We’ve heard from a lot of companies recently that were surprised to learn that the EU General Data Protection Regulation (GDPR) applies to them. The Regulation, which takes effect in May 2018, is huge in scope, unifying data protection laws across the EU. Its scale has led many companies to presume that it only applies to organisations that process large volumes of personal data. In fact, a company of any size may be subject to the Regulation’s requirements, depending on a handful of factors. Here are some questions to help you determine whether you need to pay attention to the GDPR:
Do you process EU residents’ personal data?
If you do, then the GDPR probably applies to you.
It doesn’t matter whether you are based in an EU state or not – if your company processes, stores or transmits personal data belonging to EU residents, then you will almost certainly be required to comply with it.
Are you engaged in economic activity?
The one caveat is that the GDPR does not apply to people processing personal data in the course of exclusively personal or household activity (Article 2(2)(c)). This means you wouldn’t be subject to the Regulation if you keep personal contacts’ information on your computer, or if you have CCTV cameras on your house to deter intruders.
To fall within the remit of the GDPR, the processing has to be part of an “enterprise”. Article 4(18) of the Regulation defines an enterprise as a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity. You must be careful not to mistake business conducted from home for household activity.
Does your organisation have fewer than 250 employees?
The GDPR broadly expects all small and medium-sized enterprises (SMEs) to comply in full with the Regulation, but it makes some exceptions for organisations that have fewer than 250 employees.
The Regulation acknowledges that many SMEs pose a smaller risk to the privacy of data subjects than larger organisations. For example, Article 30(5) of the Regulation states that an enterprise or organisation employing fewer than 250 persons is not required to maintain a record of processing activities under its responsibility, unless “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data […] or personal data relating to criminal convictions and offences”.
An overview of the GDPR
For more information on the GDPR and how it applies to your organisation, download our free green paper EU General Data Protection Regulation – A Compliance Guide.
Discover:
- What the GDPR is;
- The key changes introduced; and
- The scope and impact of the GDPR
Hi Luke
Thanks for the article. I am still unsure about the following.
With a small group of friends I run occasional music gigs in a small church in Leeds. We have an email mailing list of people who have bought tickets for our gigs or who have otherwise asked us to put them on our mailing list. We do not hold any information apart from name and email address. Does the GDPR apply to us? We are not a company or an otherwise “legal entity”; we are just a bunch of friends. We do most promo through our Facebook page.
Also, I have lots of friends and acquaintances who are musicians/in bands, and this led me to wonder if the GDPR will apply to them. Again, they have email mailing lists of fans, but are not “companies” or (as far as I know) “other legal entities”.
Thank you,
Confused in Leeds
PS How long did the kg of jelly beans take to eat?
It depends if you’re raising any money from your gigs. The GDPR defines an “enterprise” within Article 4(18) as any legal entity engaged in economic activity.
If that applies to you or your friends/acquaintances, you’ll need to put in place all the requisite GDPR compliance requirements. I suspect that might be more trouble than it’s worth, in which case you could look for ways to spread information about your band without collecting personal data.
Hi Luke,
My company has contact details of employees of our customers which we use for general day-to-day contact (technical support, general queries etc.). We don’t use it for marketing or any kind of unsolicited sales. We are a small company of fewer than 50 employees. Would GDPR still apply to us?
Hi Dan,
The GDPR doesn’t just apply to marketing activities. It refers to all data collection that’s part of “economic activity”. No matter what size your organisation is, and no matter what you do with that information, the GDPR will apply if you are collecting EU residents’ data.
I run a village email service providing parish council information (agendas and minutes), information from various government departments (Health & Safety, Police, Trading Standards), village announcements (upcoming events) and any information useful to villagers. It is an entirely charitable venture with no economic activity involved and no product advertising or political messages. I have just over 100 people on my email list.
All my subscribers have personally applied to join over many years, their applications deleted after sign-up, and it will be a nightmare obtaining fresh applications (confirmations) for filing. So does GDPR apply in my case?
Sorry Luke, please forgive my bad manners in not thanking you for your excellent article. I have passed it on to many who are troubled by GDPR.
Hi David,
The GDPR applies to any organisation involved in “economic activity”, and it’s not immediately clear if that applies to you. Economic activity isn’t limited to for-profit companies (charities are subject to the Regulation), nor does the data collection have to be directly related to economic activities (information can be collected for any number of purposes). It’s probably worth seeking legal advice from someone who is able to learn more about the data you collect and the way you use it.
Luke,
It is certainly confusing, but although I used the term ‘charitable’ my village email service really does involve no financial activity – no sign up fee, no fund collections, just the sharing of official and local information. What little costs are involved are funded by me as my small service to the village. Nor do I hold any personal information apart from the name and email address of each member of the list. But I will of course seek legal advice and thank you for your help.
