GDPR FAQ

1. What is GDPR?

The General Data Protection Regulation is a comprehensive legal framework that establishes guidelines for the collection, processing and storage of personal data of individuals in the European Union.  

Adopted in 2016, the GDPR replaced the outdated Data Protection Directive and came into force in May 2018. Its main aim is to protect the privacy and rights of individuals, while facilitating the free flow of personal data within the EU. 

2. Who does it apply to?

The GDPR applies to any company, organisation or entity that processes the personal data of individuals within the EU or the EEA, regardless of where they are located.  

This includes companies located outside the EU that offer goods or services to individuals within the EU/EEA, whether for free or for a fee. In addition, entities that monitor the behaviour of individuals within the EU/EEA are also subject to GDPR regulations. 

3. What is the territorial scope of GDPR?

The territorial scope of the GDPR extends to the processing of personal data of individuals within the EU/EEA, regardless of where the company or organisation processing the data is located. 

This means that the GDPR applies to companies within the EU/EEA and those located outside the EU/EEA, as long as they offer goods or services to individuals within the EU/EEA or monitor their behaviour. 

4. What are the fines for non-compliance with GDPR?

The GDPR stipulates significant fines for non-compliance, with a maximum penalty of €20 million or 4% of global annual turnover, whichever is greater. 

The amount of the fine depends on a number of factors, including the severity of the violation and the level of cooperation with the supervisory authorities. 

5. What are the main roles and stakeholders under GDPR?

There are several key stakeholders involved in the processing of personal data under the GDPR.  

The data subject is the individual whose personal data is collected and processed. 

The data controller, which can be a physical or legal person, determines the purposes and means of processing the data.  

The data processor, who can also be an organisation or an individual, processes personal data on behalf of the data controller.  

In addition, each EU member state has a supervisory authority that is responsible for monitoring and enforcing compliance with the GDPR. 

6. What is personal data under GDPR?

Personal data under the GDPR refers to any information that can directly or indirectly identify an individual. The European Commission provides examples such as name, address, email, ID card number, location data, IP address, cookies and advertising IDs.

It’s worth noting that the GDPR’s definition of personal data is comprehensive and includes any data that can identify an individual, either on its own or in combination with other data. 

7. How does GDPR differ from previous data protection regulations and what are its key changes?

The GDPR differs from previous data protection regulations in a number of ways.  

One key change is that it extends the territorial scope of data protection laws to companies outside the EU that process the personal data of EU citizens.  

In addition, GDPR imposes stricter requirements for obtaining consent for data processing, strengthens individuals’ rights to access, correct and delete their personal data, and introduces significant fines for non-compliance.  

Another important aspect of GDPR is its emphasis on accountability and data protection by design and by default, which means that companies must take proactive measures to protect individuals’ personal data. 

8. What are the lawful bases to process data under GDPR?

Under the GDPR, personal data may only be processed if there is a valid lawful basis for doing so. The GDPR provides six bases for processing: 

  • Consent: The data subject has given clear and unambiguous consent to the processing of his or her personal data for one or more specific purposes.
  • Contract: The processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legal obligation: Processing is necessary to comply with a legal obligation to which the controller is subject.
  • Vital interests: Processing is necessary to protect the vital interests of the data subject or another natural person.
  • Public task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Legitimate interests: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

9. What is Legitimate Interest Assessment under GDPR?

Legitimate Interest Assessment (or “LIA”) is a process used by data controllers to determine whether their legitimate interests, or those of a third party, override the interests, rights and freedoms of data subjects.  

This assessment is necessary, under the GDPR, in order to rely on the lawful basis of legitimate interests for the processing of personal data.  

The LIA involves a careful balancing of the controller’s interests against the rights and freedoms of data subjects, taking into account factors such as the nature of the data, the purposes of the processing, and the potential impact on individuals. 

10. Is it a requirement under GDPR for personal data of EU citizens to be stored or processed within the EU?

No, the GDPR does not require personal data of EU residents to be stored or processed within the EU.  

However, if the data is transferred outside the EU, the GDPR requires the controller or processor to ensure an adequate level of protection for the data.  

To comply with the GDPR, we developed a data processing addendum that incorporates the European Commission’s Standard Contractual Clauses. This standardised and legally approved mechanism allows us to protect the personal data of EU residents during data transfers outside the EU. 

11. Are there any additional resources on GDPR?

Here are some helpful links for further reading and guidance on GDPR compliance: 

Official text of the GDPR: https://eur-lex.europa.eu/eli/reg/2016/679/oj  

European Commission’s webpage on data protection in the EU: https://commission.europa.eu/law/law-topic/data-protection_en

List of supervisory authorities under the GDPR: https://edpb.europa.eu/about-edpb/about-edpb/members_en  

Official website of the European Data Protection Board, an independent body that contributes to the consistent application of data protection rules across the EU: https://edpb.europa.eu/edpb_en  

Please note that these resources are provided for information purposes only and we do not endorse the content of these sites.