Does Your Business Have A Customer, User, Employee, Member, Investor, Or Prospect Who Lives In The European Economic Area?
Hinckley Allen Privacy & Data Security
April 10, 2018
By: Nancy R. Wilsker
If you answered “yes” to any category, read this now:
If your business collects “personal data” from a resident of the European Union or of any of the three additional states in the European Economic Area, you must comply with the EU’s General Data Protection Regulation (GDPR) by May 25, 2018. If you haven’t already started, you should do so now, even if your business cannot be in full compliance by the deadline.
Unlike previous EU privacy and data security laws, the GDPR specifies significant penalties for violations: up to the greater of 20,000,000 Euros or 4% of the violating company’s worldwide annual revenue (not just the company’s EU revenue).
Here are the 5 facts you need to know first:
- “Personal Data” means “any information relating to an identified or identifiable natural person.” This is a broader definition than under most U.S. laws, as it captures any information that can be used, directly or indirectly, to identify a specific individual. Therefore, name, address, identification number, IP address, location information, and many other identifiers are all “personal data.”
- There are 28 countries in the European Union: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and (until Brexit occurs) the UK. The European Economic Area consists of the 28 EU countries plus Iceland, Liechtenstein, and Norway.
- An organization must have a lawful basis to process personal data. “Processing,” as used in the GDPR, includes collecting, storing, using, and other operations. The lawful reasons to process personal data are consent of the data subject, performance of a contract, compliance with a legal obligation, protection of a person’s vital interests, public interest, or pursuing a person’s legitimate interests. If an organization processes personal data on the basis of consent, the data subject must have complete control over the information, including the right to withdraw consent at any time.
- There are additional restrictions on personal data of children and on special categories of information. “Special categories” include “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, … genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation….”
- An organization can take information out of the EU only if (a) the European Commission has made an “adequacy decision” with respect to the laws of the destination country; (b) standard contractual clauses are used between an EU transmitter and a non-EU recipient; (c) binding corporate rules apply to the non-EU receiver; or (d) there is a binding and enforceable code of conduct or certification mechanism in place to apply the appropriate safeguards. The Privacy Shield adopted in the U.S. in 2016 and administered by the U.S. Department of Commerce is an “adequacy decision” for purposes of these rules, which means that participating in the Privacy Shield and committing to comply with its principles will be one of the main ways U.S. companies will be able to bring personal data of EU data subjects to the U.S.
This brief summary is not a complete explanation of the 99 Articles and 173 Recitals that make up the GDPR.
For any questions, please contact the Hinckley Allen attorney with whom you regularly work, or one of our Privacy & Data Security attorneys.