You will probably need to comply. I am secretary to a PTA and we have to comply – we only keep names and email addresses of parents at the school and that falls under the remit of GDPR.
If my company is located in Country X (outside the EU) and processes data of EU citizens who reside in Country X (outside the EU), is my company then liable to comply with GDPR?
Yes, Asha, that’s correct. The GDPR applies to all EU residents.
Is it “EU Residents” only, or also “EU Citizens residing outside of the EU”?
For example, an American living in Europe is an EU resident. A Dutch citizen living in the US is not an EU resident, but is still an EU citizen.
Can you clarify which of these scenarios make GDPR in scope?
Hi Simon,
The GDPR’s terminology makes this a bit confusing. The GDPR applies to anyone who is in the EU; that typically means residents, but it also refers to tourists/visitors — so ‘citizenship’ isn’t really relevant. In fact, confirming someone’s citizenship is a murky personal data situation itself.
However, the GDPR also applies to EU citizens who aren’t in the EU (temporarily or permanently).
Both people in your example would be subject to the GDPR.
Hello Luke,
Some very helpful information here. Is there any difference between personal and business information? We hold business contact information for our customers but not their personal information, e.g. a person’s work phone, work address, work email etc., but not their home or personal information.
Thank you.
Hi Jason,
The term ‘personal’ in ‘personal data’ doesn’t mean the same thing as, say, ‘personal life’ (as in one’s personal email, etc.). Really, it means anything that can identify one person from another. If someone has their own work email address or phone number, it would be considered personal data.
Thanks Luke. That helps. Excellent information here!
Hi Luke
Does the regulation ONLY apply to the information you hold on EU residents, or also to those outside of the EU? We have many Chinese clients and I was wondering whether we need to contact them as well?
Any help much appreciated!
Best regards
Tony
Hi Tony,
The GDPR only applies to EU residents’ personal data.
Hello Luke ,
Thanks for the article .
I have a couple of doubts regarding GDPR. My company is basically a healthcare provider (hospitals) established and operating in the Middle East. We do have staff and patients who are EU citizens. Our concern is whether our company will fall under the umbrella of GDPR. On an additional note, our company is listed on the London Stock Exchange.
A second company is in pharmaceutical manufacturing and we export to European countries. Does this company also fall under the umbrella of GDPR?
A third company is in pharmaceutical manufacturing and R&D, and this company is going for clinical trials in the EU, so does this company also fall under the umbrella of GDPR?
Thank you
Hi Diljith,
Any processing of personal data belonging to EU residents (whether they’re staff or patients) falls under the scope of the GDPR. Similarly, if you are collecting personal data of EU residents while doing clinical trials, the GDPR applies.
Exporting goods to the EU doesn’t fall under the scope of the GDPR, unless you are collecting personal data while doing so. (Perhaps you have contact information of suppliers in the EU).
Hi Luke ,
To be more precise, my concern is over citizen and resident. In one article it’s mentioned that “It should be noted that the GDPR does not apply to the personal data of E.U. citizens; it applies to the personal data of individuals who are in the E.U. when their personal data is collected from them. Those protections then follow that data if it is transferred outside of the E.U.”
So if we have an EU citizen as a patient or employee, does the GDPR apply to us?
Ref : https://blog.willis.com/2017/05/the-e-u-s-general-data-protection-regulation-are-the-natural-resources-industries-ready/
Hi Diljith,
The article you reference is essentially correct. The GDPR applies to two sets of people. First, to anyone who is in the EU. That typically means residents, but it also refers to tourists/visitors. Second, it applies to EU citizens who aren’t in the EU (temporarily or permanently).
If you have EU citizens as patients or employees, the GDPR applies to you.
Hi Luke ,
When we went through the checklist for GDPR compliance, we found a requirement for an LSA (Lead Supervisory Authority). In our case we don’t have any establishment in EU countries and we do deal with EU citizen data. In this case, what will be the better option to comply?
Note: We do have one acquired entity in Spain.
Hi Diljith,
You should probably choose Spain’s data protection authority.
Hello Luke,
Does GDPR only apply if your customers are private persons, and not if they are other businesses (so B2B)? I think of the individuals within organisations that you may keep business card type of information about.
Hi Anders,
The GDPR applies to all EU residents, no matter how you are related to them (B2C or B2B) or what personal data you hold on them.
Hello Luke,
We are a US-based pizza company with an online ordering system. Does GDPR apply to us if an EU citizen is vacationing (or temporarily living) in the US and orders a pizza from us, providing their name, address and credit card info?
