2017
The GDPR defines territorial relationships for two groups of organisations:
- Organisations established in the EEA or the UK (Article 3(1))
- All other organisations that offer goods or services to, or monitor the behaviour of, data subjects in the EEA or the UK (Article 3(2))
Purpose of this document
This document confirms the scope of data subjects for group 1: EEA and UK based organisations.
- ICO: Information Commissioner's Office, the UK's data protection regulatory body
- Article: A section in the GDPR containing regulatory requirements
Territorial scope for EEA and UK based organisations
Article 3 (Territorial scope), paragraph 1, referred to below as Article 3(1), defines this relationship as follows:
"This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."
"The Union" here means the EU and, by extension, the EEA, which at the time of writing includes the UK.
The confusion seems to be over the geographical scope of the data subjects (individuals) covered by Article 3(1). Does Article 3(1) limit coverage to data subjects in the EEA and UK, or does it cover everyone on the planet?
When I initially read article 3, I was a little confused and so were others I spoke to.
After a few conversations, it became clear that any organisation that is based inside the EEA and UK must apply GDPR to all data subjects regardless of where they live.
The impact is self-evident. Every person in the world whose personal data is processed by an EEA- or UK-based organisation is protected by the GDPR. Article 3(1) is keyed to the establishment of the controller or processor, not to the location of the data subject, which is why where the individual lives does not come into it.
To avoid any further discussion, I thought it best to ask the UK data protection regulator, the Information Commissioner's Office (ICO) for their interpretation.
Here is a transcript of the conversation.
(12:58 PM) ico_jand: Hello, how can I help?
(12:58 PM) Jim: Hi, I have a question about data subjects outside the EEA geographic coverage stated by the GDPR.
(12:58 PM) Jim: I am a UK company.
(12:58 PM) Jim: I have a customer who is Japanese and lives in Japan.
(12:58 PM) Jim: If I mistakenly expose the Japanese person's data on Facebook and it causes serious personal damage to the person, can this person take action against me under the GDPR because I am a UK company governed by the GDPR?
(12:58 PM) ico_jand: Yes, as you have to comply with the GDPR.
(12:58 PM) Jim: OK. So, for all intents and purposes, the Japanese person's data is the same as all other personal data I hold. It does not matter where the person is from; I have to protect all personal data the way that the GDPR says. Please confirm that this is correct.
(12:58 PM) ico_jand: Yes.
(12:58 PM) Jim: Thanks. That's all for now. Much appreciated.
(12:58 PM) ico_jand: Thank you for using our live chat service. Have a good day.
The ICO confirmed the reading of Article 3(1) set out above: all personal data processed by an organisation established in the EEA or the UK must be processed according to the GDPR, regardless of where the data subject lives.
In practice, if you are an EEA- or UK-based organisation, you apply the same GDPR rules to every individual's personal data, irrespective of that individual's country of residence or nationality; there is no separate, lighter regime for non-EEA data subjects.