Hi James,
The GDPR applies to all EU residents (no matter where they are or the data is processed), so yes, the GDPR would apply. Given how complex it is to comply with the GDPR, you’d probably be better off finding a way to not collect personal data wherever possible.
Luke,
I just came across this scenario from another GDPR Blog that seems to contradict your response above. Can you please clarify or am I missing something here?
A tourist from the EU logs onto the website of a nearby US pizza restaurant from their US hotel. They provide personal data such as credit card details and name, to order a pizza delivery to their US hotel = GDPR is not applicable – this is not a product or service being provided in the EU.
Hi James,
That blog is wrong. The GDPR doesn’t make it especially clear, but eugdpr.org summarises: “The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.”
Hi Luke. Thanks for the great article. As per the GDPR Article below:
Rec.22; Art.3(1)
The GDPR applies to organisations that:
– are established in one or more Member State(s); and
– process personal data (either as controller or processor, and regardless of whether or not the processing takes place in the EU) in the context of that establishment.
I would think in the scenario above that GDPR is not directly applicable, unless the US-based pizza restaurant also has presence in one or more of the member states of the EU. How would the EU be able to enforce the regulation? I would certainly advocate awareness around the intention of what GDPR is looking to achieve.
Hi Kelvin,
Let us be 100% clear: the GDPR applies in that scenario. See Rec. 23 Art. 3(2), which is essentially a more long-winded version of the eugdpr.org summary (see above): “The GDPR applies to organisations established outside the EU if they […] process the personal data of EU residents when offering them goods or services”.
Organisations outside the EU that collect EU residents’ data need to select an EU supervisory authority, who will be responsible for enforcing the GDPR. A common criticism of the GDPR is how viable this is. Nonetheless, it’s the law, and any organisation that doesn’t abide risks strong punishment and reputational damage.
Hi James,
Thank you for taking the time to post the article and reply to those with queries.
I am part of a committee who run free events to knowledge share construction best-practice.
We hold email addresses, names and job titles.
We take no money, all events are free and the email is only used to send out reminders to register for the next event and when the Christmas meal will be!
Is this excluded from the “Economic Activity” criteria; or should we prepare for the GDPR date?
It appears to be low risk to my mind?
Regards,
Pete Hughes
Hi Pete,
The GDPR doesn’t explicitly state what counts as “economic activity”. Although you might be okay, the term could broadly apply to any services offered, regardless of whether they were free or not (charities, for example, are subject to the GDPR). If you’re in any doubt at all, you should consult a legal professional.
Hi Luke
GDPR mentions data subjects “who are in” the EU
Some articles mention “citizens of EU” and others “residing in the US”
What are the correct considerations to have? It does make a difference if I am a German residing in Mauritius or I am a Mauritian residing in Germany.
Thanks!
Hi Shameem,
The GDPR applies to two sets of people. First, to anyone who is in the EU. That typically means residents, but it also refers to tourists/visitors. Second, it applies to EU citizens who aren’t in the EU (temporarily or permanently).
The Regulation would apply to you in both scenarios you mention.
Does GDPR apply to NGOs that accept only donations and does GDPR apply to Government Organisations?
Does GDPR apply to your organisation? Since I have to leave my email? 🙂
Hi Darko,
Yes, the GDPR applies to government agencies and NGOs — provided they collect EU residents’ personal data.
Luke,
Does volume come into play at all? We have a call center in the US that supports our US business, but occasionally we may receive a call from a UK customer with a complaint, as they contacted us by mistake instead of the UK call center. The US call center takes their name, email address and phone number and passes the info along to the UK for follow-up. Last year there were fewer than 70 occurrences of this. Does our US call center need to be in GDPR scope if it is not intending to support UK customers?
Hi James,
There is no exemption for volume, so in theory, you would be subject to the GDPR. However, you’d probably be better off not taking down their information and instead giving them the UK number.
I own a repair business. I keep my customers’ names written on a sheet of paper. I am a sole trader. How do I stand on the new regulations?
Hi Anthony,
First, it’s worth clarifying that the GDPR applies to any enterprise that collects EU residents’ personal data, no matter what size. Our blog has covered what sole traders need to do to prepare for the GDPR.
However, if you are only collecting names, you might be okay. A name by itself isn’t necessarily personal data. We’d always advise erring on the side of caution, though, and would suggest you consult a legal expert about your data collection process.
Luke, I’m not sure about the second part. Personal data is any data that can be used to identify an individual. Given the fact that I know the names and possibly the location of Anthony’s repair business, I can make educated assumptions, which, by the Working Party 29 articles, raises the ease of identifiability, which leads to a higher severity score should there be a data breach.
As we said, a name by itself isn’t necessarily personal data: many names aren’t unique (like, say, “John Smith”). Knowing the location of the repair shop is academic; it’s not part of the personal data, and you’d need to do more research to connect the names to nearby addresses.
From what you write and other articles I have read, the GDPR would apply to the US Government when it is collecting visa or taxation information on EU citizens. If so, is this not a good example that the whole thing will be more or less unenforceable in most cases outside the EU? The pizza company example is small beer compared to the US Govt.
Organisations outside the EU that collect EU residents’ data need to select an EU supervisory authority, who will be responsible for enforcing the GDPR. A common criticism of the GDPR is how viable this is. Nonetheless, it’s the law, and any organisation that doesn’t abide risks strong punishment and reputational damage. If the US government were to be fined by another country’s supervisory authority, it would look very bad indeed.
Hi Luke,
Thank you for all your tips! My question is: if I am working with certain individuals in large companies, can I send a generic consent request to one of my contacts at that company or perhaps the CEO, or do I need to obtain the consent from any person I have contact with at that company? Many thanks!
Regards
Daniel
Hi Daniel,
It depends why you’re contacting these people. The GDPR only applies if you’re collecting and storing personal data. If you don’t plan on storing the data (i.e. you only want to email them for work-related (or personal) purposes), you don’t need consent.
Apologies, but I have another (basic) question. The idea of GDPR is to protect data obtained in the context of your economic activity. Is the consent therefore required from the person you have obtained data from, or from those you might be sending that data to, or both?
Thanks again
Daniel
Hi Daniel,
Consent (or any other lawful basis) applies only to the people you are collecting data from. But remember, requests must state what the organisation plans to do with that data, including whether it will be sent to any third parties.
Hi Luke,
We are not working directly with the EU. If we don’t meet the GDPR, partly or at all, what are the possible repercussions?
Thanks,
Julien
Hi Julien,
Assuming that your organisation collects EU residents’ personal data (and therefore that the GDPR applies to you), your supervisory authority could put in place enforcement actions requiring you to meet the GDPR and possibly even fine you. In extreme cases, non-compliant organisations face fines of up to €20 million or 4% of their annual global turnover, whichever is higher.
Hi Luke,
Would GDPR apply to a school charity whose purpose is to raise funds for the school’s resources?
Thanks!
Hi Dylan,
Yes, the GDPR applies to schools and charities. Given how time-consuming GDPR-compliance is, you might be better off finding a way of raising funds without collecting personal data. For example: cash donations with no names attached.
Through my hobby I belong to three groups, each of no more than 50 members, and one Guild with about 1,400 members. Members’ details (name, address, email and phone number) are kept on a member’s PC, which may be the treasurer’s, as members pay an annual subscription to cover administration costs. The details are kept for the purpose of sending members newsletters and any other information that members would need to know about. There are no economic issues, no business, no sales; just groups of like-minded people.
Does GDPR apply to such groups/Guilds?
Hi Charles,
Yes, the GDPR would apply. The notion of ‘economic activity’ is vague, but it’s definitely not limited to for-profit organisations. Guilds, societies, memberships, charities, etc., are all within the Regulation’s scope.
Hi Luke – you must be fed up with all these questions by now but just wondered if you can clarify for me – just as I convince myself GDPR doesn’t apply to us I read the above and am now unsure again. We are a small builders (5 people) and the only data we hold is our clients name and address – for invoicing purposes. We don’t do anything with it. Thanks so much for your time!
Hi Jo,
You’re welcome. Names and addresses count as personal data, so the GDPR applies to you. (Similar data about your employees, as well as payment information, would also count.)
Does this law apply to obtaining just a street name and house number ?
A house number or street name alone probably wouldn’t be classed as personal data. But it’s very rare for organisations to collect one of those without the other – or a postcode.
I run a small Christian Bookshop, which just about covers cost.
I am a sole trader and keep no sensitive information about customers or suppliers. How will GDPR regulations affect me?
Hi Patricia,
If you don’t store personal data, then the GDPR doesn’t apply to you. However, you should be aware that the definition of personal data is very broad, and it might include information that you don’t think would count. Take a look at our blog explaining the definition of personal data (https://www.itgovernance.eu/blog/en/the-gdpr-what-exactly-is-personal-data) for more information.
Hi Luke,
Very informative article.
We are a company in the EU and have many remote employees in and around other countries.
1. We’d like to know what impact GDPR has on the remote employees (who deal with EU customers) and data leaving the EU (during work)?
2. What steps should we take?
Please advise.
Regards,
Natasha
Hi Natasha,
Thanks! I’d recommend checking out our blog on remote workers (https://www.itgovernance.eu/blog/en/gdpr-the-implications-of-working-from-home-or-on-the-road) for answers to these questions.
Hi Luke,
I run a small internet forum with a handful of active users, but quite a large database of members who are no longer active on the forum. The data consists of email addresses only – no other personal data is requested, as members can choose a user name (most don’t give their own real full name) for display on the forum. The forum software collects IP addresses to identify members, and to administrate their accounts. Only the forum administrators can view these IP addresses. We do not engage in any “economic activity”. There is no membership fee, no charges for use of the forum, and no business activity. The forum is basically just a message board for innocuous chatting, and occasional knowledge sharing. We have privacy and cookie policies in place (cookies are only used to allow basic functionality of the forum, such as keeping users logged in, remembering last posts, etc), and we don’t share any data whatsoever elsewhere. Do we still need to comply with GDPR, even though this is basically just a private members’ message board?
Thanks,
Simon.
Hi Simon,
Email addresses are considered personal data, so – technically – the GDPR applies. Think of it this way: even if a criminal hacker gained access to only your email address, they could still cause a lot of mischief. You might decide that you don’t have the time or resources to comply with the Regulation’s requirements, but there will probably be opportunities to outsource GDPR compliance to a third party.
Hi Luke,
We are an SME who hold ‘personal data’ from customers who have purchased goods previously.
We have emailed PDFs of invoices, statements, plus other marketing information to them for over 5 years, without them requesting their details be removed.
What should we do now? Do we email them all and ask them to confirm it’s ok to carry on, or just start from now going forwards?
Hi Heath,
As part of your GDPR preparations, you will/would’ve documented a lawful basis for processing data. In your case, contractual obligation would probably be the most suitable basis. You should send a privacy update to your customers explaining what data you collect and why. You should also let them know about their rights under the GDPR and tell them how they can exercise them. For example, you will need to provide an email/postal address for subject access requests.
Hey Luke, my web system stores a person’s username from a 3rd-party online virtual game along with their unique game UUID (a unique 64-character/number-long string). So I don’t even know who these people are or which countries they are from. Nor can I identify the real persons behind these two values. The 3rd-party online virtual game creator has the database which might lead to the real persons behind those names. But for that reason they have their own privacy policy. Does GDPR affect me in this case? Thank you!
The information you receive isn’t classed as personal data, so the GDPR doesn’t apply.
Luke,
I’m with a non-profit org in the United States that is a very seasonal operation. We employ far fewer than 250 year-round people. But during peak season, we exceed 250 employees for a few months. Does the “250 employees” refer to year-round permanent employees? Or does it count seasonal people as well?
Hi Barry,
That’s a very good question. You would probably be fine, but it’s worth seeking the opinion of a data protection expert.
Hi Luke
My husband and I are a two-person limited company (education consultants). We don’t hold personal data. The only data we have are the names and work addresses of school leaders (our customers) and other businesses we deal with such as publishers (on our invoices to them and in correspondence).
I don’t think the GDPR applies to us — does it?
Thank you
Hi Elizabeth,
Names and addresses are considered personal data, so the GDPR does apply.
Hi Luke, and many thanks for both the original interesting article, as well as for your most constructive replies to all who have asked for clarification on various aspects of GDPR.
I’m not too certain about the following, but as I understand the situation/what I’ve read, it would appear that with effect from 25 May 2018, the Data Protection Act (DPA) will cease to exist, and the General Data Protection Regulation (GDPR) will be instituted in its place.
Whilst in essence I don’t have any problem with that (if indeed the one replacing t’other is indeed the case), where I DO have ‘concerns’ (I’m a sole trader) are:
a) finding a template to use for contacting each and every customer on my database, in order for me to explain the situation, and to ask for their permission to continue holding such information, as well as to use the latter for keeping in contact with them,
and
b) when I wear my other ‘hat’ – i.e. as a ‘Family Historian’ with contacts (and therefore their contact details and personal information) all over the world, the situation as at today is that the information I currently hold on and about others is governed by the Data Protection Act. However, IF the DPA is indeed ceasing to exist from 25 May 2018, and also IF a private individual holding personal information about others doesn’t fall under the remit of the GDPR, can someone please explain what Law will be in existence to ensure that the data I hold is compliant, and that such Data is protected?
GDPR has been most confusing (to say the least) up till now, and if it hadn’t been for the help and guidance of persons such as yourself, it would be true to say (from my own experience) that the body responsible for GDPR’s implementation, collection of the Data Protection Fee and probably the extraction of punitive fines from those not in compliance with GDPR, has not only failed to be helpful in Plain English, but – as I have discovered from lots of Businesses with whom I’m in contact – very few of them have heard of GDPR, let alone know who to contact, what to do to comply, or feel/believe that GDPR won’t apply to them!
By the look of things, the implementation of GDPR and its post-25 May 2018 future would seem to suggest that we’re all in for one roller-coaster of a ride!
Hi John,
Thanks! You are correct that the GDPR replaces the DPA, but it doesn’t create a compliance gap, as you suggest. As with the DPA, the GDPR applies to any personal data that’s collected for a reason other than “household activities”.
As far as we can tell, there is no template for contacting customers regarding retaining their personal data. That’s because the needs will vary considerably from organisation to organisation. It’s also because many organisations are steering away from consent. The GDPR discourages its use, because it’s unreliable, and instead urges organisations to seek one of the six other lawful grounds.
You might see more organisations providing updated privacy policies in the coming weeks that explain the changes to the way they collect personal data.
Hi. I’m really unsure if this applies to me. I’m a mobile hairdresser, as are a lot of my friends. The only information I hold is their name and what colour I put on their hair. All messaging is through Facebook Messenger. I don’t even have their phone number on record. They tell me their address through Messenger but I don’t have records that I hold at home… I’m presuming this does not apply to me. I haven’t even heard about this. Literally one person mentioned it to me yesterday. First I’ve heard of it…
Hi Jessica,
If you stored any kind of personal data, the GDPR would apply. Name, Messenger contact info, address and hair colour all count as personal data, and FB Messenger retains conversations, so that counts as storing. However, we can’t imagine it’d be worth your time to fully implement the GDPR. You might therefore be better off finding a way to get this information without it being automatically stored somewhere.
Hi, I have a home-run wedding cake business and have customers’ name, email address and phone number on their order form. The order form is kept on my laptop, which is password protected, and I also print out a copy and keep it in a lever arch file (in case my laptop dies on me). I only ever contact them to discuss their cake order. Once the order is complete I move their order form to a ‘completed’ folder on my laptop and place the paper one at the back of the lever arch file. I’ve done this since I started in 2014. I do not hold any financial details in regards to my customers; they pay via bank transfer or PayPal. What do I need to be doing, as I am very confused by it all?
Hi Gill,
You’re certainly not alone in feeling confused! Unfortunately, the GDPR applies in your case (it affects any organisation that collects EU residents’ personal data) and there’s a lot you’ll need to do. You can learn a little more by reading our GDPR information page or watching our introductory webinar. As for implementing its requirements, you would probably be best advised to consult with a data protection expert.
Hi
Hope you can help
We run a residents’ association; does the GDPR apply?
We do collect money and we have ballot papers which would include names and addresses.
Thanks
Hi Geoff,
Yes, the GDPR would apply to you.
Hi Luke
Thank you for posting this article and responding to queries. I certainly appreciate the time you have taken to provide an explanation to so many of us that are confused.
With respect to the right of erasure/right to be forgotten (Article 17 of the GDPR), if my non-EU-based company must comply with local legislation requiring retention of customer information for a period of time, will that local obligation take precedence over the erasure obligation in the GDPR?
Hi Kim,
Yes, you can reject someone’s right to be forgotten if you have a legal obligation to hold the data.
Thank you.
As an artist who keeps data to inform people of my courses and exhibitions and opportunities to buy – do I have to comply?
Hi Susan,
The GDPR makes no exceptions for the reasons people/organisations collect personal data, so the GDPR applies. You might be best off finding a third party to manage data collection.
We have a small building company. I am a sole trader with one employee and I do extensions etc. I do one job at a time, and the only information I keep about my clients is name, address, maybe e-mail and phone number. Does the GDPR apply to me?
Hi Jenny,
As with current data protection rules, the GDPR makes no exceptions for either the size of an organisation or the volume of data it collects – so, technically, the Regulation applies to you.
Hi Luke. I wonder if you can help with my query. My husband is a private individual who takes photos at dog shows and posts them on Facebook on the relevant dog show society’s page or on his own page. It is a hobby and no charge is made and no personal details are taken although individuals may be tagged by him or by other people.
Does GDPR apply to him? Will he have to get written consent from everyone?
Many thanks. Jane
Hi Jane,
As with current data protection rules, the GDPR makes no exceptions for either the size of an organisation or the volume of data it collects – so, technically, the Regulation applies to you.
Hi there. Great article. Still not clear though whether my company is under the remit of GDPR. I run a very small (just me) language consultancy company, and the only data I hold about people is their names, email addresses and sometimes phone numbers and work addresses. I don’t market to them – I simply provide a service for the companies they work for and use that data to communicate with them. Is it relevant to me?
Hi Nick,
If you collect and store EU residents’ personal data, then the GDPR applies.
Hi,
We are a Non-EU company who employs over 250 employees.
We have about 20 employees who are EU Based.
Would we be considered a “small company”, or would we be obligated to comply with the GDPR?
Many Thanks.
Ellen
Hi Ellen,
The GDPR considers the 250 employee rule as referring to the entire organisation, rather than just one branch or section.
Hello, Luke, I am self-employed and do not employ anyone else. I hold names, addresses, phone numbers & emails of my customers, but none of it electronically (all on paper). Can you please advise if I will be affected? Many thanks
Hi Claire,
Yes, the GDPR applies.
What if I don’t know whether the information I have belongs to EU residents or not? I’m an author with a mailing list that people can sign up for, but I don’t ask them where they live. Statistically it seems likely that some are from the EU, but I don’t know for sure.
I’m also not sure if my mailing list counts as “economic activity.” No one pays me directly for my books; they pay Amazon or other booksellers. Any help appreciated. This is so confusing to me.
Hi Eleanor,
It’s probably best to adopt a single, GDPR-compliant approach to collecting personal data. The definition of ‘economic activity’ is very loose, but it would probably occur here. It generally refers to anything that isn’t business-related (like Christmas card lists).
Hi Luke,
I am organiser/treasurer of a golf trip which involves managing APIS information for flight group bookings – does GDPR apply to me?
Kind regards,
Ray
Hi Ray,
If you collect and store EU residents’ personal data, then yes.
Thank you for the helpful article and for answering all the questions, which is very helpful. We are a small business and only deal B2B, so we only deal with our business contacts via email, so I assume that the GDPR does not apply to storing business emails. My question is whether the GDPR applies to information held about employees and whether they need to be notified about the changes.
Hi Alex,
If you store your business contacts’ email addresses (and they are EU residents), the GDPR does apply to them. As with employees, you will need to document a lawful basis for holding them. For the former, legitimate interests would be most applicable; for employees, contractual obligations are most suited.
First of all, a huge thanks for your article and the many responses (often to exactly the same question that others have asked) you have very patiently given.
Based on the above I now understand that GDPR applies (in a nutshell) to anyone in the EU, or an EU Citizen outside of the EU – but I have a question…
Take the example (somewhere) below, regarding the Pizza place in the USA that accepts an online order from an EU citizen in the hotel next door. Obviously, in this case, GDPR applies – but how would the Pizza place know it is an EU citizen placing the order?
Does this mean on every order form you have to have something which asks “Are you either in the EU, or an EU citizen?” and what would happen if the person who orders the Pizza declines to state, or simply doesn’t answer the question, or answers it incorrectly?
Do we then (wrongly) assume GDPR doesn’t apply?
This whole thing seems to have been very badly thought through and appears to be more about putting money into the EU (by way of extortionate fines) than actually protecting an individual’s personal data.
Mind you, I guess they’ll need something to fill the black hole in their budget once the UK leaves next year!
Thanks, Nigel. Organisations that target both EU and non-EU residents will probably use a single GDPR-compliant system, and treat everyone as if they were an EU resident.
Your comment about fines is very common, but many supervisory authorities have said fines will be a last resort.
Is GMAIL one big database full of personal information? In other words, would we have to delete every trace of personal data on our customers, suppliers and individuals at businesses that we are in regular correspondence with?
Hi Frankie,
You don’t necessarily have to delete anything. You just have to make sure your personal data is collected and stored in compliance with the GDPR.
There must be incalculable numbers of very small groups of people who meet for social occasions under all sorts of auspices, amateur musical groups, cribbage teams entertaining pensioners, with minimal income etc. The data is simply the names of current members and others who have assisted them and whose contact information may be needed again. It is indescribably onerous to put this nonsense as a requirement and I suspect millions are unaware or choose to ignore. I cannot imagine the Regulator pursuing a small group under these circumstances, who I would hope would be laughed out of court.
Does the GDPR apply to residents outside the European Union participating in a clinical study in a country outside the EU, where the information obtained from the study participants is processed in an EU country?
Hi Rivka,
The GDPR’s scope isn’t affected by the location of processing. If the data subjects aren’t EU residents and the organisation isn’t based in the EU, then the GDPR doesn’t apply.
Hello Luke. Thank you for an informative article. I did however have one question:
In your article you state the following:
“To fall within the remit of the GDPR, the processing has to be part of an “enterprise”. Article 4(18) of the Regulation defines this as any legal entity that’s engaged in economic activity.”
However on the official website of the EU Commission the following is stated:
“Regulation (EU) 2016/679, the European Union’s (‘EU’) new General Data Protection Regulation (‘GDPR’), regulates the processing by an individual, a company or an organisation of personal data relating to individuals in the EU.”
(https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-does-general-data-protection-regulation-gdpr-govern_en)
These statements seem to be at odds. Did you find any other sources to support your claim that the GDPR does not apply to individuals, or was it a matter of interpreting the wording of the regulation?
Hi Luke (and Niall),
Many thanks for the informative article and many replies. A question asked by Jessica on 13 April intrigued me. She mentions that the only personal data she might have would be stored within FB Messenger exchanges, and I understand these to probably be at least in part linked to FB profiles of the other users. Where is the boundary between what is under FB’s responsibility and the business user? And of course FB is just being used as an example here of something that could apply to many other online services.
Thanks in advance.
Hi,
Thanks for the article and the responses.
Does the GDPR apply to a non-EU company processing non-EU personal data that is supplied by an EU company?
In other words, company A is based in a non-EU country, and is processing personal data specifically of residents in its own country, with no intention of branching out to other countries.
However this personal data is supplied by an EU-based company B, who collects the non-EU data.
Does company A fall under the GDPR?
Cheers,
Dolf
I am chairperson of a residents’ association of 37 members. We collect subscriptions and hold email and emergency contact details of both residents and their family members. Part of the subscription is passed to a third party, along with the address, phone and email of our members, to allow for subscription to a legal advice service specifically for residents’ associations. Do we need to comply with the GDPR, and if so at what level?
I work with a business with currently about 100 employees. Before I joined, the company asked the employees for consent to email, post or WhatsApp them relating to the business. A couple of employees have opted out and have requested for contact. I am sure this is incorrect but wanted to clarify: surely I can communicate with an employee for the needs of the business?
Hi Ying,
Generally, asking employees’ consent can be problematic due to the GDPR consent rules. In this case specifically, it is actually unnecessary if you can justify the processing because it is necessary to fulfil contractual obligations with the data subject (employee) or because it is necessary to pursue legitimate interests of the controller (employer). In sum, yes you can communicate with employees for needs of the business and consent is not necessary.
Hello Luke and Niall,
I would really appreciate it if you could give me some quick advice regarding my case.
I have a small private diet-related (Wix engine) website that doesn’t use analytics/user accounts and it’s not collecting personal information except IP addresses and cookie-related info I believe.
So, this is not a company or non-profit organization, just a personal website (educational).
It has a contact form where users can type their name and e-mails. That’s all.
The website by its nature has some built-in apps like chat box which is active and many other apps that are not added or active.
Which part of the GDPR do I need to satisfy to make this website secure for my visitors?
I assume that cookie-related policy should be enforced. What else besides that?
Many thanks!
Hi Denis,
Since there is processing of personal data of website visitors other than the cookies you mentioned, you should consider publishing a privacy notice to the website visitors. Ideally, you present a link to them contextually. For example, when they are filling in the form with the name and email you can provide a link that directs to the privacy policy of the website. The content of the privacy notice/policy needs to comply with the requirements of Article 13 GDPR. Namely, you need to explain to the data subjects what the purposes of the collection of the name and email are, who the data controller is, for how long you will keep it, how you will contact them, or any other applicable information required in Art. 13 or that you find necessary in order to be transparent.
This is not about making the “website secure” for your visitors but rather complying with the requirements of the GDPR, which empower the data subjects, i.e. the website visitors.
Hope this helps.
Hi Luke,
In the article above you state that:
“To fall within the remit of the GDPR, the processing has to be part of an “enterprise”.”
Is this statement accurate as the GDPR also applies to non-profit making concerns?
Hi Fiona,
Enterprise is a term that’s actually used in the GDPR. In this context, it’s essentially another word for ‘organisation’.
Hi Luke
We are a European network with around 50 members from various EU countries, with a web site. Members can register on the web site, we do send newsletters and mailings to them and provide some services to them (such as bursaries to come to our meetings…).
Our organisation deals with a rare disease, and receives funding from a medical society.
I am sure we need to comply with the GDPR, but is it possible, as we are registered anywhere?
Hi Anton
You are correct – you do need to comply with GDPR as you are a data controller. To see if you need to be registered with a data protection supervisory authority, and to understand all your data protection obligations, you need to review the data protection law within the country where your company (or Head Office) is established, as well as the GDPR. You should also check the website of your data protection supervisory authority – they should have good advice on how you can become data protection compliant.
Hi Luke,
Sorry if you got this twice. We (group of college friends) currently collect and store our birth dates and email addresses. This is done via electronic means using a google form. It is solely used to send birthday wishes to everyone when due. Will this fall under exemptions to GDPR?
You’ll be glad to hear that this is not subject to the GDPR, John! These are considered ‘household activities’ (i.e. not part of a business), and therefore you don’t have anything to worry about.